Credit: Graham Sowden
How did you end up in your current role, and what attracted you to the industry?
I was lucky that I knew a number of Okta’s executives from my previous roles. They all talked about the growth potential of the company and the evolving importance of identity in the security space. This was exciting in itself, but what got me most excited was (still is!) the energy level of everyone working at Okta. Everyone here is on a mission.
Whilst the business opportunity was the main draw there was also a personal angle for me. A few years ago a colleague was a victim of identity theft and I witnessed how devastating and difficult it is to regain control of your own self. It was staggeringly complex and not too dissimilar to what someone might experience under a full witness protection scheme. I have been fascinated and terrified by security ever since.
What do you see as the biggest threat we currently face?
Trust. At the heart of the web’s dysfunction, and enabling many of today’s most advanced threat actors, is a fundamental trust problem throughout the internet. The threat is that trust has been given too freely online - whether users share PII, financial and business data, connect to unsecured Wi-Fi networks, or click on phishing links, it all amounts to a vast increase in risk.
Hackers, insider threats, nation state attacks, and even risky shadow IT practices, all leverage trust to gain access to enterprise systems and sensitive data. Without clear strategies in place to verify trusted users and secure access to corporate networks, organisations put their systems, applications, data and stakeholders at risk.
Is the security industry getting better at using tools like threat intelligence and collaboration policies to work together against a common threat?
The security industry is certainly getting better at collaborating against common threats. Rather than trying to do it all, vendors are realising there’s value in doing what they do best and collaborating with other best of breed solutions to help customers mitigate cyber risks and establish better network security.
We see this with the establishment of initiatives like the end-to-end security and governance integration between Okta, CyberArk and SailPoint, and Mimecast’s recently announced Cyber Alliance Program.
In terms of threat intelligence, the industry is stepping up its game as data analysis tools become more sophisticated. Many organisations are now leveraging aggregated and anonymous user data to establish patterns that can be used to identify, predict and prevent different attack vectors. This threat intelligence can also be used to enhance security solutions in line with the evolution of cyber threats. It's a virtuous cycle.
What do you see as the biggest gaps in the functionality of current cybersecurity technologies?
The new, digital first business landscape offers broad flexibility and mobility, allowing employees and customers to access resources and services from any device, on any network, in any location, at any time.
This is a big challenge to the way many organisations are used to securing data, which is to put it behind secure network firewalls. Traditionally, we would build a “moat” around our “data castle” and fill it with "sharks with lasers". Then, the only way in was via the drawbridge that we control. That worked well enough until mobility arrived and provided multiple new ways to penetrate that castle. Think dragons in the air and tunnels underground. Firewalls are still vital but they can only cover one attack vector.
And once inside the firewall, there are too many ways for threat actors to navigate corporate networks under the guise of a legitimate user. Knowing who is not a legitimate user is a key gap in many cybersecurity solutions today. However, constantly challenging a user produces a frustrating experience that leads to poor system adoption and expensive business inefficiency. Maintaining the highest levels of security without compromising user experience is a big gap that needs to be filled.
With this in mind, user identity, whether inside or outside the data castle, has to be the new perimeter for security. The solution is to adopt a Zero Trust mentality and continuously authenticate the identity of every user. By monitoring multiple contextual factors, we can isolate threats and take actions without disturbing legitimate users.
How has availability of cloud-based services changed the way you deliver your solutions?
It’s no secret there has been a global shift towards cloud-first and mobile-first IT environments. Many new solutions have been built in the cloud, with organisations taking advantage of this revolution to offer an alternative to on-prem or endpoint-based applications.
The growing adoption rate of cloud-based services continues to create a market need to simply and securely authenticate access to a host of business-critical applications. Access management has also been revolutionised by the cloud –– offering identity governance and administration capabilities without the need for endless customisation and complexity.
How has increasing regulation changed your security priorities and those of your customers?
The introduction of regulations worldwide, such as the Australian Notifiable Data Breaches scheme, the European General Data Protection Regulation (GDPR), and the incoming California Consumer Privacy Act (CCPA) has created a heightened sense of awareness around data security. Our customers now have a legal obligation to protect their customers’ data, which means authenticating users and securing access is a top priority.
What is the hardest thing about defending against gaps in API security?
Developers work at speed, creating APIs at such a pace that security teams simply can’t keep up. There is now an enormous number of public APIs worldwide which present a significant security blind-spot for many organisations.
Working quickly to spin up new applications and services, many developers build and expose APIs on repositories like GitHub without first checking with their security teams. It’s quite common for shortcuts to be taken or security best practices to be overlooked. In fact, we know there are tens of thousands of Google API tokens exposed in GitHub, which allow attackers a path into corporate networks.
Working with developers and not creating roadblocks is important. So while they continue to work at a fast pace, the most difficult part is to find ways to educate them on common security mistakes and integrate API security as a priority in the DevOps pipeline.
What is involved in building a viable business case around implementing simple and seamless security?
Any organisation should be able to use any technology securely, with as little friction as possible. Looking to successful use cases is one way to illustrate the return on investment from implementing simple and seamless security. At Flinders University, for example, the introduction of Single Sign-On (SSO) and lifecycle management to the student population helped to eliminate the majority of password reset requests, representing $22,000 in savings. All users were also able to activate their accounts in under 60 seconds.
Security has become a board-level conversation, and while board IT literacy is improving, IT leaders must put a business case together to support their recommendations. Many security vendors will have teams dedicated to helping their customers and prospects build viable business cases. If IT leaders are able to demonstrate how user-friendly security solutions will increase productivity, reduce costs and ultimately mitigate risks, they will be able to build a viable business case for the board. At the end of the day, solutions that can streamline and automate processes, and securely and simply connect workforces with the business-critical applications they need, will sell themselves.
How are you helping organisations engage with end-users to educate them about multi-factor authentication?
Any new security protocol will be met with some resistance from end-users in an organisation. Let’s face it - nobody likes to add an extra step to their already busy workday. However, there are ways to make onboarding as seamless as possible because at the end of the day, security tools like multi-factor authentication (MFA) will make everyone’s life easier.
One effective method is to combine MFA with single sign on (SSO). Almost everyone loves SSO for having no need to remember passwords and the simplicity of having all their apps accessed from the same place. Adding MFA to just one, centralised login will be a far less painful user experience than what they had before.
Letting users choose their second factor (e.g push notifications, SMS, Google authenticator, Universal Second Factor, YubiKey, biometrics) also helps with MFA education. It's a way of helping users understand the security requirements, while at the same time being empowered to use the method they prefer.
You can also do things like develop how-to guides and FAQs, temporarily step-up IT support resources, and find opportunities to share tips, like all hands meetings or internal newsletters, all aimed at smoothing the adoption of new security measures.