Ep37 | The Core of Zero Trust: Protecting Data While Powering the Mission
June 09, 2026
Kindervag, Yeske, and Howard, on the Core of Zero Trust, answering one big question: why are so many organizations still getting it wrong?
Over a decade ago, John Kindervag wrote the paper that changed cybersecurity forever. He called it "No More Chewy Centers," and the concept he defined — Zero Trust — became the foundation for how governments and enterprises think about protecting sensitive data. But here's the uncomfortable truth: most organizations are still treating it like a checklist.
In this episode of Hash It Out, Virtru CMO Matthew Howard sits down with John Kindervag, the founder of Zero Trust, and Don Yeske, a former IT executive who led Zero Trust implementation across the Marine Corps, the Department of Navy, and DHS. Together, they pull back the curtain on why Zero Trust remains so widely misunderstood, what it actually takes to get started, and why the rise of AI is about to force a reckoning that security leaders can no longer avoid.
What you'll hear:
- Why buying products and checking boxes will never get you to Zero Trust
- How to think about protect surfaces and take real, incremental steps forward
- Why sharing data is just as important as protecting it
- What AI changes about the urgency of knowing and governing your data
Matthew Howard
Okay. I will go ahead and, kick us off. Good afternoon, everyone.
My name is Matthew Howard. I'm the chief marketing officer at Virtru, and I wanna welcome you to another edition of Hash It Out. Today, I have the honor of being joined by two world-class experts in all things zero trust security, John Kindervag, from Illumio, who many years ago wrote the white paper that defined the term, when he was an analyst at Forrester.
John, welcome. You wanna give us a quick intro on background? I think most people know you, but we'd love to hear from the horse's mouth, so to speak.
John Kindervag
Yeah. John Kindervag here. I'm the, chief evangelist at Illumio. And, yes, I did create zero trust.
The paper you're referring to was written in September 2010, called No More Chewy Centers, that defined the idea, but there was lots of stuff that I wrote about zero trust over the years. And so and and, that's kinda been all I've been doing for the last, all six or seven years is zero trust stuff.
I used to do other things too, but, but zero trust has been all consuming even though early on people told me, that's a stupid idea and it's never gonna go anywhere. So
Matthew Howard
Well, it's great to have you. And, Don Yeske is also with us, a senior solution architect at Virtru and a former IT exec who was living on the in the real world, so to speak, with regards to zero trust implementations at DHS in a prior life.
Don, welcome. You wanna introduce yourself?
Don Yeske
Sure. Sure.
I think you have. I'll I'll I'll summarize briefly, Don Yeske. My my background relative to zero trust is not nearly as extensive as John's, but it it did become something that we were talking about in the late 2010s in the Marine Corps, when I was leading network modernization for the Marine Corps Enterprise Network.
Grew from there as, the initial federal references for zero trust were released. And while I was serving at the Department of Navy CIO, one of the jobs I did as the CTO there, was to act as the executive sponsor for a time for FlankSpeed, which was the Navy's entree, into zero trust as as an enterprise environment.
And it it happens to be the first thing that, the the department's, Zero Trust portfolio management office said, actually met all the qualifications that they had laid out. I left Department of Navy to go work for DHS, for at that time, Ken Bible, and I led National Security Systems over there.
And I did not plan on leading zero trust. And on day one, when I checked in, he said, hey.
They're transferring ownership of zero trust from CTO here to to CISO, and I was part of the CISO organization. And, so I said, yeah.
Sure. I'll do that as an additional duty. It became my job to define our actual strategy and implementation plan for zero trust as a department.
DHS being the third largest department in the federal government turned out to be quite a job.
Matthew Howard
Yeah. I'll say.
Thank you both for being here. I would love to kinda maybe focus this conversation.
You know, so many people from so many different perspectives for so long now have been having various conversations on zero trust. You know, the the theme for this discussion today, I'd like to kinda, like, center it on the idea of the mission, the mission at hand with with respect to, what we know our our national defense and and and national intelligence organizations are having to do in in terms of, you know, sensitive data being shared and then and at a time when, you know, there's never been a greater need for things like zero trust controls architecturally and and otherwise.
So so, John, and I'll lead off with you. You know, your paper, seminal in so many ways.
Fast forward to today. Question for you. Is the M and M concept dead?
And if so, what replaced it? And if not, what should have replaced it?
John Kindervag
Well, is it dead in that does it exist? Yes.
It's a zombie that we haven't been able to kill yet no matter how many crosses we burn or holy water we sprinkle over things or or whatever. So it's still out there mostly because people just don't want to do something that that they think, well, I could get in trouble if if if it goes wrong.
Right? So we've we've got a problem with incentives where, most people are managing their own downside risk instead of the upside potential or the mission. Right?
And so every organization should have a mission, not just governments, not just, military, but every every business should have a mission. I mean, they all have mission statements.
Right? But from a from an IT and a connectivity perspective, that mission is, you know, to protect data and assets, and that's what zero trust was designed to do. It was designed to focus on protection instead of products, policy instead of products, and focus on what's most important that needs to be protected and then put the the the controls around that into what we call a protect surface.
And so what Don did that was pretty revolutionary in the federal government is that all the government agencies were focusing on checklists and and products and everything, and he understood, I think, singularly amongst all the people doing zero trust in the federal government the how important the concept of protect surfaces, asking the question, what do I need to protect? And by doing that, we can shrink the attack surface down orders of magnitude, something very small and easily known called a protect surface, and then we can build out our zero trust environment, one protect surface at a time so zero trust doesn't overwhelm us.
So a lot of people get overwhelmed because they try to do it all at once for everything, and that's never gonna work. Right?
So, you know, Greg Touhill over over at CERT, you you probably know Greg, Don, from your days when he was at CISA, but he likes to quote Frederick the Great. He who protect tries to protect everything protects nothing.
And so you gotta be very careful about what you're protecting, figure out stuff in the right sequences, and do it one step at a time.
Matthew Howard
So so, Don Yeske, I mean, the the no more chewy insides, you know, I think is is a is a simple metaphor that so many people can kind of relate to. And internalizing that lesson and sort of thinking about your journey, maybe through the government and DHS and and implementing zero trust.
I mean, how did you think about no more chew no more sort of chewy insides? How did it manifest in your sort of actual thinking and and lead you to this concept of protect surfaces?
Like, what what was going through your mind and kind of, how do you reflect on that?
Don Yeske
Yeah. So it started with trying to apply that analogy in a way that people could really latch onto, both people in the US government and our our international partners who we were working with in various ways as well.
And and I proposed a different definition, of zero trust that couched it as a shift from network centric security to data centric security. That was before I knew anything about Virtru.
That was before, you know, like, I really had a good appreciation for all the good work that John Kindervag had already done. It was just, something that I actually took from from, Lorna Mahlock, General Lorna Mahlock, who I had worked for in the Marine Corps, at Headquarters C4.
And and she just kept hammering this point home. It's all about the data.
That there there were two things that that I think we seriously underrepresented in all of the guidance that we put out inside of the federal government. One was our our propensity to turn everything into an acquisition problem.
Government people largely exist to buy stuff. Right?
If you were to fire everyone who works for the federal government, you would still spend 98¢ out of every dollar in the federal budget. Because 98¢ of that dollar are being spent on things we're buying for the American people in some way, shape, or fashion.
We turn everything into an acquisition challenge. It's the only type of challenge we understand.
So, you know, our own propensity to do this because we understand it was, I think, multiplied by the propensity of people to see cybersecurity the way they had and and come to the conclusion that, okay, I just gotta go buy more stuff to do this. Which product does zero trust?
Tell me, you know, does it say zero trust? What would it make the explosion on the side of the box?
If it does, I'll buy it. So, you know, we we we really underrepresented our propensity to turn things into into acquisition problems.
The other thing we really underrepresented was our propensity to turn things, as John said, into checklists. People just wanna know when the job is done.
Right? They wanna know, okay, you know, OMB wrote this memo, M-22-09. It says I gotta do these 14 things.
Like, did I do them? And I have had the argument, including fairly recently, like last year, with people who were like, well, that's this is what zero trust is because that's what OMB said.
So if I do these tasks, I'm done. No.
That same exact document says it's a starting point.
Matthew Howard
Right.
Don Yeske
So so the way we approached it, as John said, was different. And to fight both of those things, you know, what I tried to consistently do at DHS and at Department of Navy and at Marine Corps was, you know, hey.
Look. We have to understand capability. People, process, and product.
Right?
Matthew Howard
Yeah.
Don Yeske
Product are important, but they come last. The the thing
that comes first is people. Right? And, you know, you're not doing cybersecurity unless there's someone doing it.
Right?
Matthew Howard
Yeah. Yeah.
Don Yeske
So so can you tell me who's responsible for these things in your organization? Let's just start there.
Matthew Howard
Yeah.
Don Yeske
And then process. How do you do that thing? Like, how do you actually do the thing that we're talking about?
It's a very nuts and bolts type question that people can't avoid. You put it in front of them and they go, okay.
I gotta answer that. That at least allowed us to gain some traction, I think, at DHS that frankly, I'm kind of upset at myself that we didn't get that same level of purchase within the Department of Defense at the time, now the Department of War. We didn't really get that same kind of traction.
And I think it was because we had just launched so far out ahead of ourselves that we we
Matthew Howard
So so I I have heard it's super helpful. And, I mean, this goes to both of you.
I mean, I have heard and I I can't remember who said it or how many times I've heard it from various folks. But, you know, clearly, this is a really hard job that anyone and everyone has in the margins of all things sort of cyber risk management, data security.
It's just hard. You know, there's a reason most CISOs have very short tenures in their job. But, you know, as we think about this, you know, zero trust and support of the mission, where the mission is, you know, national defense, people, John, Don, to your point, on the front lines trying to share sensitive data with allies to do things like protect countries and fight wars.
Like, the mission and the need for zero trust controls, it's a journey, not a destination. Like, a lot of people would like to snap their fingers and make it so and check a box and can't claim compliance in some regard, I guess.
But talk to me, John Kindervag, based on what you've seen, maybe specifically what you've seen over the journey within the the public sector and this idea of the mission. It's a journey, not a destination.
How how how do you see that? How do people take steps towards a destination as opposed to, you know, wishful thinking and snapping a finger and hoping they arrive at some magical place?
What's the journey look like, and how do people get started?
John Kindervag
Well, I mean, there's a lot of things, that that can help them get started on that journey. Right?
And a lot of stuff that I I published and talk about in webinars and speeches. And it's the same thing that Don is talking about, a a penchant towards acquisition.
And, and so and just to be done with it because if you're not allowed to be a creative thinker in it, then you aren't really incentivized to do the right thing, which is protect something. Right?
And when you talk about people, it's not just that people have to do, this stuff. People need to be protected.
It's their data. So I've had people say, well, I don't really care about that data. It belongs to my customers.
Well, I mean, behind every data point, there's a person whose life is disrupted, and so it really
Matthew Howard
And a person, a person who's, a person presumably who's who's responsible for a mission
John Kindervag
Right.
Matthew Howard
in the in the context of, like, nation states.
John Kindervag
Right. Sure.
And so but, you know, you're you're just when when you look at this, I mean, there's tools that I've developed, like sitting in the Pentagon at a whiteboard with a a department of war entity, that I I can't talk about, but Don's already mentioned. I had I drew the first zero trust learning curve.
How do you start your journey? You start with learning protect surface, then you do practice protect surface.
You get to Carnegie Hall and zero trust the same way. You practice, practice, practice.
You need a safe spot place to learn how to do it, then you need to practice it before you go to the big game, which is your HVAs, your high value assets, your keys to the kingdom, or your crown jewels, whatever you call them. And then after that, you can put stuff in in, as necessary, and then you're gonna find that there's certain things that shouldn't be protected in a zero trust manner because the value of them is not,
Matthew Howard
Mhmm.
John Kindervag
high enough. So you need to actually, have some kind of data valuation, protect surface valuation, asset valuation to know is this something that I should spend money protecting because there's a lot of things you shouldn't.
And one of the criticisms that I get is John says not everything should be in zero trust, and that's true.
Right? I mean, Virtru and Illumio, we both have a whole bunch of PDFs on our website that we're trying desperately to give away to people for free.
Right? Now if we start spending millions of dollars to protect those PDFs, what does the value of a PDF become? It becomes a negative number, and that makes no sense.
So why would you spend money to get to protect something you're giving away for free? Right?
Matthew Howard
Yep.
John Kindervag
Versus, the the the data the PII, the personally identifiable information of our employees or the health information of our employees, that's something we need to protect. Our intellectual property, that's something that we need to protect.
So, originally, I came out with a a little, a little cutie thing called the four p's of data security. Right?
Because I was an an analyst at Forrester, and we have to do things, you know, in alliteration. So, I I talked about, PII, personally identifiable information, PCI, credit card information, because it still gets stolen a lot, and it's really disruptive when it does, PHI, health care information, and then IP, the fourth p, intellectual property.
Those are the four p's of data security. And if you start thinking about that kind of thing and protecting them, then then you can figure out where is that stuff located, and then you can figure out what is the right control, and then you can have a system, and that's what zero trust is doing.
So there's a whole methodology about building that.
Matthew Howard
So so so, Don, curious to get your take. I mean, like, again, a journey, not a destination, taking small steps on the journey, getting small victories, you know, on a path to maybe a larger win over time.
And and, again, in the context of maybe your experience, in the government, you know, it is a massive undertaking. There's no doubt.
And and so many different ways of thinking about it, people are on various phases of the journey. How do you get started?
What does small step look like? How how, you know, is it about the protect surface?
Like, what's what's a small victory look like versus, you know, the end game?
Don Yeske
So
John Kindervag
Well, the the the man hold on. Let me just say, the man better
said protect surface now because his master's thesis is on protect surface, and it's it's an amazing thing. And I don't know if it's can you share that, with the listeners?
Don Yeske
I I think so. Let me check with the university, but I think so. And if if it's up to me yeah.
John Kindervag
Yeah. Everybody should read that. So if if, if you can't get it, from a link here because the university is gonna do it, then I'm sure you can figure out how to get it from Google.
Matthew Howard
Yeah. We can definitely make it available. John, but but, Don, talk to me about that journey concept and and what does a small step look like on the path.
Don Yeske
Sure. Well, you have to work up John's right that you have to start with, like, practice protect surfaces and then get better at it. What I found in in my experience was you also have to work up to the concept of the protect surface.
So, you know, organizations that we're dealing with bottom line, the first step in wisdom is to know something about yourself. Right?
The the the the the early essential thing is to get people looking at themselves. Right?
Get organizations looking at themselves and trying to determine what's there. So where we started with DHS was, you know, just go do an inventory.
Right? Tell me how you do phishing resistant multi factor authentication. Tell me, are you do you have an inventory of users now?
Do you have an inventory of applications now? Are you doing DevSecOps?
Like, what do you do? You know, it's kind of the Bobs in Office Space.
What would you say you do? And and that's a win.
It's small because it's it's like, people can get their heads around it, but it's also a gigantic win if you can give them just a specific enough definition of the capability you wanna describe for them to go, oh, we do that, and we do it this way. Or we've talked about doing that, but we don't do that right now.
Both of those answers are hugely valuable. Hugely valuable because it tells you where you start.
Now later on, right, that's kind of phase one. Think of that as phase one.
Figure out what you can do now and how mature those capabilities are and start building them out and wiring them together. But in phase to begin phase two, now you have to know what you're protecting.
Right?
Matthew Howard
Mhmm.
Don Yeske
What is it that was important about your mission or about your people or about something, you value that you find is necessary to protect? Right?
They're not all equal, and not everything lives in a protect surface. But it it what it is is it's it's it's entirely about under the first phase is understanding yourself.
The second phase is now understanding what is it that you protect, and, then how do we get that?
Matthew Howard
I wanna poke on that concept of not everything lives, you know, in a protect surface or on a protect surface. I mean, like, it's a really interesting concept because, you know, I think so much of the time people think about zero trust and and and and cyber risk management.
And certainly at the Gartner conference last week, this was on full display. You know, I wanna protect the information that I have inside of my domain from, you know, loss and theft, and I wanna lock it down and prevent it from being stolen.
And that's a valuable thing. There's no debating that. But at the same time, you know, there's this idea of, look.
I have sensitive data that I wanna share with other people. It's part of a mission.
You know? I've got allies. We're we're collaborating together to to kind of, you know, get to an end game where, you know, our success is maybe joint in nature.
So how do I share information with others in a way where, you know, I'm I'm able to do it in a manner that sort of looks like, feels like zero trust. How do you think about that concept that it's not just about protecting data from being lost or stolen, but it's also about protecting data that we intentionally share with others for the purposes of supporting a mission?
Don Yeske
Yeah. So for there to be value in data, someone has to use it. Right?
In order for data to have any value, it must be of a use to someone. Right?
And and this was a large part of the reason why I came to Virtru after leaving the federal government was because of that philosophy that the company has, which is, you know, there's this dual mandate. Came from the public sector.
Came from the federal government after 9/11. Yes.
You gotta protect everything. Like, that's important. Protecting everything is important.
But if you're protecting everything to the point where no one sees it, you're doing harm. Right?
So there has to also be a way to share whatever it is that you're protecting in such a way that anyone who can prove they should have access to it will. That's just a really powerful concept.
I think in large part, all zero trust architectures are trying to enable that that motion. There's some uniqueness in how Virtru enables it.
I think a power in that technology. But I'm not saying Virtru only does this.
Everyone who's trying to get to zero trust at any level, anywhere, I'm certain Illumio is doing this. Right?
Any business that is serious, that is not just trying to sell you a logo that says zero trust is doing this. They're trying to help you protect your data.
They're also trying to make your data useful. And in the federal government, which is most of my background, we were afraid of our data.
Let me just put it out there. We were afraid because we didn't know our data.
And any task that came out that said go and know your data was interpreted the same way as any other task. Applies to everything all at once.
Right? This this is the fundamental truth that John was getting at, I think, early on in framing zero trust that no one heard. If you're trying to protect everything, you're protecting nothing.
Right?
Matthew Howard
Right.
Don Yeske
If if if everything on the battlefield even put in military terms, take it out of IT entirely. Right?
Anyone who's serious about military strategy or has studied it at all. Right?
And and I'm just graduating from National Defense University. Right?
So I have studied this. But it was something I understood years before that is there's a whole battlefield. Right?
Some things that happen on that battlefield are more important than others. Some terrain on that battlefield is more important to protect than others.
Some of it has more value than others other parts of that terrain. And if you don't understand that, what would you say you're doing?
Right? What what Sun Tzu would say is, that's called the noise before defeat. Strategy
without tactics or I'm sorry, tactics without strategy is the noise before defeat. The converse is also true.
Matthew Howard
Yep.
Don Yeske
Strategy without tactics is the slowest path to victory. If you understand the broad sort of brushstrokes of how you're gonna win, even if your tactics suck, you're gonna win.
Right? So just final thought. OMB M-22-09, M-24-14, some of the other sort of framing references for zero trust that came out took the form of task lists.
They were tactics. Right? They were things that you could tactically do that were not unaligned with zero trust, but they did not express a big broad brushstroke strategy of how to actually get where we were going. And that was a fatal flaw that we still have to go and fix.
Matthew Howard
So, you know, it's just a a ton to unpack there, but but, clearly, the journey that we as an industry, all of us, this is this is so much bigger than Virtru and so much bigger than Illumio and any vendor in particular, just kind of getting to a place where we can, you know, authentically look in the mirror, as you said, and know something about yourself with respect to your governance and your control over sensitive data as part of a an organization, yes, to prevent loss and theft, but also to enable sharing and mission success. Much of that sort of lens that we have on this journey is sort of informed by this idea that humans are sharing data with humans or need to share data with humans, and we wanna have those zero trust controls in place.
But at this moment in time, and, certainly, again, I I think back to last week at the at the Gartner conference, the cyber and risk conference in in DC, so much of the conversation right now is is, for many reasons, good reasons, whitewashed in all things AI. And it's less about maybe perhaps human sharing with humans and maybe more about humans sharing with machines or machine sharing with humans.
John, how do you think about the zero trust conversation at a moment in time where so much of the oxygen in the room is being consumed by machine identities, AI, everything?
John Kindervag
Yeah. No.
I mean, given it a lot of thought, I I wrote the foreword to this book, Agentic AI plus Zero Trust by my friend Josh Woodruff.
And
Matthew Howard
Was a heck of a that was a heck of a of a softball there. Nice hit.
John Kindervag
Thank you. Thank you. I try. No.
I mean, you know, look, one of the things that we we're we're a little bit too hang hung up on is the anthropomorphization of this technology. Right?
That humans are sharing data and then machines are sharing data, and it really doesn't matter because it's it's data sharing data. Right?
So John and Don and Matthew are not on the network right now. Right?
There is an asserted identity that is that is, being used by a machine to generate packets that contain data and that are going to this, this, platform, this this platform you're using. But, really, we're just machines.
We're fronting the machine. Right? And so what you have to do is understand what's inside of the packet.
It doesn't matter whether it's a human being or a machine. It's what is the packet doing, and is it supposed to do that?
Right? So when Don said, well, we asked people and they didn't know what was on their network because they were afraid of the data. You know what who wasn't afraid of the data?
Ed Snowden wasn't afraid of the data. Right?
So because in this super secret network that he used, once you logged into it, identity, you've got access to everything on it, whether you should have access to that or not because people weren't willing to ask those questions.
And so, you know, I've been asking these for a long time. I mean, when I was at Forrester, I covered encryption.
I wrote a a paper that was pretty influential, called Welcome to the New Era of Encryption. I I covered, a lot of different things around data security and created a framework for that.
And all of those things informed what I was trying to do with zero trust, which was make make the the network and the environment a very pow powerful data and asset security platform. Right?
But you have to know you have to know the right questions to ask. And so, like, one of the things we do really badly is classify data.
And we do it badly because we use human models. This is secret top secret.
TCI, you know, only James Bond can see it. And and when you when you ask somebody, okay, the the the answer is I would know it when I see it.
Well, how would you protect it differently? Well, I probably wouldn't.
They don't know. Right? So you'd we've made data classification really complicated. And then we've made it really complicated in in the sense of how different organizations are incentivized to classify data.
So in the US federal government, data having information is power, so they over classify everything, in my experience, because they don't want you to have access to it. And in the the corporate world, they under classify it because they want everybody to have access to it because they want everybody to go fast.
I mean, we're all a bunch of Ricky Bobbys, right? We just wanna go fast. So all these things are all tied together in my mind in zero trust.
Right? And and and that's what I was doing at Forrester was pulling all those pieces, and I had a new model for data classification, new ideas around encryption, all tied together with the zero trust being the ultimate thing that plugged them together as both a strategy and a tactic. Right?
And, you know, if we had more time, I could give you the history of how I learned about strategy from, the the guy who was the chief strategist for the first Gulf War. And I learned to you know, I stay I've been studying strategy ever since then just like you, John, and I understand the difference between strategy and tactics.
And one of the big differences is who it resonates to. So strategies resonate to leaders, tactics resonate to doers.
And so people would just wanna know, tell me what to do. Right?
And and that's a valid thing, but we fail if we don't get to the leadership so that they can incentivize somebody to do the right thing instead of doing nothing or instead of just doing the checklist. So I had one three star general say to me after briefing him on zero trust the way I always do, oh, thank you for telling talking to me about zero trust in a way that I could understand because I could never understand these, you know, points of light, these checklists.
Right? That didn't seem to me as as a a leader, a mission leader, to be useful. And so, you know, it it changes the game in terms of who you're talking to.
Right? And you need to have both sets of messages available.
Matthew Howard
So so, Don, you know, we we based on the challenges that exist I mean, this is as we've said before and you guys have already enumerated, you know, this is very hard stuff. You know, it is a journey, not a destination.
You know, there's strategy. There's tactics. You gotta start small, get small wins.
You know, the protect surface is a thing. People process products.
You can't procure your way to the end game. You just you know, there's so much to do to get right, to move the ball forward.
And I guess at this moment in time with all things AI, my my my perhaps my last question for you, Don, is is everything you've shared here today and everything you know to be true, you know, not not to be negative on on the challenges in front of us, but I'm just wondering, are are we about to spend the next decade relearning the same lessons that John Kindervag taught us back in 2010, only with bigger consequences because of the AI wave, or or are we in a better spot? I mean, I'd love to know your thoughts on that.
Don Yeske
I sure. I think of AI as an amplifier in the context of the question that you just asked. So think about it this way.
We were scared of the data, right, because, we didn't know the data. And, you know, if if you were to hand an organization a task that they equate to, you know, go figure out what all your data not only what it is, is, but what it means, how important is it, what how in what ways do you have to protect it, for whom, who has to have access to it, when, why, and how.
Like, those are just overwhelming things. And most organizations faced with and not just government organizations.
Most organizations faced with that task will just reboot. They'll just, like, forget it.
I can't that's not something I can do, and they'll move on. Right?
AI the the effect that AI is having here is it kind of forces us to do it anyway because of velocity and because of the deepening importance of data. Right?
Data is the fuel of any, you know, modern AI oriented system. It is the fuel you're burning.
Right? If you're burning crap fuel, you you you're gonna burn out your engine. And, you know, you're gonna spend tokens either way, guy, whether or not you're getting, you know, reasonable results.
You will get them quickly, and they will be quickly very wrong. And so so, I see it as a good news, bad story bad news story.
The bad news is that. Right? What we're what we were doing in human time, we are now doing in machine time.
That has amplified that problem. Here's the good news portion of that story. People are now understanding the problem and starting to pay attention to the problem because they want the value that an LLM will bring to their organization if they were to employ it with the right agents, with the right people using those agents, and with enough agency among them, not too much, but enough agency among them that they can go have real impacts today on the bottom line of the business.
Right?
Matthew Howard
So if you if you want the benefit of anything AI, you you cannot afford to be afraid of your own data, like, full stop.
Don Yeske
Yep. Yep.
Matthew Howard
You gotta you gotta go do the homework. You gotta know the data.
You gotta classify. You gotta tag. You gotta do all of those things and then ultimately put controls into place so that the organization can, you know, move forward both in terms of, like, preventing loss and theft, but also move forward in terms of sharing that to kinda get the mission done, which is, you know, ultimately, you know, where data is arguably at its at its most useful.
Don Yeske
Exactly. And just to come full circle on this whole conversation, the way people now attack that problem is not in the irrational way of the of the attack surface.
Right? It's not it's not try to do it to everything all at once forever. It is they're doing it incrementally.
Not because, like, they recognize the wisdom of doing it incrementally, because they're forced to, because of the speed of change that's happening in the system.
That's a good thing. Right? The more you understand what you're doing, the more you understand what you're protecting, the better job you're gonna do.
So I think that over the next
Matthew Howard
Yep.
Don Yeske
we will painfully learn some of the lessons we should have learned ten years ago at higher speed, but we will actually learn them now
Matthew Howard
Mhmm.
Don Yeske
and move out speed.
I have hope. I choose to have hope.
Matthew Howard
Right. Choose to have hope. That that's that's super thoughtful.
Thank you, Don. I think we have time for one last question, and, John, I wanna pose it to you. Based on everything you know, have sort of witnessed over the course of your career, you know, zero trust maybe broader than that as well, what do you think is the number one thing?
And it's a little bit of a play off of the question that I just asked Don, but what is the number one thing that you think the next generation of security leaders needs to get right that the that I'll say our generation got wrong?
John Kindervag
Well, I mean, our generation was not prepared for the digital age. It came upon us.
We were like, what? What? What?
You know, what's the Internet? Right?
I mean, I remember the first time I heard the word Internet, and it was at an educational conference, and and or homeschoolers were the first people to adopt it outside of academia. So, you know, we've now had a chance to catch up, but the first question you have to ask is what are you trying to protect?
Right? People call me all the time. I bought gadget x.
I bought product y. What do I do with it? I don't know what to do with it.
Well, what are you trying to protect? Well, we haven't thought about that yet.
Right? And so and and you need to protect understand what you need to protect for a couple of reasons. One is how you use it.
Right? But the other thing, there's an another Sun Tzu quote that we need to pull out other than the two that Don has already brought up. Know your enemy.
Right?
Matthew Howard
Mhmm.
John Kindervag
What's what's happening is that there's criminal gangs trying to steal your data. There's individual hackers trying to steal your data.
There's nation states trying to steal your data, trying to steal your intellectual property and turn it into them. I mean, I I just saw, watched a a thing with, Palmer Luckey, and he was saying, don't patent anything because a patent is a step by step tutorial for a nation state on how to copy what you've already done.
Right? So things that are so ingrained in us like patents don't matter to other foreign nation states, so they're just gonna steal that idea and build it themselves. So you have to protect that intellectual property and not from a legal perspective, but from a pure technological perspective because there's so much of that stuff going on.
Matthew Howard
Mhmm. Yeah.
John Kindervag
So know your enemy as well as knowing your data.
Though those two things will give you the the aperture that you need to understand what you need to do and how you need to move forward.
Matthew Howard
Yeah. I I think it's interesting to your point about, you know, our our the current maybe generation of of of leaders were arguably not prepared for the the massive wave that was all things digital.
But as we sit here today and imagine the next twenty, twenty five years of our collective journey into this world, you know, the next generation of leaders is sort of digital native by definition. And as a result, maybe they are, back to your point, Don, you know, choose to have hope, you know, being digital native, you know, not being afraid of the data, certainly wanting to get the benefit of, the productivity and the power of all things, AI and LLMs will will force the reckoning to to do the work that's necessary to, take the steps, the small steps incrementally over time to get to a place where, you know, you hopefully have some type of true zero trust control, if not perfect because I don't know what perfect is, but but true, policy, access control, and governance over sensitive data so that organizations can, you know, improve their posture, in a way that that I think comes full circle back to, you know, the first principle.
Like, what are you trying to protect? I'm trying to protect the data.
So if it is about the data and we have the benefit of the digital natives who know that, then then there's hope for the for the future as we kinda continue to kinda, head down this journey. But, it is a great pleasure to chat with both of you, today.
I really appreciate the time that you made available to us and and and for sharing your your your your perspectives. Thank you everyone for joining, and, we'll catch you next time on the next edition of Virtru Hash It Out.