TEC37 E16: Top Considerations When Building Your Security Architecture


How do you know if your cybersecurity investments are being made in the right areas? Our collective rush to remote work has exposed additional surface ripe for security attacks. Spending may be also be on the rise but, hopefully, not at the expense of strategy. In this episode, Robb Boyd and WWT security experts Kent Noyes, Chris Konrad and Mark Wall, discuss: - Danger of running towards shiny objects - Importance of an architectural approach - Benefits of using value-stream mapping to identify workflow contributions to risk - Rise of SecDevOps and security automation

Please view transcript below:


Robb Boyd:                   Well hey, welcome to TEC37. My name is Robb Boyd. Today's show is about security, specifically security architecture. We've got three different experts with us today, each representing a heavy duty background in different areas of security, all the way from a services and financial standpoint, all the way through to architecture and on through to automation and things that we're doing from a cloud perspective that perhaps we should all be looking a little bit closer at. It's about having a methodology. It's about developing an architecture that involves making good decisions up front so that we're not having to reverse ourselves later and declare that we wasted investments, we wasted time, all the things that we don't want to do when it comes to any projects like this. But we've got some smart people with us on the show today, three different experts from World Wide Technology. Again, each with a vast background. You're going to enjoy this one. It's TEC37, your source for technology, education and collaboration. My name is Robb Boyd. Let's go have a show.

                                    All right so here we go. We got our distinguished panel from World Wide Technology and I would like to go through some quick introductions just to make sure I don't mess up anybody's background because everybody has an interesting background to play a different part in this discussion. But Chris, let's start with you. I wonder if you could give us a little bit of your background and what's important to understand?

Chris Konrad:                Sure, absolutely. First of all, thank you for having me. I'm Chris Konrad. I'm director of security for our global financial services business here at WWT. Been with the organization now for six years. I've been in the cybersecurity business for 23 years and I'll just say that over that time, I've seen a lot change, but I also have seen too much stay the same. Really interested in the conversation we're going to have today.

Robb Boyd:                   Yeah. Do you find it interesting, every security conversation has some element of something we've all been saying for a long time but it also keeps everybody in business to a certain extent because it just feels like there's always something to patch. There's always some basics that are being ignored and as unsexy as it can be though, those are good things to continue to hammer on because we're going to still have to do it. But as long as this business involves users, until we can get rid of the users, I think we're going to always be struggling with some level of security. And as far as I know, they're not optional in most situations. Well, let's jump over to Mark Wall. Mark, we've talked once before, but I'm enjoying having you in this conversation again. I think it'll be good. I wonder if you could give us a bit of your background.

Mark Wall:                    Yeah, thanks. My name's Mark Wall, practice manager here at World Wide Technology. I look after a lot of the automation side. And if you kind of think about it, a lot of the, can't say the word, operationalizing, how do we remove toil? How do we improve efficiencies? How do we provide better time to value? With the security industry always changing, as you said, and things are always evolving, how do we better connect systems and mitigate risk and do you do a lot of those type of things? Really excited to be here today.

Robb Boyd:                   Yeah. And boy, there's a clue right there as to where we might be going in the conversation, so that'll be interesting as well, because I think automation itself just as a general category holds some very real promise to solving at the very least, fat finger issues or things that just repetitive mistakes perhaps. But we'll get more into that in just a moment. Well, Kent, I wonder if you give us a little bit of your background as well, sir.

 Kent Noise:                  Sure. Kent Noise, I'm a distinguished architect in the global security practice here at World Wide. I've been here for 20 years based in St. Louis at our headquarters. Been here a long time. I've been in various practices over time. My second stint through security. I've been in security now seven or eight years with Chris and architecture is definitely sort of a passion of mine as it's woven into business and operational needs. Looking forward to the conversation.

Robb Boyd:                   Well, let's get started with that conversation then. I'm going to come back and start with Chris since I did the introduction there first, but to kind of set us off, I wonder on TEC37 anyway, we've had multiple security conversations, some more technical than others, some were business oriented than others. Today, one of the contrasts, it feels like it's very important here is that we want to have an architectural discussion. In terms of setting that up, Chris, I wonder if you could kind of set the stage for why architecture? Assuming I'm saying it right but when we talk about security architecture, where does the importance of that begin to lend itself to this conversation?

Chris Konrad:                Yeah, I'll first start by saying that every organization really needs to understand, what levels of risk that they're currently operating at. Whether it's from a technological standpoint or a programmatic standpoint, that's the fundamental thing they need to do first is understand what levels of risks they're operating at. And once they know that, they can really begin to accelerate the maturity of their cybersecurity program and candidly, it all starts with architecture. And so you have to have a good solid architecture externally, internally and across the board. Once you have that, you really then can begin to accelerate the maturity of your program and then focus on other areas of cybersecurity.

Robb Boyd:                   Well, I know we're going to dive deeper into some specifics around different articles. One thing I love about working with you guys is that you all publish quite a bit. I don't know if someone's got something over your head saying publish, publish, because I know it's not easy, but I do love the fact that you guys are constantly putting out information and putting your thoughts down in writing, which we'll link to those things. But one of the points that was made in one of the papers that was a good lead into this discussion was the notion of pursuing logical security architecture over more, perhaps tactical, I guess. The difference between what you want to do first before you start running after shiny objects. Kent, I wonder if you could speak to, what's important about going first when it comes to running after security issues and where we need to place things?

 Kent Noise:                  Yeah. The logical architecture is important because there's so many tools, it's so complicated and security, well it's almost random and we're all engineers. We want to act. We want to get things done. We want to check boxes and get things done, but that logical architecture keeps you essentially, it's kind of product independent. It keeps you from getting distracted by the product choices you're going to make and lets you focus specifically on the security needs and the priorities based on risk as Chris kind of talked about. Once you kind of have risk organized, you know where to prioritize, you can then set up policies and you kind of categorize what solutions and products you're going to apply to security and security controls that are necessary. If you start getting too fast into the products themselves, you can kind of get lost, caught up in it and really confuses things going forward. That's the way I look at it.

Robb Boyd:                   Mark, I see you nodding.

 Kent Noise:                  That's the need for the security to be logical. Yeah.

Robb Boyd:                   Does everything make sense to you, Mark?

Mark Wall:                    Yeah. And we see a lot of these, I think, conversations going on with customers where it's, I'm reminded of, for those of you playing the home game, there's Joe Weber, who's on our cloud team, founded the World Wide bald men's club or something. And he gave me a quote, he's used it in the Air Force, it's called vector versus velocity. Meaning, do I do a have a strategic plan? Do I need to move something forward pragmatically? Or do I need to just get something done and be very tactical and focused? And I definitely agree that there's a lot of tools and shiny objects. You definitely need a plan. You need a framework to operate in, but where we see a lot of customers' challenged too, is just getting some momentum, getting some wins, building that multiplying factor, getting that flywheel going in certain areas and getting the teams on board. But it definitely has to be grounded in some overarching plan.

                                    Doesn't have to be completely fleshed out and be a 100% perfect. The cost of perfection is infinite. You're never going to get there, but you need something that is going to align the teams to be able to move forward better together. And so, whether it's security, whether it's automation, whether it's other areas of business, it seems to come up quite a bit.

Chris Konrad:                Yeah. I'll just add to that, Mark, as well, that you talked about operationalization of security tools at the top of the call, and that's a big problem. Everybody buys so many different security platforms. As you know, the average enterprise has something like 75 to a 100 different unique security products. And then what we're seeing is that they're just sitting there stale. They're not integrated into other platforms. They're not communicating with each other. And that goes back to the fundamentals that Kent was talking about around architecture. Until you have that, you can't move forward.

Robb Boyd:                   Well, there's some first things first type of lessons to be gleaned from what I was reading. I think Kent, I think it was your name that was on the article, but it was this notion and as Mark mentions, people and teams and getting them involved, I think you specifically had called this as the importance of stakeholder involvement as being something that needs to be established first and foremost, because if you don't, then you've just completely increased your risk, which we're talking a lot about here, but this is a slightly different area. Risk of failure in terms of your project and implementation, especially down the road, if you don't have buy off early on. Can you speak to the importance of stakeholder involvement and where that fits into a process of pursuing a security architecture?

 Kent Noise:                  Definitely. It's one of the biggest obstacles I think, to progress that there is out there and it's not just that. If the stakeholders aren't involved, they're not involved it's not that it may block it, you may have to reverse it. We've been in customers where segmentation is a great example. Security is woven into everything, segmentation particularly, kind of separating out resources within an organization based on risk. Segmentation specifically requires a lot of parties to be involved. And if they're not, we've seen organizations rip out hundreds or thousands of firewalls, pull them back out after they just put them in three or four years ago, because they didn't involve the stakeholders in the overall planning. They made a product decision without involving those stakeholders and then it caused them to reverse. Not only stop it, but reverse, but it also, segmentation in the data center, for example, you're going to touch the environments.

                                    And if you don't get all the stakeholders involved and they don't have buy in, you're not going to move an inch, you're not going to be able to move forward. And so we see a ton of stalled micro-segmentation projects and we have over the past few years as I've kind of specialized in that. Mainly because it's not a technical issue at all, it's mainly just because they're not all bought in. And once you get moving, somebody will back you up and think that they have another better idea, or they just won't like your idea and they won't participate, they won't move quickly. It's a huge deal in security because of the nature of security woven into everything that's out there.

Robb Boyd:                   Yeah. It's interesting how we can become so, everything feels like my priority. And I know if I understand the network and I know most of the users have no idea how complicated the network is, then it sometimes I always feel like if I'm going to get this done, the last thing I want to do is go bother a bunch of people because I'll never get my stuff done. But then in my experience also has been I'll end up spending twice as much on the backend though, fighting for justification or trying to resell something that has already been purchased and is already in motion but is at risk of not fulfilling its promised potential because I didn't involve the right people from the get go.

                                    I'm curious if you, because I would imagine you all are seeing this from different levels, but obviously there's been, we're all working from home. There's been a explosion of work from home. And for, even though some people have started to go back to work and some people have to go back to work, but there seems to be a strong indication that there is going to be a balance for the longterm of people embracing more work from home, which I have to think increases the security kind of attack surface, so to speak. I'm curious what you guys are seeing both either from customers or just in general reality, do you think it's going to stick? And how does that change the importance and our approach to security architecture?

Chris Konrad:                Yeah. I can speak just working with a number of large global financials. They put hundreds of thousands of their employees to work remotely. And from what I'm hearing is that it's going to be a permanent thing. Maybe only 40% of their workforce is going to go back. They successfully got everybody to work from home, now they got to think about re-architecting that network and what does that look like? And let's do it securely moving forward. And it's more than just work from home, it's really work from anywhere. And so we're starting to get into more and more conversations about, we got to think about segmentation. We got to think about our secure access service edge or the SASE model and what does that look like? That's top of mind with everybody now.

Robb Boyd:                   Well, I'm glad you brought that up because I want to get into that. Go ahead, Mark.

Mark Wall:                    Yeah. Just maybe add on the other side of that too, that we're seeing is there's the support side of the organization internally to operate working from home, but then even the customers are really being, sorry. Our customers, organizations are being forced to transform digitally, to provide services and goods for their customers. The demand of simple things like curbside pickups, ordering online, some of these in person sort of experiences are drastically changing or scaling differently. The need to provide those applications, those services directly via the internet and digitally are becoming paramount. A lot of organizations are rushing into that. Rightfully so because of just the cost of doing business. But now it's like, hey, I kind of rushed. Are these applications secure? Am I exposed because I kind of hurried up and did these things because of the economic sort of impact of what's going on? Definitely seeing a lot of these conversations come up more and more as, hey, I needed to respond, but how do I maybe not take a step back, but look at things maybe more holistically and put a better strategy going forward?

Robb Boyd:                   Curious if this went through your heads at all, because obviously, you've been in security and specifically you guys have all been around networks your entire career, but it feels like everything that has had to happen has happened in many cases, much quicker than we thought we even could do it in certain situations but then I always worry about security with that because security is the last thing, even when you're planning stuff out so God forbid when you're not even planning, then it's definitely coming in secondary to just connectivity. But it feels like there was some kind of a, in the politest way I can say it, but I told you so, from a business resilience perspective, in that I think we've been sounding that bell, ringing that bell, whatever the right terminology is from a resilience perspective, saying you need to adopt remote work.

                                    Everything from understanding it from a cultural management perspective, all the way through to a, how do we make it work perspective? Because it speaks to the agility that everyone needs a bit more of. I feel like if there's anything good that maybe comes out of everything that we're going through is once again, there's always moves in the market that have been happening all the time. This is certainly a big one that companies that have embraced these kind of changes and get good at operating in the new normal, they're going to obviously do well coming out the other side and security is a way to continue that at an accelerated pace, I feel like. And so you were mentioning the SASE I think, is that the right way to put it? And I had to write this out because I get mixed up on our acronyms, but so secure, what is it? Secure access services edge, did I get that right? Who can explain what that is? And let's get into some details about that, because I think that's really what you guys are encouraging as something I haven't heard enough about.

 Kent Noise:                  Yeah. I could probably jump in on that. And I think the pandemic, as you kind of talked through a little bit, you were alluding to it, kind of accelerated that whole thing. But when you think about it, and this is where SASE's coming about, it was already an inevitability. Users were already starting to be everywhere. Coffee shops, in their home and everywhere, as we know, but applications are starting to be everywhere as well. The destinations of those users are starting to be everywhere, on prem, in the public cloud, in public cloud infrastructure. And so it only makes sense for instead of forcing a lot of hairpinning of those users going to those resources through central locations, you'd want your security stack to be everywhere as well that you go through to get to them. Secure access services edge is kind of like, just think of it like remote access security as a service.

                                    A provider will build up your typical security stack that you go through, say you going through a VPN to your home office or whatever. There's going to be a security stack with things in it like DLP and CASDI and all these security controls, firewalls and IPs and all those things. What SASE is, they basically it's providers are putting that security stack up in a cloud, abstracting away the details of it and allowing you to connect to the nearest one to you as a user. You're at home, you connect to the nearest one in the cloud to you, remote access as a service, you go through it. From there, you can divert straight to SaaS applications in the cloud, or you can divert to your on prem if you want to. But it's just an extension to me of taking users that are everywhere, applications that are everywhere, now you need your security stack everywhere that you go through to get to them because it is everywhere. It's much more distributed, much more dynamic. Much faster too.

Robb Boyd:                   Now you guys have worked with tons of different vendors and services and I was reading something, so forgive me, I'm winging this out here so I hope I'm right. Did I read, is it World Wide Technology's security services is a billion dollar market? A billion dollar business? You guys, I didn't realize how much you've been doing. And along with that and knowing your background, because I've worked with you from a product and technology perspective, I am the guy that tries to convince everybody to run after shiny objects, or at least historically I've been. And the idea is it feels like you do something that's more nimble and you need something that's more accessible for, as you're saying, everybody's in different locations.

                                    And so this old model of stacking stuff up at a single location and racking and racking it for access and then trying to connect everything to it, isn't going to fly at all. And that's never, and we've said that before, but I don't think it's ever been more obvious than it is now. What's the importance? And this, come to you, Mark, the importance of automation when it comes to the implementation of an architectural model in this direction that Kent's speaking to?

Mark Wall:                    Yeah, absolutely. And it's kind of some of the conversation earlier, there's levels of abstraction. As much as I can say, "Hey, what are all the systems that need to pass certain data back and forth? And as well as providing integration with that." But even to start simply, abstracting away the nerd knobs. How do I reduce the human factor and say, "If I have to," I'm over simplifying, "configure this firewall, configuring this remote access policy, configuring this network device, how do I create essentially templates?" That I can sort of abstract away all of the complexity in that and provide that security policy that I can then programmatically apply no matter where. If I have 10 instances around the globe and it's this sort of security stack, I can apply that in real time at the push of a button.

                                    If I have to make a change or I have to delete a user, if I have to update a policy, I can update that once and programmatically push that out really across the board. And so it really allows you to operate faster. And probably one of the biggest themes we're seeing in automation is it's not just efficiency, it's accuracy. It's how I can remove the human element? How can I reduce risk of if I have to touch 10 different devices and tools, how can I make sure that I'm consistent in what I'm applying, not just from a compliance or an auditing, but just from a what is the cost of fat fingering a device? In the world we are today, if your application's down, if you get impacted from a service, what is that cost when everything now is digital and real time? It's immense going forwards.

Chris Konrad:                Yeah. And I'll just add to that too, Mark. With the extreme shortage of skilled resources that we have in the industry, I think the last study I saw from ISC Squared was three million jobs short. There's not enough security professionals that are out there today so every department is understaffed. And so how can we automate many of these mundane tasks that need to be done every day? Automation is top of mind, with just about every single organization that we're working with today, it's just a matter of trying to figure out exactly what those use cases are to help them with their efficiency.

Robb Boyd:                   Well, one thing I think, Kent said it in his article too. Now I'll come back to you though, but Kent said in his article and I really like this because I pulled it out was this idea of increased automation means less operation. And so you're making the task of operations simpler when you've automated away, as you were saying, Mark, the repetitive things, the things that shouldn't require a human.

                                    And I just wonder, I'll let you guys then comment on this one again, but I think it was Chris that started off at the top of this conversation talking about how as we've run first after gear, after we run after shiny objects to implement and a lot of them don't work well together, I feel like some people run after automation as a secondary impulse to try and make things work together that really weren't designed to work together from the get go because the bottom line is we're seeing the challenge of having humans in between those processes, doing things that theoretically are simple, but it requires a human because these A doesn't talk to B in this type of thing. And it feels like if you start with the architectural standpoint, like you guys are professing and preaching here, then it feels like you could maybe avoid a lot of that and the faster we get to that, the better. But back to you in what you were saying, Mark, sorry.

Mark Wall:                    Yeah, no, absolutely. I think having that, the architecture of what you're looking at and kind of rallying around and then as you kind of have that defined, we have a common tool that we use. It's not necessarily a literal tool, but call it a process. It's called value stream mapping. It's sort of, somewhat of a manufacturing concept. As you have your architecture and where you want to go and what you're driving towards, there's still the current state and future state of where you want to be. Taking and thinking things in the thought process of a system and thinking of things in the process of how a manufacturer, if I'm building a car and I got to build the chassis, drop the engine in, move it onto this next thing. It's not that unsimilar to IT organizations and our security organization.

                                    Being able to sort of say, "Hey, what is the flow of work? What do I have to do to resolve an incident or push a button here, here, here and here to configure a new policy?" Really taking the time to map those out and then defining, what is that value that I'm looking for? Because that'll help you not only understand where can I make the most impact? It's going to make sure that you're including the right people. As we said earlier, bringing in the different teams. If it requires six different teams to do sort of one change, getting all parties on board, understanding the flow of work and then sort of attacking how I can automate that is really going to make everybody's lives better.

                                    But more importantly for some organizations, budget's a concern. It's like, hey, I want to do automation. I want to do these things, but help me understand the impact. When you map out a process, you can quantify it. Hey, it takes these amount of people, this amount of time, there's a time to value cost and there's even a cost of operational time. If I'm paying this team X amount of money and they're spending 95% of their time doing these repetitive tasks, we can move them on to different areas of the business or different projects that are going to be much more impactful.

                                    Going through and doing concepts like value stream mapping, not only create efficiencies, you can create a return on investment model to help you get more budget or help sort of project future return dollars to your different parts of the business. We're seeing that become more and more popular. Taking a couples steps here to kind of organize your strategy, look at your flow of work and then quantifying all that is really going to give you the ammo that you need within your organization to make some change.

 Kent Noise:                  There's Robb, there's two things we've moved way up in the architectural process here much earlier than we used to do it is discovery is one because we're dealing with complicated brownfield environment so visibility discovery, but this workflow automation he's talking about. Right on the front end of the process of your technical architecture design, we hit that pretty early because it affects your decisions. If you're working with things that don't have APIs or don't play well together, you need to kind of know what your processes are going to be before even the architecture's built. We used to kind of put it in the middle or towards the end. We build it, then we're going to automate the architecture much earlier now because it's such a big deal. It's almost a matter of survival in the security world right now. We get a good early start on that.

Robb Boyd:                   Well I love the fact that you're saying there is you're learning as you go and you're changing. You're working on your own value streams and kind of reworking the process that you then share with customers as we learn better ways to do things. But yeah sorry, go ahead, Chris.

Chris Konrad:                Nah, I was just going to add to what Kent and Mark are talking about and you guys well know is visibility is key and just people don't know what's on their network. Whether it's just devices on their network or whether it's applications, just who's talking to what and that's, Kent, you talked about, moving that up further along in the architecture discussion. Now people have an understanding. They can see everything that they have on their network and they can move an acceleration.

Robb Boyd:                   You guys reminded me of a previous show that we did and I don't know the episode number, but it was another TEC37 show. And I want to say it was Todd Neilson, where we had talked about the importance of, in a process for kind of identifying risk within a business and narrowing down so that you're working on the things, because security ultimately is a reduction of risk. It's never an elimination. It's never the idea of just getting done, securities, that project we did last year. It's always reducing the things that have the biggest threat to the business so you're not wasting money fighting something that may be important because it made the news, but it may have nothing to do with your business. And it feels like that works its way into the value stream. Can you help me understand, because I think that's got to be present as part of the process, but this, when you speak to this visual exercise of value stream mapping, where does that work itself in? I assume it's somewhere near the top of the pre-architecture discussion?

Mark Wall:                    Yeah, I can chime in and then Kent, Chris, you want to add color. And sometimes it's even, I want to say parallel as part of bigger engagements that we work on with customers. The idea is, if we're defining what the end state and the goal looks like, we still need to do some discovery and map out what's our current state so we can get to that future state. Sometimes it's somewhat of a parallel effort in saying, "Hey, what are sort of somewhat of a governance model? What does the architecture look like? What are some of the policies that we want to tackle and enforce? And where do we start??

                                    It's always a, here's a roadmap, here's a strategic roadmap. Here's some of the technical roadmap, even to be able to make sure that the design, the architecture and sort of the process side, somewhat definitely mesh together, but I think as early as you can have those conversations, however, you need to know where you're going to be. You need to define a little bit of the end state and be comfortable with where you want to go. And then you can have that process sort of conversation, go on a little bit after that so you know where you're going to end up being and you can make the best determination of that.

Robb Boyd:                   And so, is it true, Chris, that you guys can do this with any customer in under an hour? I'm just kidding.

Chris Konrad:                Yeah, I think around 45 minutes we can get it done.

Robb Boyd:                   45 minutes. Yeah I thought I knew I had it wrong. Now as I think about the kind of engagements that you guys do and you're one of the most consultative partners I've ever had the benefit of working with, but obviously this is a multi-part process. It involves different people. It's obviously you're not just working with a chief security officer or just working with the IT manager or something like this. Can one of you perhaps share just a little bit of an understanding because one of the takeaways from this is we're going to share some resources, both for, I believe you guys will actively do value stream mapping as a specific workshop with customers. And I'm sure you've got some other workshops and or things that maybe are more generalized or very specific perhaps as to where anybody feels like their next step is. But who typically needs to be involved for you to start figuring out where the value is going to come from in a process like this? What do you like to see?

Chris Konrad:                Yeah. And I guess I can answer that a couple of different ways. At WWT, we have a variety of different consultative services that we provide an organization with. It could be everything from a briefing, to a workshop, but everything starts really with an assessment. As I said, at the top of the call, just understanding what levels of risk they're currently operating at. And we can be talking to an architecture team, we can be talking to a data center team, we can be talking to the security team. Just first of all, what is it you're trying to accomplish? What is it you're trying to protect? What's the most important thing. And then working with them to design an appropriate level of assessment that can include interviews and documentation review, diagram reviews, but could also be some vulnerability scanning and some form of reviews of their network architecture. And once we have that, then as I said earlier, we can really start to accelerate and prioritize and categorize the things they need to do to fix their program.

Robb Boyd:                   Curious, how often do you have customers that come in? Because I feel like in this perfect world we speak of, now we're speaking of that imaginary world and the way I see it, where customers are thinking about all the different projects, well beyond security or networking, generally, that they have to be concerned with from an investment perspective to their shareholders or whatever it may be. And then, and security somehow always seems to end up at the end of that priority list. Do you have customers that are proactively saying, "We know we're not on top of where we need to be?" Or do you find most customers responding to the fact that something happened and now we need to come to you and help us get our act together because one, maybe we need help putting out the fire that's currently burning, but then we also, it was a wake up call to realize that we need to do a better job of this going forward. Where are you seeing people in that kind of continuum right now?

Chris Konrad:                Yeah, I'll just, I'll go first here and just say that, first of all, it depends upon what industry they're in. If they're a heavy regulated industry, so whether it's healthcare or finance or retail, they're going to be taking security a little bit more seriously, potentially. There's going to be a little bit more budget added to their security program because all the various regulations that they need to adhere to for their program. That's one, so that's a different level. And then as you, the regular enterprise customers, where they are privately held, privately financed, maybe they don't have those regulations they need to adhere to. But then maybe the CEOs of the organizations are very concerned about protecting the confidentiality, the integrity and availability of their greatest asset, which is information. That has another level of priority. Really all depends on what industry they're in and who's telling them to do something about it.

 Kent Noise:                  I would agree with Chris completely, it's a mixed bag. We're seeing them come in. We ask those questions right off the bat, pretty much any workshop or briefing, what are the drivers? And it's pretty split these days. There's a lot going on in the news. There's a lot going in the industry. There's a lot going on in the companies that doesn't get revealed in the organization that you may not get revealed outbound, but they got them. And then there's compliance. There's fines. There's all kinds of things going on that we're in a good industry for us. We're in a good industry because of it. It's a nice rich industry with lots going on in it, but the industry has a long way to go. Has a long way to go to kind of get it all under control.

Robb Boyd:                   And we keep redefining it so it's probably going to continue that way to some certain extent, perhaps. And I don't know, that makes it fun if everything was easy that everybody would be doing it, I guess. Well, you guys, obviously, you're talking about building architecture and the importance of architecture first and it really reminds me of the Proverbs about knowing the plans of something before to lay your foundation, I'm mixing them all up at this point. But I think, you know what I mean. Hopefully everybody understands without the actual words matching what's happening inside my head. But I want to just go around the horn real quick as we wrap things up, as far as next steps.

                                    You guys, we mentioned the value stream mapping workshop as being something to go forward with. And we've also mentioned that there's a number of different articles, which we'll link to here as well, that are good for further reading. But if someone was going to take a step, we always encourage everyone to interact with the platform. You guys have incredible resources there in St. Louis, but you've made those available remotely. And so it's not a matter of being anywhere near the St. Louis area to be able to take advantage of people like yourself, if not yourselves directly, but also just the infrastructure that you are able to build, test and showcase and various things with. What would you recommend next? Chris, I'll start with you.

Chris Konrad:                Yeah. What I would recommend next for any organization is to visit wwt.com and take a look at all the various ATC insights or briefings or articles or labs. Everybody's in a different part of the journey around cybersecurity, security is a process that never ends. Depending upon where you are, but then go straight to the platform to go look for that information because of all of the great subject matter experts we have across cloud and networking and automation, can really give you some ideas to brainstorm. You know what? I think I need to have World Wide come in and do a briefing on this particular subject. I think that's a great place to go. And as a matter of fact, I'm telling a lot of younger professionals, people that are in colleges, where can I learn? I want to build a lab. Well, go to our platform, start there and learn. That's the first step.

Robb Boyd:                   Yeah. How about you, Kent?

 Kent Noise:                  Yeah, I'm going to cheat this a little bit. I'm going to say internally, everything starts with risk. Just spread the good word, make sure that they're thinking risk minded and what they prioritize. You got spread that not only security teams often know that, you got to spread that to, there's a formal way to do that. Spread that to the network teams, spread it to the other teams that are involved back to the stakeholder concept. But I would have to re-emphasize what he said about our content and strategy. A lot of it's placed out and it gives you a way to start and to get on the platform. The articles that you've referenced, I would we touch those.

                                    But your use case, it depends on your use case. If you're talking about some of the ones we're talking about here, like SASE or zero trust, there are on demand labs that are out there that'll let you specifically compare solutions against each other. There's articles about it. There's guidance about risk and everything that we've talked about here out there. I don't want to, Mark's probably going to say the same thing, but I don't want to push it too hard. We do have a lot of good info out there and we're pumping it in, putting it out there daily.

Robb Boyd:                   I think that SASE security model, S-A-S-E, is interesting to me because I haven't heard enough people talking about that. And maybe it's just because my head is stuck in the past. It could be the big issue here. I just was laughing internally. Well, maybe it showed on my face as well, but Kent, when you said I was just going to summarize, Kent is pro spread in sort of spreading risk. I'm like, wait a minute. That's probably not the right.

 Kent Noise:                  Probably not a good way of putting it, no.

Robb Boyd:                   Yeah. But I know what you mean. The idea is we need to all understand the role that is played with that and how we can reduce risk in the right areas and invest properly with that. But so final words, which no pressure on you whatsoever, Mark, you've been working with automation and really pushing that envelope and saying we should be doing less, which I know hasn't probably resulted in you doing less, but yeah, what's your takeaway from today's conversation?

Mark Wall:                    Yeah. And if you look at security or you look in other areas, we sort of rally around, there's three things you need. You need strategy, you need a plan, you need to organize what you're doing. You need to be able to execute, you need the resources to do it. There's a third bucket, it's enablement, you need your teams. You need to give them the tools and the ability to operate efficiently. A lot of what we talked about today, there's a lot of learning labs. We actually did another TEC37 on unicorns. You can't just continue to hire these resources that are expected, no, this tool, this tool, this tool.

                                    But if you really focus on enabling your teams or yourself, if you're very interested, we have a lot of great labs, a lot of great content, of what are 10 things you need to know to build out sort of a DevSecOps career? What are some great hands on resources for you to learn programmability concepts and call it kick the tires in a safe, controlled environment to make this firewall talked to this system here and really automate those processes? We have a lot of that great strategy and other content and use cases, but we also have some really cool hands on learning labs that can really help you up level your skills or your team's skills to really operate more efficient.

Robb Boyd:                   Yeah. And I love the way you brought it back around to the people because we started off kind of talking about the need to engage stakeholders earlier in the process, when you're talking about a where and how to build an architecture. You cover the importance of building an architecture, but you have to have the right people involved from the get go and that's the only way you're going to be able to move it forward efficiently because it'll come back to bite you if you cut that corner. It's going to come back and get you here at some point and it sounds like you guys preach that consistently.

                                    Gentlemen, thank you so much for taking the time to join us for this latest episode of TEC37. To our audience, of course, appreciate your time as well. Hope you enjoyed this one. Please continue to let us know what you want to hear more of. And the best way to do that of course, is to interact with these professionals on the platform which is wwt.com. My name is Robb Boyd. You've been watching TEC37, your source for technology, education and collaboration. We'll see you on the next one.