Jeff Moncrief (00:00):
In this upcoming session called Five Tips to Build An Identity Strategy, we're going to have two incredible presenters. The first is Eric Kedroski, who's Sonrai's CISO. First of all, I've got to call out Eric's hair, it is absolutely amazing. Please take note of it. He might have the best hair of any of our presenters today. Eric is also a yogi and he loves the outdoors. Our co-presenter in this session is Nicole, who is the director of IAM at EQ Bank. Nicole has been a lifelong Cowboys fan, so she was afraid there'd be a couple of boos from the audience. But I will say this, Nicole, I'm on your side. I've got the Cowboys defense this year on my fantasy team and they are absolutely crushing it. So I'm very, very happy and I'll be your partner in crime there supporting the Cowboys, okay? All right, with that being said, take it away, Eric and Nicole.
Eric Kedrosky (00:54):
Well, thank you very much for that awesome introduction, Jeff. As Jeff said, I'm Eric Kedrosky. I'm the CISO here at Sonrai Security. I actually play three roles at Sonrai. I'm the internal CISO here. I also play a field CISO role, so I get out into the environment with our customers and our prospects and do a lot of advisory work on helping people understand the challenges of securing the cloud, helping them understand why identity needs to be at the core of that strategy. And then the third role I play here at Sonrai is I also help our customers in their journey once they bought our product, working with Sonrai and how to achieve the benefits of that. With me today, and I'd really like to welcome Nicole Landry. Nicole is a great resource in this area. She's a long-time IAM expert and I'm really excited to have Nicole here today, so it's great to have you, Nicole.
Nicole Landry (01:45):
Thanks, Eric. I'll do a brief introduction. So as you mentioned, my name is Nicole Landry. I'm the director of Identity and Access Management at EQ Bank, also known as Equitable Bank. And I've been with Equitable now just over a year. And previously to that, I worked at other financial institutions, as you mentioned in the IAM space, and right now currently working to mature our identity and access management practice here at EQ Bank.
Eric Kedrosky (02:13):
Awesome. Great to have you. So for today, we're talking about the five tips on how to get your CISO on board with your identity strategy. As you and I talk a lot, Nicole, this is quite the challenge. This cloud space is new to everybody and it's especially new to CISOs. And when you're working in any organization, but especially a large financial organization such as yours, we have to get our executives on board with our programs and our plans and help them to understand the risks that they are responsible for managing and how to communicate that to their boards and their executives and also to the people within the company. And so, as we talked, one of the first things we talked about is getting to a baseline. We have to start somewhere. So really, the first tip and the question I have for you today is how do you get your CISO to this baseline? What have you been able to do to achieve that?
Nicole Landry (03:05):
So ultimately, I would say the first thing was really understanding our current state and where we currently were on our cloud journey. When I joined EQ Bank, we had already started our cloud journey. We've selected our provider and working towards getting SaaS applications wherever we could. Those were what we were selecting. And since then, I believe we've onboarded or we've migrated about 70% of its applications to the cloud with declaring that goal of being fully in the cloud by end of 2026. So for me, it was initially starting to understand where we currently were and stop me at any point if you want to jump in, but next it was really understanding how we work currently building and managing our cloud.
Recently this year, we've been working with Microsoft and other key partners to reimagine that next generation for EQB's cloud, and ultimately that was really to focus on issues or lessons learned that we've experienced to date and then now evolving our cloud journey. I think the next thing really is understanding our team knowledge and that is really those working on the cloud, really understand where we're at, what we're doing, what our plans are, what our objectives are, at least for, again, where my space, it really is the key goal and focus to measure our success is really just the identity and access management in the cloud. So that's another focus for me.
Eric Kedrosky (04:45):
On that one, just to jump in, I know with a lot of the organizations I work with, there's these different combinations of permutations of how people are running their cloud and securing their cloud. So when you talk about understanding the teams and the leaders and the cross-functional, what are some of the teams that you've had to work with to get that baseline? Because it's probably just not sitting in one team? Is that a correct assumption?
Nicole Landry (05:09):
Correct, yeah, it really was understanding all the stakeholders involved. So when I joined, we have a cloud operations team that manages key functions within the cloud building and doing the visioning of certain roles and responsibilities. Also, our help desk was involved, infrastructure, our engineering team. So all of these teams were involved in the key roles that they play with our cloud journey.
Eric Kedrosky (05:38):
And I would assume that there's probably different levels of understanding and almost like a different baseline in those different groups. That's what I tend to see. Is that what you saw as well?
Nicole Landry (05:49):
It is, yep. That is what I saw. Yep.
Eric Kedrosky (05:51):
Okay, cool. Cool. So then once you've sort of reached this baseline, and we talk about it a lot, is that identities are really at the core of a cloud security strategy and it's part of that paradigm shift we talk about. Do you have an inventory of your identities, both your human and your non-human identities in your cloud?
Nicole Landry (06:13):
So that was another thing that I think with establishing our baseline was really getting to that inventory or at least starting an inventory. So even just identifying types of accounts, the credentials and the permissions that each of these had, we had to start there and we're still evolving that, but really understanding from just your primary account, your human account to your non-human account and making sure that was understood and also those using these accounts were using the appropriate account for certain activities. So that's something that we had to do and we're still working on developing our inventory and furthering that journey.
Eric Kedrosky (06:53):
So the first tip there is, of course, set the baseline, and as we've talked about, there's probably going to be different baselines. Your cloud operations team and sort of an identity team such as yourself probably understands how it shifted to the cloud and the importance of identities and other teams may not, which kind of leads us to the second tip is educating your team. So one of the things you talked about was once you find those baselines, how did you educate all of the teams so everybody came together and that you leveled up the baseline to understand the problem and then to begin to talk about ways to start solving the problem?
Nicole Landry (07:27):
I think at first, we had to start by understanding it ourselves to be able to properly communicate that outwards. And really, it was explaining what identities in the cloud are and what they can do. I mean, if you look at Azure, take the example of that built-in role called user administrator. That would seem like it would be an appropriate role to assign to your help desk, but that couldn't be further than the truth based on the permissions and the functionality of that role. So really being able to understand those roles, what they mean and be able to communicate that outwards and explain those is really how we've started to build and educate the organization on what people are requesting for access and having them even question is this the appropriate access that I need within the cloud? And also using Sonrai actually to support that. We've been able to build custom roles as well for help desk and based on understanding what they do in the cloud.
Eric Kedrosky (08:31):
Awesome. And so, when you were educating these teams, did you actually have to go back to some of these teams and sort of explain the differences that those paradigm shifts that we talk about between the data center and the cloud, how the network was once the boundary and identities? Did you find yourself having to explain that to different teams a lot?
Nicole Landry (08:49):
Yeah, and I think we continue to do that and it's going to be an ongoing journey as part of evolving where we're at is continue to educate and explain that.
Eric Kedrosky (09:00):
Okay. Because I know we talk about, and this is very much buzzwordy and it sounds like a marketing thing, but we say hackers don't hack, they log in. But the truth is is that that's how it happens these days. Identities are used as the primary points of attack and we can look to a number of breaches over the years and we can look to a number of breaches that happened within the last few weeks and how identities are key to that. And I think it's really important.
So I guess the second point then is after you've understood the baseline and where all your teams are, leveling everybody up. So the second tip to get your CISO on board is really educating the teams really before you start to put a plan in place for the CISO. But that leads us to our next point is really that the CISO's job is to manage risk across the organization. And with CISO's role is also to be that business leader, they're not just the smart technical person. They really need to be that business leader taking these risks upwards to the boards or their executive teams or whoever. So really, how did you translate from those technical concepts into business risks for your CISO? Because this is really the pivot point to get them engaged and on board.
Nicole Landry (10:13):
I think the primary piece is evaluating the risk. I think that from our perspective, we often talk about the possibility of a destruction event. So something that we've seen or heard about in the past, like you said, where other companies have faced. So for my focus, if we don't get IAM for the cloud, we leave ourselves open to having serious breaches. And so, communicating that upwards and ensuring that the CISO understands that is crucial, because if something were to happen, he's in the hot seat or they are in the hot seat.
Eric Kedrosky (10:49):
And with these risks, I mean again, we kind of pull it back to the technical for a second. The paradigms have shifted with the cloud, even though you've gone and you've educated your teams, there's still a lot of education that we as security professionals and identity professionals or whatever we call ourselves these days, have to go through. This could get complicated. And so, did you find that yourself, you were even having, walk us through your process and how you're preparing that conversation with your CISO, and then also how you're helping your CISO get ready to have those conversations further up the chain?
Nicole Landry (11:24):
I think that there's two parts there, because it's really what you take away to your stakeholders and your staff and how you're educating them. And then, what they would be interested in compared to what my CISO would be interested in. And really, ultimately, the CISO is not really too interested in the specifics that enable the security in the cloud, but it's more so really ensuring that your organization remains a trusted provider to its clients in providing its services. So really, when you communicate that and establish that and make those key correlations, really that's what my CISO would take forward to the CIO or CEO to really establish why there's an importance of one investing and what we need to do in our journey with the cloud.
Eric Kedrosky (12:19):
And I mean, that rings me being a CISO as well, that rings super true. And I think the other thing for me and maybe to vetted off of you is like don't overcomplicate it to me. I myself, yes, I'm a technical person, but at the end of the day, I'm not the solutions engineer. I'm not the cloud engineer, I'm not the security architect anymore. And I find that sometimes when people bring things to the CISO, they either speak so technical or it's in this complicated way that yes, as you look down and spend the time to do it, you could make sense of it, but at the same time, your CISO doesn't actually most of the time have the time to do that. So in doing that, is that the same way you approached it with your CISO trying to keep it less complex, less technical, and more business risk oriented?
Nicole Landry (13:09):
Yeah, exactly. It's to the point where it's not really the specifics of really what we're doing or how we're doing, it's really what is the outcome and what is that protecting us from, any vulnerabilities. And those are really the important factors that he cares about or they care about, for sure.
Eric Kedrosky (13:28):
So there really-
Nicole Landry (13:29):
It really is not overcomplicating it. I think you don't get that understanding when it's too complicated or it's not at that high level.
Eric Kedrosky (13:39):
And I feel it. As CISO, sometimes we get put in that position because a lot of us are technical in nature that we get the technical story, and at the end of the day, it's like we need to be able to tell that story upwards and we need the time to be able to do that, not dig eight layers deep and figure out how to translate the technical. So really, step one, you've built the baseline. Once you've understood the baseline, you've got to level your teams up by educating them to understand the risks, but also understand how the risks manifest themselves within your own organization because it's going to be different.
And then, really, the pivotal point is the third point is translating from the technical to the business risk. And that's the point where you get your CISO bought in. So you've kind of done these two things ahead of time and you get your CISO to say, "Oh yeah, I understand this risk. I understand the impact it could potentially have on our organization." Now they're bought in. So now we start to move on to, okay, the CISO's on board, but now you've got to help the CISO get on board across the organization at the executive level. I think of it this way, how do you set your CISO up for success? What do you do? Because at the end of the day, they need to show success with their peers and with their leadership structure and maybe depending on the organization, the board or whatnot. So how do you set your CISO up for success?
Nicole Landry (14:56):
So I think ultimately, one, setting my CISO up for success is really just driving those quick wins and from the program that I'm leading, what are those quick wins and how can I showcase to him as well that ultimately we're working in collaboration with his peer's teams. So when you talk about getting that buy-in and from one, the CISO and others, it's also working closely with your stakeholders and ensuring that for us, the teams that are really building and managing the cloud, that we have a strong working relationship that it doesn't really hinder the progress of the security in the cloud in our direction that we need to go. So being able to work towards that really just also provides that quick win to my CISO that, look, we have the right teams involved and everybody is on board and we're moving ahead cohesively. And then, ultimately, really it's just establishing those, like I said, those quick wins and what those quick wins are for us based on some of the things that we can do.
Eric Kedrosky (16:14):
So again, you've baselined it, you've educated, you've hit that pivotal point, you've got the CSO on board, they're like, okay, I get this. I understand the risk. We need to do something about it. You want to set them up for success, which is the fourth point. And what it sounds like is start with the basics in there. So it's kind of like set them up with success. Asterisk by starting with the basics is the fourth tip. If we look at now, it's almost like you're ready to execute, you've kind of lined up all the ducks in a row and you're ready to execute and help your CISO do that. How do you be successful with this identity at the core of your strategy approach to securing your cloud? How do you get those first wins for your CISO in that space?
Nicole Landry (16:54):
I think really that focus is looking at that privilege access cert for higher risk identities, integrating with your existing tools, your privilege access management tools. If you're that far ahead in your journey, if you've established that, I think that is a quick win and building that into your approach and your strategy, for example. Also I would say cleaning up that low hanging fruit, unused identities, especially the privileged accounts, those non-human accounts. And I think those are also important and quick wins that ultimately will show some direction and forward movement with the work that we're doing. Sometimes it's not about overcomplicating it again and starting at the bigger problems, but attack some of the smaller ones and work through that. And then, you're already showing progress and people, when they see some positive outcomes, then that can drive some more further forward momentum.
Eric Kedrosky (18:03):
That's awesome. I mean, I'm personally biased because I've been a CISO in this cloud security space probably going on I think eight years now. And as I like to say, I might not have the physical scars, but I've got a lot of the emotional and mental scars from being a CISO in this cloud space. It was such a shift in so many ways for me, and I really like these two quick wins. You want to get your CISO some credibility. They're putting their name out there for this program which you're recommending and they want to get some credibility.
And I always think cleaning up the low hanging fruit to pick on the first one you talked about is such a big thing. It doesn't sound amazing or cool or whatever, but there's a ton of risk in that low hanging fruit. These identities in the cloud that are just hanging around. Now, you might not use them or the developer that created it might use them, but if somebody comes across whether uses it nefariously or with the best intentions, it can create a huge problem in your cloud leading to a lot worse risks or a lot worse scenarios.
So I think I'm a big fan of always cleaning up the low hanging fruit. And for the CISOs out there listening or the people like Nicole out there listening, working with their CISOs, this is a great way to get those wins. We had 5,000 things that were unused in the last 90 days that we're down to 2,500, we're down to 1,000 and we're down to 5. I need you to go work with your peers to get those 5 done. That's a great way to build credibility and build momentum for your security program.
The other one I really like is what I see is your privileged access certification process, because now we're talking about how do we blend the two worlds together. Privilege access certification isn't new. I mean, you've probably been doing it all of your career in identity management and you've got processes and you've probably got even some legacy tools that you can use. One of the best things you can do is sweat those assets, as you said, use your existing PAM solution if you can, integrate it with a solution in the cloud, use your existing processes. And again, so you're not trying to reinvent the wheel in the business, you're actually trying to use that. So I really like these two Nicole about, again, clean up the low hanging fruit and really having a privileged access certification program for your cloud.
Now on that one, and before we get to some questions, I just want to dig into one thing. I know this is one thing you and I talk about. A privileged access certification program can be rather large, and especially in a bank and a mature bank that's been doing it for many years, I mean, you get down to the nitty-gritty little details in your data center, but in the cloud it's not like that. So maybe what's the quick win in that? Where do you start in that certification process? Do you just say, "I'm going to take the highest risk thing right now, which is the things that have full permissions and start there and get the process working," or do you try to get down to the nitty-gritty right off the bat?
Nicole Landry (20:55):
I think getting down to the nitty-gritty off the bat can overcomplicate things a little bit, to be quite honest with you. And so, I think starting at a point that you can identify, for example, when you look at the built-in roles and looking to reduce some of the permissions of a very common function, which is help desk, and that built-in role, that seems obvious for them, but it's not, as I mentioned earlier, it's like how do we reduce those permissions. It may not be truly certifying them, but it's one of the things where we're looking at it, is this still correct? Basically, using the tools that we have to really just reduce those permissions, and then potentially right now maybe manually certifying them and communicating outwards that this isn't right and adjusting it and making sure that the appropriate people have access, and that's further communicated. So it's a bit not necessarily utilizing that certification, but a bit of both in a sense and starting at a point where it's more obvious than drilling deep down into the nitty-gritty where it's going to take more time.
Eric Kedrosky (22:05):
And it kind of sounds like you're almost like cleaning up the low hanging fruit here. It's really obvious when a user probably shouldn't have full access to the whole cloud, or it's really obvious when a user shouldn't have access or a role or a non-human identity, shouldn't have a level of permission that is the full cloud or a whole service or whatever. So it sounds like even start with the low hanging fruit there, clean up the biggest, most egregious things, and at the same time, you're building a process while getting wins as opposed to getting marred down in the minutia of it all, which could stall a program or a process, correct?
Nicole Landry (22:43):
It could. And I think that you lose momentum. Again, it's that over-complicating things start with what's obvious and sometimes as obvious as it is, it usually isn't as obvious. So really just start there, don't overthink it. That's what we've had to do and scale back and really focus on how we can attack some of this low-hanging fruit as we keep calling it.
Eric Kedrosky (23:07):
Okay, cool. Now, I know we're getting some questions in, so I'm going to try to get to that. So really if we talk about it, Nicole, what I'm hearing is the tips to get your CISO on board is first get the baseline, understand where the teams are, who the players are, their understanding of the cloud and these kind of shifts to the cloud and especially identities in the cloud. Once you've got that baseline, the second tip is to educate your team, get everybody on the level set and then start formulating your program. The third tip is translating that technical program into the business risks for the CISO. And this is pivotal, this is where you get the CISO sitting up in his or her chair saying, "Oh wow, yeah, we need to take care of this."
And then, once you've got that buy-in, the fourth one is start with the basics. Set your CISO up for success as much as you're setting your team up for success by not overcomplicating it, starting with the basics. And really two things that everybody on this call can go away and do in this thing is pick two things to focus on to get your wins. And those two things are one, focus on low hanging fruit, meaning unused identities is a great one. If it hasn't been used in 30, 60, 90, whatever days in your cloud, just delete them. And the second thing is start a basic privilege to access certification process within your cloud and really map it up to what you have in your organization if you have it. So there's the five things for our listeners. I know Nicole's doing it to success. I can see it. I work with her a lot. They're very successful in this organization by following this pattern and she's doing a great job at it. So hopefully, this helps the listeners. And I think now we've got some questions, Nicole, so let's take a spin at this.
Karen Levy (24:40):
All right. First, thank you very much Nicole and Eric, that was great. For everyone in the audience, there will be a pop quiz at the end of the day, so hopefully you took good notes and appreciate the review we had at the end there. Another really interactive session. We have a lot of questions. I'll start with a question from Tanya. She asks, "We talked in the beginning about setting a baseline and how long do you think the evaluation and education part needs to take before you can switch to actually doing and getting buy-in?" Do you have any advice on that or guidelines?
Nicole Landry (25:13):
Sure, I can start on that. I think it really depends on where you currently are on your journey to really say how long that's going to take. So if you're in the really early stages, that could take a little longer than some organization that is a bit further along to maybe do a reevaluation and just a refresher of education piece and then moving forward with actually working through doing the work and getting that buy-in. So I think it really depends on where you're at and it's not really something that you could put a timeframe on, but I think utilizing tools available to speed that up and optimize that are key. I think it really just depends. I don't know, Eric, your thoughts on what-
Eric Kedrosky (26:00):
My experience working with lots of lots of customers and advising on this, it takes a lot longer than you think. You really are in some cases having to retrain people that have spent years and years and maybe even decades getting to a point in their profession where they understand the data center and having them now shift to the cloud. So I think, like Nicole said, there's a lot of resources out there. There's the course, the topics on the summit that people can go watch, but it will take a lot longer. And I think that it's crucial that you understand that and put the focus in upfront to make sure that you deliver the right training in the right ways to the right people.
Karen Levy (26:38):
Okay, I think we have one more minute for one more question. What's the best way to educate your team? Did anything specific that you do really help you in that situation?
Nicole Landry (26:53):
I think the best way to educate your team, and really I think this is dependent on the organization and your management, but for me, what's really helped my team is making sure that they block off time in their day because this is building on their proficiency and knowledge with the things that they're doing for their work. So blocking off time to put in training to research, to attend things like the summit as well to learn from and making that time. I think we need to ensure that our teams and us ourselves block off that time for that training education and build it into our day-to-day. And sometimes that's challenging, but I think it's important to encourage that. And that's helped at least for me as my team's building their proficiencies and understandings.
Eric Kedrosky (27:42):
And I'm going to take the CISO spin at this one for anybody that wants to take it from this perspective. There's nothing more value than showing the real risk. So if you have an opportunity, a tool, a way to show either your CISO, so I learned about this by my staff showing me and then how I educate, whether it be our customers or when I'm advising or my own leadership on these issues, show them it for real. There's so much FUD, there's so much talk, there's so much noise out there. But if you can say, listen, identities in the cloud are a risk, here's an example of how it's a risk. That's great. But if you can then show that that's happening in your cloud or you can show how that could happen in your cloud. And Jeff does a really great session, Jeff Moncrief that introduced me, does a really great session, is live hack. If you haven't caught that, watch that.
Show them tangible proof because there's never been a time where I've shown a CISO, especially in an advisory capacity when they say, "Well, that's great Eric. We kind of understand what you're talking about, but that can never really happen to us." And I can say, "Well, wait a minute. You've got this user in non-prod that has access to all of your production data through an identity chain in your cloud. Did you know about that?" And their jaws hit the ground and they're like, "Wow, I think I need to learn about this". So show them the proof in the pudding. I know CISOs love that, and I know it gives them a lot of ammo to take their programs forward.
Karen Levy (29:01):
That's some great final thoughts. We're up against time. We're going to close this session. Thank you again to Nicole and Eric. Keep the questions coming. We're going to continue to answer them in the chat and join us next for a break, we have networking and some standup comedy. Your choice. Looking forward to seeing you there. Thanks, everyone.