The why, where, and how of the APRA CPS 234 standard - with Jay Hira, Security and Compliance Advisor at Salesforce
Our guest this week is Jay Hira, Security and Compliance Advisor (aka Chief Spy) at Salesforce. Jay has broad experience, having been on the tools as a pen tester, a Senior Advisor at KPMG, a Senior Consultant at IBM, a Security and Risk Manager at Accenture, and a Senior Manager at EY, and having worked in cyber at finance organisations.
Gar and Jay had the opportunity to speak face to face in this episode and discuss the why, when, and how surrounding the APRA CPS 234 standard and the role and value of certifications, standards and regulations. Jay also gives us his thoughts on the critical infrastructure bill, the inflection point we're seeing in how consumers value privacy, and the zero-trust approach to cyber resilience.
The Get Cyber Resilient Show Episode #67 Transcript
Garrett O'Hara: Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara. We're joined today by Jay Hira, currently the Security and Compliance Advisor at Salesforce. Jay has broad experience, having been on the tools as a pen tester, a senior advisor at KPMG, a senior consultant at IBM, a security and risk manager at Accenture, a senior manager at EY, and having worked in cyber at finance orgs. We got to speak face to face and discuss APRA CPS 234 and the role and value of certifications, standards and regulations, the critical infrastructure bill, the inflection point we're seeing in how consumers value privacy, and also the zero-trust approach to cyber resilience. Over to the conversation.
Today, I'm joined by Jay Hira, Security and Compliance Advisor with Salesforce. How are you doing today, Jay?
Jay Hira: Very well. Thank you for asking. Uh, glad to be here on your podcast, Gar.
Garrett O'Hara: Good to have you, good to have you. We've caught up a few times now on email and texts and stuff over the last few weeks.
So it's been great to get to know you, and so awesome to have you here face to face. We're getting to do this, uh, in person, which is wonderful. Um, Jay, look, the first question we ask everybody is how did they get to where they are today? So the audience has a little bit of an understanding and, you know, gets where you've come from.
Your journey, essentially.
Jay Hira: Alrighty. So my journey started in a small town in the western part of India. That's where I grew up. And as a kid, I think I was always a very curious kid, and growing up I think it was understanding how computers really operated and how they connected with other computers and the networks.
I think that was what invoked the initial curiosity, which led me into pursuing computer science and engineering at university. When I was at the university, I was just a nerd, and a bookworm as well, which is where anyone who read any book used to come to me and request that, you know, have a look and see how you go.
So I stumbled upon a book which was an unofficial guide to ethical hacking, which actually exposed me to certain concepts of how software programs work and how you can manipulate computers through low-level system settings. And that again sparked that curiosity in me to learn a bit more about it, explore a bit more about it, which led me into my first role as a penetration tester.
Now, I was good at what I did, and at that point I felt like, uh, I'd learned everything that was to be learned in that domain, which is where I was looking for a new challenge. So I knew personally that my communication skills were very poor, my interpersonal skills were poor, and I needed to get out of the lab.
So I chose a consulting, uh, job, and, you know, I had to face the client. It is as customer facing as it gets, uh, in the consulting world. And I guess the point that I'm trying to get at is that I've been very strategic in terms of the roles that I've chosen or the opportunities that I've pursued, which in a way gives me exposure to a lot of different areas of cybersecurity that I wanted to develop and enhance.
Um, 2012 is when I moved to Australia, and, uh, I think the move taught me a lot of things. Some things that come top of mind are around personal resilience. Uh, the need to have really strong relationships with mentors who tend to guide you on your journey through life. Um, and, you know, picking up things quickly. Um, we were struck by COVID in 2020, and that gave us a lot of time to reflect on who we really are and what are we doing?
Are we enjoying it or not? Um, that made me in fact realise why I do what I do. [laughs] And one of the important discoveries, also, you know, in terms of my interests, is I love working with universities, with educators, on how do we ensure that students get the right sort of exposure and are industry ready when they move into the workforce?
Um, again, if I was to summarise, and if I look back at what has been the most rewarding part of, uh, my journey so far, it is not what I've done. It is not, uh, what I've learned. It's been more of how I've helped people succeed. So it's the giving back. That's been the most rewarding part of my journey.
Uh, that is what got me to where I am right now, Gar. And, you know, I'd just like to understand from you, in terms of, as an advocate for cybersecurity, what really motivates you in this domain?
Garrett O'Hara: Probably the same thing. Like, honestly, it's, and it's so cheesy, but that's the big part of the brief for the podcast. God, it does, [inaudible 00:05:05] so cheesy saying that, but, you know, it's the giving back.
It's the bit where, you know, and you know this from the prep calls, and any guest that has been on, uh, and we said this like not 10 minutes ago, my job is to get out of the way so people can hear, you know, from the guests. And that to me is giving back, you know, my job is to hopefully meet people like you and all the other guests that have been on, so it's sort of
to try and, yeah, try and give back to the cyber security community. They've been so kind to me, that's the thing, you know, so many people have, and that's been the general experience I've had in this industry, is that people are unbelievably helpful, willing to share, open. Um, which, yeah, I just think is so, it's just a wonderful attribute for our industry.
Jay Hira: Absolutely agree with you. Spot on. And I think the world needs more kindness, and you've gotta start with being kind to yourself and then being kind to others.
Garrett O'Hara: Yeah, no, I totally agree with you. You know, we talked about the prep that we were doing for the episode today, and, you know, one of the things, uh, I understand you're interested in and, sort of, you're keen to talk about today is the APRA, uh, CPS 234, which kind of hit us a little while ago, changed from a guideline to a standard.
And I know as a company, we started getting a lot of queries about, you know, what's going on with CPS 234? Do you guys have a statement? And I'd be very keen for you to run us through, first of all, what CPS 234 is. And yeah, what its value is.
Jay Hira: All right. So let's start with the simpler answer and then let's get into the, uh, more complex answer with the detailed structure on the why, what and how [inaudible 00:06:40] CPS 234. The simpler answer is, as a regulator, you've got to be able to measure your regulated entities on different areas. It could be corporate social responsibility, it could be information security. And you can't measure something that you haven't truly defined or enforced. And CPS 234, the draft, when it was released, uh, in March 2018, was APRA's effort to essentially define the minimum requirements around information security.
So that's like the short answer of what it is all about. Um, but let's follow the structure of why, what and how. So why was it needed? I think a lot of influencing factors, a number of incidents, the impact of these incidents; it was getting to a point where, you know, it wasn't a question of if, but when are you going to be breached?
Which actually goes back to the point around when APRA announced the draft CPS 234. They came out and they said that organisations, or regulated entities, uh, need to adopt the approach of being [inaudible 00:07:49] breached. And you've got to now focus more of your capabilities on how would you detect these breaches? How would you respond to them? How do you recover out of them? The overall element of cyber resilience is what they wanted to focus on. So that's the why of why CPS 234 was really needed. The what is again fairly simple. The what is, uh, there was a CPG, which always existed. But as soon as you open up a CPG, there's an about section in it which says that, you know, this is APRA's point of view on what is best practice, what good looks like, but that's not enforceable, which is where APRA needed to take a stand in making it enforceable.
So that's the what. The how is something that we discussed when we earlier met, more around how there's, uh, 24 requirements, broadly nine different areas. And the standard itself, um, is principles based, and it's not granular, prescriptive or a compliance-based standard, more like PCI DSS, which we compared it to when we spoke, you know, how PCI DSS was prescriptive in terms of the details of what password needs to be set on a certain system which falls within the cardholder data [inaudible 00:09:01]. I guess that, in a way, summarises, uh, CPS 234.
Garrett O'Hara: And do you think it changed? Uh, 'cause, you know, you mentioned that it's been around since March 2018, I think you said, and, you know, went from guideline to standard.
One of the things I would say I've seen in our industry is, unless you have to, quite often people won't. And it's only when something becomes, you know, a certification or a standard or a regulatory requirement, that's when you see change. What was your perception of APRA-regulated bodies pre-standard, when it was guidelines? Was it a little bit
"It's optional, so maybe we may do some of that, maybe we won't"? But what was going on back then?
Jay Hira: Yeah, so I think, uh, we've got to recognise that APRA, as a regulator, regulates super funds, it regulates insurers, it regulates the large ADIs, as in banks, it regulates foreign ADIs as well.
Um, which is where it's like, how can you have a common yardstick to measure someone that's a smaller business or a medium-sized business versus a larger business which is generating a lot of revenue, and obviously has a lot of focus because they're storing so much personal information?
You know, they've got a focus, they've got a clear program which focuses on protecting this information or, you know, better data handling practices, which is where the challenge was more around, how do we nudge these smaller and medium-sized businesses? Or how do we actually give them a business case to go to the board to justify, and also then, you know, use the standard as a driver to get the funds that are needed to implement
cyber hygiene. Let's call it cyber hygiene, because that's what the requirements actually hint at, what's, you know, natural and what's necessary, or what's non-negotiable, which needs to be there in these financial services organisations.
Garrett O'Hara: And so do you think, like, as I think through what you just said there, like,
one of the biggest utilities in certifications and regulation is that it forces the hand of businesses to do probably what they should do anyway. Um, you know, it should be nearly on a t-shirt at this stage, but, you know, compliance doesn't mean security. Like, they're totally different things. And even certification doesn't really mean good security outcomes, and the same with standards, but what's your perspective on that?
And then the usefulness of, you know, the ISM or [inaudible 00:11:28] CPS 234, NIST, or any of those things when it comes to change. And probably this is the second part of that question, which is the regulations. Because I think that's where often things really change. I'd love to hear your perspective on that.
Jay Hira: Okay. Um, I think the short answer again would be, does achieving certifications or following standards or following what you're mandated through your regulator lead to security outcomes?
Uh, I guess no, not necessarily. And like you already called out, you know, it's not necessarily that it leads you to good security outcomes or good cyber hygiene or good privacy practices. And again, it boils down to the fact of, you know, let's draw parallels to a university education, right? A good, solid university education gives you a very good foundation to be successful, but can we tie, uh, university education to success in the workforce?
Not necessarily. We have seen both ways, right? We have seen people who get a good university education and are successful, but at the same time, it's not a detriment, right? If you haven't really got a good university or formal university education, it doesn't mean you're not going to be successful in the workforce.
Uh, so I guess that's the key point in here. Um, that, you know, smaller, medium businesses would always need that bit of a push or a nudge to achieve or to drive results or achieve good cyber hygiene. Whereas the larger businesses are already ahead of the curve in terms of their efforts. And then this in a way, uh, helps them establish security metrics or, you know, demonstrate their capabilities, or this becomes like a differentiator for them to succeed.
Garrett O'Hara: Yeah. And I suppose in a way it gives us a common language. So you could roughly know where organisations that we work with are sitting in terms of their, you know, adherence to a standard, whatever that may be. Um, and so I definitely feel like there's usefulness there. And then the regulation, I feel like that's the bit where stuff really changes.
I think of, like, GDPR. You know, how long the privacy conversation had been happening, then GDPR happened, and you watched how many organisations had to change. And let's be honest, not always in a good way, to that point. It's, you know, compliance doesn't necessarily lead to the good outcomes, which is, you see cookie acceptance boxes everywhere now on websites, and you kind of have to accept them if you want to view the content.
And that's not really in the spirit, right, of GDPR. So I suppose there is that. Here's another question for you, like, when you think of this heavily interconnected digital world we live in, everything is connected to everything and it's all digital. Um, how do you see regulators, or the role of regulators, in terms of making that integrated ecosystem safer?
You know, when you think of, you know, certainly commercial level and national level, and then probably international too. Like, what's the role of regulations there?
Jay Hira: In the past, if you look at what has been the role of regulators, it has always been to drive quality outcomes and also to always look at the general public and their interest. I almost feel like, um, in the future,
the role is now becoming a bit broader, which is where it's split between policymakers and regulators, both. And we've seen a prime example closer to where we are here in Australia. The government came out with the 2020 cyber security strategy, which essentially, you know, gives you a roadmap of what are we trying to achieve or what are we trying to do, or an amalgamation of all the effort towards combating, uh, cyber threats, and that in a way gives the regulators, you know, some sort of a platform or some sort of, uh, input from top down on how do we regulate our industry, or how do we regulate entities within a specific industry. So regulation in a way does play a key role in driving outcomes, and they, you know, play a role in cyber hygiene. They play a role in every aspect that we have discussed so far. Um, so I guess that's where we're coming at. Anything that you'd want to add here, Gar?
Garrett O'Hara: No, I think that's really good. I mean, the thing I would add is maybe another question for you, which is your thoughts on the critical infrastructure bill. That's the thing that's working its way through parliament at the moment, and I think broadly has support in Australia. My sense is that we need it, you know, the things that are going on at the moment in Australia, but I would say internationally, you know, Biden [inaudible 00:16:13], and, you know, so many other countries. And I think for most people now they get an understanding of how vulnerable we are when it comes to power, when it comes to healthcare, finance, education and transport, all of those things. And I think I know what your sense is, but I feel like COVID was the bit where people realised our supply chains are very brittle. You know, just-in-time delivery is fine when everything's working, but when it breaks, it's actually kind of a nightmare. We saw it in [inaudible 00:16:41] as well. It's not just COVID. Um, yeah, like, what are your thoughts on the critical infrastructure bill?
Jay Hira: I totally agree with you. Like, uh, think of someone who's trying to go for a regular healthcare checkup, and they expect a certain service that needs to be available.
You know, there need to be some doctors who look at the notes on, you know, when did they last see the, uh, patient? What was the blood pressure? And this is important, and this infrastructure needs to be maintained. So I completely agree with you on the point around how they've gone into expansion of this critical infrastructure bill to include financial services or retailers, or, you know, other critical areas, which is always, you know, something that we should have thought about earlier.
And we're now starting to realise that, you know, it's important to include them.
Garrett O'Hara: I love the fact that you said should have thought of it earlier, 'cause I think that's the failing of, uh, societies in general, is that there's so many things where, let's be honest, our industry has been talking about this for how many years.
Um, [inaudible 00:17:44] I saw him talk at one of the Australian conferences, and I remember him talking about, we're going to see critical infrastructure getting hit. It's going to be power. It's going to be healthcare. So there should be no surprises, but it just, uh, takes a little bit of time for this stuff to, yeah,
to land, doesn't it? Sometimes, and for policy to catch up with reality, I suppose.
Jay Hira: Absolutely agree with you there, Gar.
Garrett O'Hara: Yeah. Um, one of the things, you know, as I look through the submissions to the critical infrastructure bill, and many of the kind of industry submissions, and a lot of the unions actually, I saw, had commentary, it seemed to revolve [inaudible 00:18:22] broad support, but we need clarity on the specifics, because that's kind of the devil's in the detail.
Um, and one of the things that was raised by many of the submissions was the costs that are incurred through doing good security, good privacy. Um, you know, it's not stuff that's free. Um, and in some industries, you know, and here, look to maybe the western side of the US and some of the stuff that comes out of, you know, big tech, you externalise the costs to the people who are using your app, but you can't really do that
when you think about critical infrastructure, health care, et cetera. I'd be very keen to get your thoughts on, like, and I don't know if there's an answer for this one, [laughs] so it's a little bit of a curve ball, but when it comes to the cost of privacy and security, how do we tackle that? Because I don't know if there's an easy answer.
Jay Hira: Um, I agree with you, Gar, but let me just take a stab at it. The idea is that you've got to, these are like foundation practices that you've got to have: cyber hygiene, good security, good privacy practices. We've talked about that. The struggle in the industry is the challenge that we spoke about earlier, around the difference between, you know, where are we going to get the funding for it from, you know, there's small and medium businesses already struggling with challenges, not being able to keep up with regulations.
And then there are obviously market leaders, or the larger, or, you know, revenue-generating businesses, which obviously are ahead of the curve. But I almost feel like what has happened is, uh, the consumer itself has become very security and privacy savvy. And you would now, you know, almost in order to maintain and continue to get your consumers' trust,
they expect a level of, you know, proper data handling practices out of any organisation that they share that data with. And it could be a small super fund, or it could be an insurer. They are now becoming more and more security and privacy conscious, and they want to know exactly, if I'm sharing some data with you, how are you going to use that data?
If I ask you to, will you share all the data with me? You know, if I want you to delete the data, would you delete the data? So I think consumers are getting so much more conscious than they were in the past. And when you spoke about GDPR and when it came into effect, CCPA, and some of the other regulations that we've seen, there's such a big win for consumer rights, you know, we need to recognise how massive wins these are, uh, from, and, you know, government initiatives actually focusing more on the rights of the consumer, which is fantastic.
So we're moving, we're drifting away from, you know, using yardsticks to measure, but already, you know, we have... rather than using regulations, standards, certifications, you know, by these organisations as drivers, I think it's more of how do you win and continue to maintain the consumers' trust? Because of the more consciousness that's been built into the consumers, I guess that's an important point.
Garrett O'Hara: Yeah. And, you know, I hope so, so much that that has changed. It does feel like we're starting to see a shift. And, you know, when we were prepping for this, we talked kind of about some of the moves that Apple has made around, you know, using privacy as a selling point, and what's weird to me is I'm seeing posters as I drive around in Sydney, and finally, that thing of privacy being a, you know, competitive differentiator is being used.
And I think if Apple does it, let's be honest, it won't be very long until other big organisations start to follow suit. Right?
Jay Hira: Absolutely. Uh, and that's the whole point. That's where you're trying to not worry. So a lot of organisations would look at the costs or the time invested in meeting regulations, irrespective of whether they're security- or privacy-focused regulations,
as an overhead, whereas I think it's time to recognise that, you know, these are basic non-negotiable, um, practices that we need to follow, and now try and capitalise. If you're already investing in it, you might as well make it sound like it's something that you're offering, uh, to your customers. Which is exactly what, you know, some of the players in the market are doing that are leading and, you know, the funding.
So I think I was talking to a developer a couple of days ago, and they were talking more about how development was always focused on outcomes in the past, as to what's the end state, but now it's becoming, uh, more agile, in terms of, you know, every time, uh, there's a user,
you know, they keep on changing the requirements, and you've got to keep up with, uh, their requirements almost constantly with your sprints. So I guess that's where we're moving towards. You know, you've got to, uh, make sure that your drivers are adversaries, which are the bad guys, as well as users or consumers of your product, rather than using regulators or standards or certifications as a driver to achieve good practices.
Garrett O'Hara: I think you're so right on that, that there's no one solution, it's a combination of different things. I've heard that said a few times recently, that, you know, it won't be one thing. It'll be many things that kind of fix many, not fix, but, you know, get us to a better place, uh, with many of these problems.
And I really like your take on the organisations that are leading with this stuff, because I think what we're going to start to see, and this is a crystal ball thing, but we'll hopefully start to see startups and very small emerging companies understanding how important this stuff will be in the future,
building in privacy and security by design from the start, which is way cheaper. So down the line, you know, you can go faster, you can move, um, more, uh, quickly to market bringing products, because you've, you know, built your core around privacy and security rather than carrying the technical debt along with you, which is, let's be honest,
that's what, [laughs] that's what has been kind of the standard for the longest time, I think.
Jay Hira: Totally agree with you, Gar. Which is where I think a lot of organisations have now started to look at their security effort and align it with what's the outcome that the business wants to achieve. So align your security outcomes with your business outcome, align your
security strategy with your business strategy, align your security policies or security initiatives with what the business is trying to achieve. And some of these, you know, one of the simplest examples could be, let's just say there's an insurer, um, that wants to create a single customer view of, you know, the consumers, which is for their own benefit, because, you know, they've seen
a consumer using two separate products, they are supported by two separate stacks of applications, there's no communication between them, and they don't even know if it's the same customer or not, you know, which is where they're seeing a lot of value in this single customer view. So that's what the business is heading towards, right?
How do you align your security outcomes with that? That means, you know, there's going to be a lot of communication between systems. You know, there's going to be a lot of different channels through which we are offering services. So you've got to now focus more on aligning your security outcomes with what the business is trying to achieve.
And that's the whole point, right? If we start doing that, if we start getting on that journey, then it becomes much easier to justify. I almost feel like there's two groups, you know, of people within an organisation, uh, and it needs to be, the security team isn't just the security team, the security team needs to be the whole organisation.
Everyone is an ambassador for security, rather than, you know, just one bunch of people, five or six nerds in a room, or five or six people trying to, you know, be the detractors, or, you know, you perceive them as, you know, not enablers, but probably people who will always ask questions around, why, you know, why are you doing that?
Why do you need to send this file out? And why is it a flat file? But have you thought about what's the content of the file? I think it's the perception. The general perception is you ask a lot of questions, so let's change that. [laughs] And let's get to a point wherein we're trying to align with, all right, fine.
Let's sit down at the table. Let's try and understand what are you trying to do. And then we'll support with how to achieve whatever you want to achieve in the most optimal way, but at the same time, managing trust in the information that you're trying to transfer from one point to the other.
So I guess that's where we are headed towards.
Garrett O'Hara: I totally agree. Um, and then I hear this from obviously security leaders like yourself, but more and more. Um, yeah, security, you know, it's probably an overused analogy in our industry, you know, the reason brakes were put in the car was so the car can go faster.
I feel like the brakes are starting to wear out on that analogy, 'cause it's probably our only go-to, but it's so perfect 'cause it absolutely makes sense. Um, but I agree with you 100% that, uh, more and more in this industry, I'm hearing a maturity from the security leadership, which is, we are a function that enables the business rather than, you know, some isolated silo that just has to build the biggest wall around the organisation or whatever.
And this is maybe the perfect segue, the biggest wall, you know, when we were talking prior to the, uh, recording today, one of the things that came up was zero trust, which is just such a big topic of conversation at the moment. Um, I know I've done, you know, multiple talks even just in the last few weeks on it.
And it seems like a huge appetite to have a conversation, what does it mean, et cetera. And there's definitely, I think we're past the eye-rolling stage where, you know, the marketing brochures all had zero trust in every, every platform, every vendor had some sort of a take on zero trust. But what's your take on a marketing term versus the kind of practical approaches?
Like, what is zero trust to you?
Jay Hira: Um, at the core of the concept, it's about bringing security to where your data really lives, which sounds so simple, right? But at the same time, the idea is, and the reason why it sounds very simple and very not security, is just because traditionally we've always looked at network-centric, perimeter-based security, which essentially translates to you're either trusted or not trusted.
And that trust decision is made at an organisation's firewall, or at the perimeter, wherein you're determining that anything on the outside of these walls is untrusted, anything on the inside of these walls is trusted. But think of it this way, right? Um, is anyone, any traffic coming from within the organisation really trusted?
Can we really put that intrinsic trust in anything that's within the four walls? Let's just say you and me were having drinks. We had a pizza party at home watching footy, and while I was trying to reheat or heat the pizzas, someone just knocked on the door, you let them in, they're sitting down with us, they have access to the whole house, and we haven't even checked with them.
We've just trusted them because, you know, there's some of your friends that you've invited, some of my friends, you think they're my friends or I'm thinking they are your friends, and they just get into a conversation. So there's just so much trust that we have in them that we haven't even asked them about, you know, why are you here and what are you doing here?
So the point, again, that I'm trying to make here is that with the pandemic, with this sudden influx of digital transformation, with this mantra of, you know, adopt digital transformation now in order to stay competitive, stay afloat, we've got so many different channels through which our organisations, or products, or data within our organisation is being accessed. It used to be from within the offices.
Now it's remote users. Our partners are remote. Our customers probably had access to our websites, but now they've got access to our apps from their phones. Um, they can actually book tickets from, you know, their phones again. So again, the idea is that there's no perimeter at all, which is where the whole concept of network-centric, perimeter-based security doesn't really work anymore.
Um, so that's where, you know, when I was trying to summarise or give a short answer, I said that, you know, bring all of your perimeter, or bring all of your controls, closer to the data. Anytime that I think of, uh, zero trust in my head, I've got this picture of five circles. Um, one of the circles, at the centre, is the data circle.
Then four circles on the corners of, assume, a rectangle. The four circles on the corners, you know, those four circles are your network, your devices, um, you know, your users, your applications and systems, and that rectangle itself is an envelope of controls, which are either detect, respond or recover capabilities.
So imagine this thing, to have these pillars. This is your ecosystem. When a user is trying to access data, or when a user's trying to access a device, when the device is trying to access a network, when there's a system that's trying to access data, there need to be controls that protect.
So there need to be almost like micro-perimeters around each of these pillars that will almost not intrinsically trust anyone that's asking for access, but will test and verify and validate before the access is granted. So that's, in a sense, where, you know, zero trust is at. Have you read anything recently that resonates with you, or, you know, something that's a simpler concept, right?
Garrett O'Hara: So I've, I've, I've been reading a lot on zero trust and then sort of listening to a lot of stuff in zero trust. And yeah, I think what you've just said is, is pretty much it, um, in your analogy. It's, yeah, it's like making sure the guy sits on the sofa and, and gets asked his, his name and doesn't get any pizza and not any beers, so we know exactly who he is, what team [inaudible 00:33:09] and who let him in at what time?
Um, yeah, I think, I think that's it. I think one of the things I've been talking about a little bit, I suppose, is, uh, the idea of, you know, I've heard this thing of, oh, isn't this just least privilege, haven't we always done it? And I don't think it is. And I don't think it's a marketing term, because I think what we've, what we're seeing now is, uh, technology as an enabler, but telemetry that's available to make contextual decisions didn't really exist in the way it does today.
Um, the ability to micro-segment security domains, or controls within an organisation, I don't think that existed at a tech level. Um, so I think we might've always wanted to do zero trust, but we're only now at a point where it's sort of feasible from a, a tech perspective. And, and I also think there's a, uh, an appetite from a policy.
And by that, I mean the, the policy within an organisation to map to those more stringent security controls so that if the worst does happen and you get poked, it's just, you know, it's a much smaller, uh, blast radius. And I hate using that term because I know a lot of people roll their eyes, but it's, it's useful.
Um, you know, it's a smaller impact. I think that stuff has become really, really important. How do you, here's a, here's a, maybe a tricky one. Like how do you see that evolve? Like what, what is it? Did we just get more granular? Like what's the evolution of zero trust?
Jay Hira: Um, I guess zero trust is the start. That's where you start.
And I almost feel like, uh, a lot of conversations that I've had recently, a lot of people have asked me around, we want to start zero trust, where do we really start? And how is this going to evolve in the future? So there's the same, same question that we're discussing, I guess. Where you start is very foundational, right?
Anytime that we start on a journey to achieve a regulation or a security standard or a certification, you start looking at your data and where is your data flowing? You know, take the prime example of PCI DSS cardholder data. If you're storing cardholder data, if you're a merchant, you've got to actually know exactly where it's being stored.
How has it been processed and where does it move? What are the hops? What are the systems or applications that it touches? And sometimes the simplest things are the hardest things. Um, back in two... 2015, I, I do remember I had attended a conference, an ISACA conference, where I heard, uh, Mike Burgess speak. He was then the, uh, CISO of Telstra.
And the point that he was trying to relay was really simple. He was talking about the five knows of cybersecurity: know where your data is, know what the value of your data is, um, know who's protecting it, know who's got access to it, know how well protected it is. Five simple terms, right? But that summarises cybersecurity, right?
And that's where you start. That's the foundation. Figure out where the data really is and map the flow of this data. That's like the very beginning. Now the question is more around, where would this evolve to? Um, I think that's a difficult one. And that's where, if you start embedding these principles in play, or if you start getting this in play, I guess you're ready for any sort of a challenge.
I don't really see this evolving into any other concept which will just, you know, 10 years down the line, wake us up, but I may be wrong again. Right. Um, everything that needs to be thought about feels like, with this concept, it's been thought about. There may be an extra circle that gets added in here, right?
The foundational pillars, but the concept still stays, right? Why that intrinsic trust? Stop having that intrinsic trust, start validating before you trust. I guess that is a very powerful concept. And I think you can't really beat that concept. That applies to us as human beings, that applies to computers, systems, applications, networks.
That applies everywhere.
Garrett O'Hara: Yeah, it really does. It, it's funny, as you're talking through that, I was thinking about what could the evolution be? And if it was like, if it was double zero trust, but you used numbers, what you would end up with is the infinity sign, [laughs] and it would be infinite trust, and that's probably, definitely not what we want.
Um, Jay, thank you so much, and I'm sorry to finish on such a crappy joke, uh, after such a good [laughs] conversation, but thank you, uh, so, so much for joining us here today. I'm going to steal your analogy, by the way. I liked your university education analogy and how it correlates, but it doesn't necessarily indicate that you're going to be successful.
I think that's a really good analogy for security certifications at an organisational level or compliance. Um, so with your permission, we'll be stealing that one. Thank you so much for joining us.
Jay Hira: Thank you, Gar. I really appreciate you giving me this opportunity to be on your podcast. I appreciate it.
Garrett O'Hara: Absolutely. It was fun.
Jay Hira: Thank you.
Garrett O'Hara: Absolute pleasure. Thanks so much, Jay, for that conversation and for sharing a tea and beer after we recorded; you can guess who had the tea and who had the beer, as always. Thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalogue of episodes and like, subscribe and leave us a review. For now, stay safe.
And I look forward to catching you on the next episode.