[music] Steve Riley: I would say that there's a lot of power in the singles, the single policy framework, the single console, the single agent. I've talked to a lot of folks who complain about having to log into multiple consoles, multiple single panes of glasses, some people might wanna say, and they love the fact that when they come to Netskope, it's one spot. The singles are helping us eliminate all of these acronyms and eliminate all the ways... Thinking differently about the different destinations, having a unified policy mindset.
Producer 1: Hello and welcome to Security Visionaries. You just heard from today's guest, Steve Riley, field CTO at Netskope. With the release of Gartner's Magic Quadrant for Security Service Edge, industry leaders are focused on becoming part of the revolution, from automating their environments, investing in new skills for their people to considering the economic climate. These are just a few of the challenges they face on their journey. Before we dive into Steve's interview, here's a brief word from our sponsor.
Producer 2: The Security Visionaries Podcast is powered by the team at Netskope. At Netskope, we are redefining cloud, data and network security with a platform that provides optimized access and zero trust security for people, devices, and data anywhere they go. To learn more about how Netskope helps customers be ready for anything on their SASE journey, visit N-E-T-S-K-O-P-E dot com.
Producer 1: Without further ado, please enjoy this bonus episode of Security Visionaries with Steve Riley, field CTO at Netskope, and your host, Mike Anderson.
Mike Anderson: Welcome to this episode of the Security Visionaries Podcast. This is your host, Mike Anderson. I'm the Chief Digital and Information Officer here at Netskope. I am joined today by a legend in the security space, former Gartner analyst, current field CTO at Netskope, Steve Riley. Steve, how are you doing today?
Steve Riley: I'm well. Thanks, Mike. How are you doing?
Mike Anderson: I'm well. I'm well. I always enjoy our conversations and all the stories. You've got so many great stories.
[chuckle] Steve Riley: Now I have to tell some of them. Oh, what am I gonna remember?
Mike Anderson: One of the stories, Steve, that's always funny is when you were at, I believe it was one of the big Microsoft, maybe TechEd or developer conferences, you got up and talked about security and got everyone excited about security at Microsoft, which kind of was like an oxymoron at the time. But maybe you could retell that story.
Steve Riley: Yeah. So it was maybe, not the first TechEd I spoke at, but the second one. I had to give a presentation in the big room like, what's new in Windows XP security. I'm standing in the shower that morning, trying to think, "How am I gonna say to this giant crowd of people to get them to at least pay attention to this random person?" and it finally dawned on me. So I got on stage and I said, "Alright, I'm gonna divide the room in half. Everybody on this side, when I raise my left arm, I want you to yell Windows, and everybody on the other side, when I raise my right hand, I want you to yell security. Alright, now let's practice." "Windows." "Security." So, you know, make fun of the right-hand side because they were kind of anemic. "Ah, you guys suck. Let's try this again." So do it three times, right? "Windows." "Security." "Windows." "Security." And then I said, "See? As you say it often enough, it starts to sound like the truth now, doesn't it?" When 9000 people are laughing at something that you just said, it's like, "Okay, I wanna do this for the rest of my life." [chuckle]
Mike Anderson: Well, absolutely. Well, so let's jump in the conversation today. The exciting news came out. The new Gartner Magic Quadrant came out for Security Service Edge, so obviously being, both working at Netskope, super excited about the results.
Steve Riley: Oh yeah. I sure am.
Mike Anderson: Before we dive into that, I'd love to kinda back up. And you were at Gartner for a while. Then you were kind of, I would say, one of the parents of the whole Security Service Edge, if we think about Zero Trust Network Access. I know you love that acronym that you created, ZTNA, 'cause it has the word network in it. That'll be my sarcasm for you for the day. I wanna start there. Let's talk about your journey a little bit there before we dive in, just so people understand the context around your expertise in this specific area.
Steve Riley: Right. I was hired into Gartner in the security risk management practice, specifically focusing on public cloud security. So that was what I provided advice and guidance for with our clients for the entire time I was there, about five and a half years, is how to be secure in IaaS clouds like AWS and Azure. A little bit of GCP. Not too popular among Gartner clients. But then a lot of conversations in how to be secure in SaaS applications like Office 365 and some of the other popular ones. In fact, at the time when I was interviewing for Gartner, one of the interview processes was you show up at an office, they put you in a room and you get 90 minutes and you have to write a research note out of your brain. You don't have any internet connectivity, no nothing, and the topic that I received was, how to be secure in Office 365. So I just used everything I could remember about that and wrote about a three-page-ish note, and I decided that my first actual note at Gartner would be a more well-rounded version of that same thing, and I think that was always one of my top read notes, because people just did not know how they could be secure in SaaS applications, which is interesting when you think about it, because in the IaaS services, they generally tend to have secure by default settings. You hear about these leaky buckets and it'll be this all the time. That's because somebody changed the default to something weaker.
Steve Riley: In SaaS applications, it's very different. Most of the security is switched off. You have to turn it on. And so you may wanna know, "Well, why is that?" A lot of SaaS applications facilitate collaboration and security sometimes gets in the way of collaboration, so most of the controls are off. But then if you think about security in SaaS applications, maybe only a handful of them have decent built-in security. Most of them have nothing at all, and this was what gave rise to the whole market of cloud access security broker, where Netskope started, is that maybe it's the best example you can think of where bolt-on security actually works. You hear about this all the time, you can't bolt security on, you have to build it in. That's true if you're writing your own applications, but for SaaS, you don't own the app. If you wanna secure it, the only option you have is to bolt something on, and that's what CASBs do really well.
Steve Riley: I came to really appreciate this technology. And there was already a market guide in place for CASB when I joined, but I was like, "We need to do a Magic Quadrant for this." And so the first one was in 2017, Craig Lawson and I were co-authors on that. In 2018, then we added the critical capabilities note and just kept that going. Now, it was at the end of the 2020 cycle when Craig and I started noticing that there was a fair amount of overlap in the vendors between CASB and SWG, and so we started thinking, "Hey, these markets look a lot like they're gonna converge." And we got some other analysts on a call and made the case for retiring both of the distinct Magic Quadrants for CASB and SWG and launching a new one. Now, some folks wanted to just retire the CASB one and rename the SWG, but Craig and I thought it was important that we need to state to the buyers that these markets, both of them are no longer useful as standalone markets. So we retire both MQs and have a new MQ with a new name, and that happened right before I departed.
Mike Anderson: That's great. And if we look last year that Magic Quadrant got released, it was a big debut, and obviously that's a... The Secure Access Service Edge, the guides that have come out about that and the research from Gartner, the security stack was always kind of the Security Service Edge in that context. So talk to us a little about why was last year's SSE MQ so important, and particularly how does that help reinforce the concept of Secure Access Service Edge, or SASE?
Steve Riley: If you think back to some of the original diagrams that Gartner had produced with SASE, there was a bunch of networking stuff on the left-hand side; routing and switching and SD-WAN and WAN optimization and DNS. All that stuff is responsible for getting packets from one place to another. And then the right-hand side was a bunch of security things; it was CASB and SWG and VPN and DLP and IAM, and all of the stuff that concerns itself, making sure that the right stuff gets to the right destination and wrong stuff doesn't. Over time, these started to collapse, and we saw a simplified diagram from Gartner more recently, where the left hand side was just SD-WAN. And what did that say? Well, that said that a lot of the networking functions that were formerly separate, maybe separate boxes, sometimes separate vendors, it all kind of consolidated around SD-WAN. SD-WAN was the overarching mechanism that people were using to get bits around, and the rest of those functions became features of SD-WAN.
Steve Riley: The emergence of SSE does for the security side what SD-WAN did for the networking side. It has taken all of the various mechanisms that people use to access data and consolidated them into one platform. Sometimes it might be just a portfolio, but the more effective ones are an actual single platform with a single policy construct, a single agent. I always like to think of it this way, that the rise of SSE means that we no longer have to think about distinct tools for governing access to SaaS versus Web, versus private apps. We wanna govern access, and we wanna use the same data protection methodology regardless of what the destination is, so why do we have all these different tools? I wanna get rid of that. I want one tool for managing access to all destinations so that my policies are consistent and so that the user experience feels much more enjoyable.
Mike Anderson: That's a great point. I definitely see a lot out there around each one of these tools also has, a lot of times, their own agent, their own hardware that sits in line in organizations, and the person that has problems connecting calls into a help desk and it's, "Okay, what is the problem?" "Well, first off, what app are you trying to connect to?" And it's a whole different set of troubleshooting stuff, so it's beyond just the policy, it's the downstream effects to the rest of the organization around creating an amazing employee experience. So I'm seeing it pick up steam. I'd be curious from your perspective and the conversations you're having, what is different now compared to a year ago as far as acceptance of Security Service Edge in context of SASE?
Steve Riley: Well, I would say that awareness of these markets has increased slightly. It still sometimes feels like when you bring up these acronyms, people are kind of lost. Everybody knows what a SWG is, some people know what ZTNA is. Even fewer people know what CASB is. I just saw a recent technology adoption report from Gartner that curiously seemed to position CASB as something that people were still just piloting. I'm not sure that I agree with that assertion, I think it's far beyond that now, especially when you look at where it is in the cloud security hype cycle. When I talk to folks though, I wanna set the acronyms aside and I wanna talk about ensuring that data goes where it's supposed to go and doesn't go where it isn't supposed to go and that the right people get access to the right stuff at the right time for the right reasons. And when I use this sort of framing and don't even include the market names at all, people are like, "Oh yeah, I really need that," or even more interestingly, they say, "Oh yeah, I'm already doing that," and then like, "Oh well, how are you doing that?" And they say, "Well, I bought this product from this vendor," and they don't even know [chuckle] what the name of the market is. So I think I would love to see us figure out how to just put the market names aside and talk about the functions that this offers, to focus on the value that they get out of it.
Mike Anderson: I definitely agree. You and I've had that conversation for... As a CIO, when I look at things, I'm looking at it from, what is the problem I'm trying to solve? First question I ask my team is, "Okay, you bring me a technology. Okay, tell me what problem we're solving. And if we solve it, what value is it gonna create for our organization, and then what's the level of effort required to get that value compared to other things we could be doing as well?" So it's always a... Ruthless prioritization is something that is key for leaders, 'cause they have to make sure that they're making the right investments, they're gonna direct the right outcomes for their organization. If we double-click into some of your conversations, what are some of the things that you are hearing specifically? And are there any surprises?
Steve Riley: Well, I would say that more orgs are finding value in bringing infrastructure and security teams together, but these silos or cylinders of excellence, we might call them, they're still around.
Steve Riley: In fact, earlier today, I was on a call with a customer and they wanted to know, "How can we tear down these cylinders of excellence because this is the biggest challenge I have for getting the most value out of SASE?" And I'm like, "Well, they just need to find reasons to work together. These are two, maybe sometimes three groups of people who go to great pains through each other professionally and socially. That just isn't gonna work. When the tools are blending, when the goals are becoming shared, you need to find a reason, I think, for these teams to want to cooperate, and that's one thing that is kinda cool about ZTNA, if I wanna bring a market name back into the conversation for a minute, is that... I heard this at Gartner and I've got a number of folks here at Netskope who are hearing this too, ZTNA projects often turn out to be one of the first things that exhibit themselves as a collaboration exercise. Infrastructure and security work together and devise a new way of providing remote access to applications. It really does work quite well. And in fact, the customer that I was mentioning too said that they saw an inkling of that as they were trying to explore some of what they can do with Netskope private access, that they already saw some examples of security and infrastructure folks just on their own reaching out and having one-on-one conversations. Not at the team level yet. They think that will come soon.
Mike Anderson: You're bringing up a good point too, 'cause I think one of the things that I always tell people when I'm talking to them about specifically Netskope private access or zero trust network access, the term obviously, we can thank you for. So when I'm talking to them about that, I say, you basically have to add an additional step in your change management process where before it was application owners that I provision access for that user in this application, do they have the ability to log in? I have to have an extra step there now where it's not do I have network access, but do I have application access. So you have to be explicit on that creation stuff, and that requires coordination. So you bring up a really good point. It goes beyond just networking, but it goes to the... There's a lot of other teams involved in that process to make sure that access happens the way it should.
Steve Riley: One thing that has kind of surprised me as I think back in my interactions with folks over the last year, people do seem to easily grasp zero trust principles, but they struggle with how to get started.
Steve Riley: And typically, I try to explain that a good zero trust strategy really works only when you've got the right instrumentation in place to gather signals and evaluate context of the user, of the device, application, data, the normal gamut, the who, what, where, when, why. Now, how do you do that? Well, you need an IAM, you need endpoint protection, and you need SSE. Now, the surprising thing is that people are shocked to learn that they either already have or they're acquiring it, right? It's a tech. They just don't have the mindset change. "How do I get started in zero trust principles?" Well, an example I like to give is implement a zero trust network access project. That'll give you exposure to the principles, it'll be a way that you can introduce some new technology without having to replace anything, it can live alongside whatever else you're using for remote access to internal applications. Once you become familiar with this new language, with the way the tools work, then it's not that much of a stretch to think that... You had already applied zero trust principles to SaaS applications with a CASB, even though nobody put those words together before, and then they're like, "Oh, that's true. I haven't." So it's kind of nice to see that there's now a recognition amongst people that maybe it isn't as hard as they thought it would be a year ago.
Mike Anderson: Yeah, it doesn't help the industry... You and I have had this conversation ad nauseam, but it doesn't help when you've got every vendor in the world saying they're a zero trust product. And so sometimes you say they were zero trust and you see CIOs and CISOs gonna roll their eyes like, "Yeah, okay, you're the thousandth company that said they're solving zero trust for me." But I think you bring a good point. I think that policy enforcement point between users and applications is applying a zero trust posture from an access standpoint, and I think that that's something I'm seeing people starting to understand more. I think there are some companies going to the effect saying, "Look, I'm going to make that the only way that people access applications in my environment with a few edge cases for personas that really need network access, but those are getting fewer and fewer." And so people, things that you brought up earlier, the routing, the switching, and some of those things that are out there, the complex routing tables, are saying, "You know what, we really need all those things anymore, or do we just need internet access and then let this new plumbing do the rest for us?" And so that's something that I'm starting to see and hear on the market from CIOs and CISOs.
Steve Riley: I've heard many similar things.
Mike Anderson: Yeah, I've got a prediction for you, so you like predictions, I know, is there's gonna be a new title, it's gonna be Chief Infrastructure Security Officer. So the I is gonna become infrastructure, 'cause I've talked to a few people in the last couple of months where they have actually moved not just networking, but the entire infrastructure team and security team together under one leader, and I'm starting to see more of a trend there, because what's happened is that the in-fightings... What happened is the infrastructure budget that was cut to create the funding for the security team, and that's where there's been friction because budget continues to flow to security, because it has to come from somewhere, 'cause the CEO is not decreasing their earnings per share forecast to cover the bigger security investment, so they're moving the pieces around, but then the requirements from the security team come back over to the infrastructure team saying, "Go put this in place."
Mike Anderson: And the infrastructure team is saying, "Well, you just took all my people and my budget. How am I supposed to do that?" And so that's some of the inherent friction we're seeing in the market. That's why I think this integration of these teams, where I'm seeing that. The CIOs I talk to say they're having very good success in that approach.
Steve Riley: That's great. And that's another representation of the consolidation of these two formerly separate domains. I like that.
Mike Anderson: Yeah, it's interesting too, 'cause a lot of times you get alignment at the top level, but where things fall apart is when you get down to the people actually doing the work and putting fingers on keyboards, because to them it's, "How is this change gonna impact my livelihood?" And so human psychology and Maslow's Hierarchy of Needs comes into effect with people that are doing the work every day, because there's change associated with it, and I think that's what people are also realizing, is they combine these teams, what's the change impact that that's gonna happen, and how do they take people through that change. That's one of the things I'm seeing people start to understand. If we double-click in this, we have our positioning, how does our positioning inform customers as they think about their SASE journey? How are we helping people in that regard with how we're positioning ourselves in the market?
Steve Riley: I would say that there's a lot of power in the singles, the single policy framework, the single console, the single agent. I've talked to a lot of folks who complain about having to log into multiple consoles, multiple single panes of glasses, some people might wanna say, and they love the fact that when they come to Netskope, it's one spot. The singles are helping us eliminate all of these acronyms and eliminate all the ways... Thinking differently about the different destinations and having a unified policy mindset. Although, I guess I would be remiss if I didn't also say that from time to time, not often, but occasionally when some people are confronted with a single console, arguments erupt over who gets to sit in front of that console. [laughter] Like, "Seriously?" But it has happened, and so we point out to people that there can be role-based access and different slices of the console for different roles, if you wanna do something like that and help eliminate some of those concerns. But I would say that that's one of the things that Gartner really appreciated, was the power of the singles, which has helped us move so far right and up in the MQ.
Steve Riley: But I would say that it's also preparing us very well for a similarly good position if there is ever a SASE Magic Quadrant some day. If you look at a previously released single-vendor market guide for single vendor SASE, we are the only SSE vendor listed because we now have an SD-WAN. The other participants in that market guide all came from the SD-WAN space and are adding security capabilities over time. We were faced with a decision a year and a half or so ago, "Do we wanna go all in on more cloud stuff? Do we wanna go all in on SASE?" And the acquisition of Infiot made it very clear that we were going to go all in on SASE, and I think that's maybe one of the best decisions that Netskope has ever made. We are well-positioned to capture I think a lot of that SASE business as it arises.
Mike Anderson: Yeah, it's exciting to see the... As we think about integration, the ability to ensure quality of service at the sanctioned application level. We try to make sure we get good labeling on sanctioned versus unsanctioned applications. Well, now for the teams that control the pipes of the network or SD-WAN that sit in front of that portion of the console, they can now set bandwidth controls around those sanctioned applications to say, "Give more of the bandwidth to applications that are sanctioned versus those that are unsanctioned," and there's a lot more use cases as well that we can see on that side. It's interesting, I always tell people that there's a big difference between a best-of-suite and a single platform. You can't call a best-of-suite a suite of products. Just because a company buys someone and they put their name on it doesn't mean it's integrated from a customer standpoint, and so make sure you're investing your own platforms 'cause that's where you drive the most organizational efficiency as well. To your point around WAN policy, that's the capability it delivers you if you think about it in the right context.
Steve Riley: The more traffic that customers can send to Netskope, the more value they can get out of what we are able to offer. And one of the things I love about having an SD-WAN capability in our platform now is that we've created whole new areas where customers can send us traffic that they might not have been able to send us before, traffic from devices where you can't maybe install an agent or something like that, and now they can send that to us and we can be making security... Well, customer can configure policies so that we make security decisions correctly for that. I love it. Great stuff.
Mike Anderson: Yeah, it's interesting too, 'cause you think about, because of all this fragmentation and tools, I think what was the stat? On average, enterprises have 76 discrete security tools. And then if you add on top of that all the network infrastructure they got, then they go invest in SIEM platforms to try to connect all the dots, they can figure out where the issues are, and there's been a lot of investment on that side. It'll be interesting to see how the consolidation of tools will then impact. If all my traffic's getting inspected in a single way, then I should be getting visibility in those single platforms that today I have to rely on other tools to do for me, and so it'll be interesting to see the impact there. So there's been big investments in the whole SIEM space for quite a while and other data log aggregation type tools. So it'll be interesting to see the parallel impacts in that space.
Mike Anderson: So one of the questions I have for you is, as we look at the current economic climate, obviously now cost savings is always a top priority for CIOs because they always have to find money to pay for the new things they're gonna do the next year, 'cause their budget increase covers inflation in most cases, except obviously this year, they've got a hole there. We're announcing that same pressure on the security side of the house, where cost savings is at the top, and the way that translates is in vendor consolidation. So how do you see the current climate we're in, how is it gonna help SASE? Is it gonna help, is it going to detract from it? What's your thoughts on that?
Steve Riley: Well, like you said, people are looking for areas to cut costs, to spend less money. I think SASE represents a real opportunity there. A couple of years ago, Gartner surveyed... I don't remember how many people responded. I think it's maybe almost 500 folks responded to this survey. But it was especially about consolidation, "What are your plans for reducing the number of vendors that you are interacting with as you have to upgrade your infrastructure and as you invest in more security?" And 75% of the respondents to this said that they were either devising a consolidation plan or had already embarked upon it and expected to save between hundreds of thousands to tens of millions of dollars, even though implementing the plan might have cost a little bit more money in the short term. 'Cause they did the economics and they realized that over the course of three or five years, that ultimately they'll be spending less on maintenance, less on upgrades, and less on training people. There wasn't so much desire to get rid of people at the time as there was to find ways to take the people they have already and enable them to create more value for the organization.
Steve Riley: So I saw a couple of analyses from Gartner clients, and they had both the hard dollar and the soft dollar in there. And even without the soft dollar stuff, the hard dollar savings were clear in about year two and then got bigger as the years went on. But once they added in the soft dollar stuff by taking people who might not have been doing something that added a lot of value but was necessary because of the hardware, now they can add more value, and there was greater economic savings from that.
Mike Anderson: It's interesting you say that. One of the things that I always look at is... And I hear from our CIOs when they think about SASE, it's, "Is this a rip and replace scenario? Where can I start? Can I ease in?" We talked about the VPN replacement or the zero trust network access being something, a logical connection is a starting point. What are your thoughts on that context? 'Cause that's something I hear all the time. And I think they want a place to start and then they wanna be able to retire things as they come off of contract, because they don't wanna have a double bubble that runs for 12 to 18 months. They don't wanna take an investment they made last year and now say, "Oh that was the wrong investment. Let me just go replace that." What are your thoughts, and what guidance have you given to people in that context?
Steve Riley: If someone is looking at the Netskope platform, most often, they have an old swig that is ready to be retired anyway, they have a VPN that they're not interested in maintaining or expanding anymore, and they probably don't have a CASB in place. So it's fairly easy for someone in that scenario to be able to look at old platform in one purchase. And in fact, I would say the last 18 months I was at Gartner, most of the price quotes that I saw for Netskope were for the whole platform. I thought that was really interesting. I couldn't say that was true for any other vendor in similar spaces.
Steve Riley: So I think we often find ourselves coming into opportunities where we are the right fit for where the customer is already. Like I said, that old swig, the VPN, they don't wanna expand. However, if that's not the way the customer is characterized, then they may be more interested in just one portion of what we offer, and that's absolutely fine too. Nothing says you have to start with all of Netskope from the very beginning. And if you still find yourself where your teams are kind of isolated from each other, then maybe it actually makes more sense to start with one aspect of what we do, and then once you gain familiarity with that, then encourage your teams to think about doing this in full. When it comes to consolidating these domains' infrastructure and security, it's not unreasonable to think that tool consolidation may be at least partially contributing to overall organizational change.
Mike Anderson: So it's interesting when I talk to a lot of CIOs, and I gave up my own experiences, we're always bringing in consultants from the outside, like the big system integrators to come in and consulting firms and look at our organization and tell us where can we go find savings. Often, given a target, I need you to find $100 million in saving, 'cause if I have a $750 million P&L, go find me $100 million that I can get and prioritize it based on what can I get realistically in the short term versus maybe the mid-term time frame. And so I think there's opportunities we need, is we need those consultants telling them around the whole SASE journey, "Hey, that can be part of that." But the organizational change management is... As you kinda pointed to earlier, it's gonna be one of the harder parts, because again, it's the human psychology kicks in at that level.
Steve Riley: That reminds me of the story. Shortly after I started at AWS, I was giving a talk somewhere, and I was specifically reviewing the provisioning of virtual machines, and somebody in the back of the room stood up and shouted, "You're threatening my job," and I'm like, "Really? Okay, what is your job, sir?" "My job is to take servers out of the box they come in and slide them into racks." And I'm like, "Maybe I am threatening his job." But I didn't say that out loud. It's like, "Okay, think, think, think." "Oh, do you know anything about what's gonna run on those service that you are unboxing and racking?" And he said, "Well, yeah, I've got some indication of what application is gonna run on there and what are the performance characteristics that that application needs so that I can select the right server for that application."
Steve Riley: Like, "Haha. Okay, you're not just blindly unboxing, you're making a selection of a certain box based on the requirements of what's gonna go on that box?" "Yeah, that's what I do." "Haha. So that's your value. Your value is not in the unboxing, your value is in the selection. So let me propose this to you. You can bring the value you already have to the virtual world. You're still going to be selecting the right size and capacity of a virtual server instead of a physical server, you're gonna be provisioning that into a VPC, you're gonna be applying some connectivity so that whoever owns the application can then put it on there and be off and running," and he's like, "Oh, I didn't think about it that way." "Okay, never mind." And then he sat back down. That was in 2009, and that story has stuck with me so long. I think it's important that when we are talking about the human side of all these changes, we need to help our customers and prospects be sure that they can do the best they can to keep the people they already have and help them figure out ways to provide value based on the skills they've built over the past few years. The worst thing we can do is come in and give the folks the impression that we're after their job.
Mike Anderson: 100%. And what I've seen from my own personal experience is when I've brought in new cloud technologies. I was doing transformation back in the 2015 timeframe when I was the CIO of Crossmark, and we brought Salesforce in and I said, "Hey, we're gonna start building apps on the Salesforce platform. We have a room for 25 people in the training classroom we're only doing on-site. Who wants to sign up?" We got over-subscribed. And the biggest concern I had was people are gonna go, "I'm a .NET developer. I'm not gonna do the Salesforce stuff," and it actually works out well for a lot of people. You bring up a good point, is that 80/20 rule, 80% of people wanna learn the new technologies because it makes them more marketable or more valuable in the future. You do have the 20%. I had one time, a person that manages my phone system, and we were using the TDM phone system, and basically said, "Hey, we're moving to this new thing, Skype for voice or Skype for business," and it was cool when it first came out, and so we were moving to it, and I said, "Hey, I'll invest in you to get the training for that because we're gonna move off of this phone system, but you have to be willing to take the training." That's the only time in my career where I've seen someone say, "You know what, I don't wanna learn that new skill, that new tool coming in." And they went and worked for someone else that still had an old antiquated phone system.
Mike Anderson: So there are those people out there, but I think to your point, it's important to upskill the people we have, because it oftentimes is harder to learn the company than it is to learn a new skill. And I think navigating a company is what almost takes the longest for people versus picking up a new skill set, assuming they have the right foundational understanding of that technology area. So I wanna pivot a little bit. One of the themes of this season on the podcast has been around working cross-functional. We've had this concept of security as a team sport. So if we cut through all the marketing hype that's out there around SASE, 'cause everyone's not bolted onto that, we've seen all the big players in the space kind of attaching themselves to that because people are talking about it. What is it that we really need to know? Let's cut through all the BS out there, what are the key outcomes that people need to be focused on when they're thinking about SASE to get it right?
Steve Riley: I would say that getting SASE right... Well, so much of the way SASE works the best is when zero trust principles are a part of the architecture. So I would say that to get SASE right requires really solid grounding in zero trust principles. And like I mentioned earlier about the thing that kind of surprised me is that people may have the right bits in place, but they haven't thought about how to use those bits to gather signals and context. So if I were to try to distill this down to one piece of advice around working cross-functionally, it's intentionally thinking about context. Now, that's gonna come from all kinds of different places, as I mentioned earlier, and in siloed organizations, it may be different teams who are responsible for managing the things that generate all that context, but synthesizing it together to make the correct access decisions at the moment those decisions need to be made, it is only going to work when the cylinders of excellence dissolve and people come together around shared goals. They might have separate motivations, but the goals need to be shared, and that is just the right access to just the right stuff by just the right people at just the right time, for just the right reasons. I think I've said that once and twice early already, but I think it resonates really well.
Mike Anderson: No, I 100% agree. It's interesting too. And I think about what are problems that everybody inside of an IT and security organization, for that matter, care about that SASE can solve for, 'cause I think to your point, I 100% agree because SASE delivers you that single policy enforcement point that is a key component of a zero trust architecture because you need something that sits between users and devices and the resources and the applications and the data that they wanna access. And the one that comes to mind that I think is a problem that I've heard a lot recently has been around public cloud sprawl, is more and more dollars are invested there, companies are struggling with people spinning up rogue instances of AWS or Azure, and those environments don't tie back to their commits they've made with those vendors, and so they've got these contractual commits with discount structures, but then people are throwing down a corporate card or setting up new accounts, maybe under an acquisition name.
Mike Anderson: And so the ability to identify those instances and then put controls in place to keep people from doing it is something that the security teams care about, it's what infrastructure teams care about because they're investing money in tooling, and the worst thing they wanna have in the organization is duplicate investments and tools, things that don't count towards their commits, and then ultimately those things don't get migrated, they end up having to buy more plumbing to connect that to their existing environments, which becomes more investment, that is a cost now that has to be borne from a run cost standpoint inside those organizations. So I think the team sport piece it's gonna be interesting to see how SASE plays out in that context and derives more and more of that conversion. If you had to say it simply, you're on the elevator and you're giving the elevator pitch to the CIO of the organization, why would you say that SASE is the right bet for them to make?
Steve Riley: Maybe because you don't have another choice anymore. Oh no, I'm kidding. [chuckle] Secure Access Service Edge, the A is maybe the most important word in that acronym. As cloud becomes more and more prevalent, think of it this way, companies are moving from one data center to many centers of data, so if the data is smeared all over the place because applications are smeared all over the place, well, the workers are smearing themselves all over the place too, right? Because nobody wants to go back to the office. And how can you have effective governance over the access to applications and data, how can you effectively control the movement of especially sensitive information in this highly distributed world? You've got to have something that allows you to monitor all access and all data movement.
Steve Riley: Now, should that be one box in one data center some place? Yes, if you like to live in fear, maybe. Actually it shouldn't be. You want a cloud-based service that can distribute the security closest to where the people and where the data and the applications are. But you wanna have a single policy framework so that you don't have to be making multiple decisions based on the destination, so you wanna have harmonized user experience so that regardless of where people are going, the way they get there feels and looks the same. That's what SASE does for you. It gives that harmonized user experience, that consolidated policy framework for access to these ginormous centers of data that people are building.
Mike Anderson: Essentially goes back to, my tagline for my organizations has always been "Simplicity is the ultimate sophistication", Da Vinci quote. So it sounds like SASE can be the way to drive simplicity into your organization that results in a better employee experience when they're trying to access and use applications.
Steve Riley: And it eliminates complexity, and as we know, complexity is the enemy of security.
Mike Anderson: It is. Indeed. So we only have a little bit of time left, and so we always have a section on predictions, and I know you love predictions because obviously you came from Gartner and made a lot yourself. So if you were to fast forward five years and there's an area that people should have invested in, what would you say in five years people look back and go, "You know what, I really should have paid more attention to that area?" It doesn't have to be SASE, 'cause we're talking about... It can be anything. But what do you think people should be thinking about today, and what would they wish they would have invested in if they could look back five years from now?
Steve Riley: Well, let's see. I can think of a number of items, but if I were to pick just one. I'm gonna be tactical about this. It's effective automated data classification. We've talked in our conversation here, Mike, a number of times about signals and about context. I think one of the most useful signals that can be used in creating appropriate policies is data context, and specifically data classification. I like to think about how the role of security is changing away from the gatekeeper who says no most often to the entity that allows a default stance of, "Yes, you can, but with conditions." That to me sounds like the best way to strike the balance between staying secure and getting work done. You wanna do both of those, and so if the security sort of philosophy can be yes with conditions as the default, well, then what are those conditions? And one of the best conditions is understanding what the data is for and what level of protection it needs. And so the reason I mention this is because data classification is hard. The tools that are available aren't that great, and as a worker at Acme Corp, your job is to build widgets or whatever, it's not to sit around and click buttons and toolbars all day and think about, "Is this public or private or confidential, whatever?"
Steve Riley: So I think trying to bring in automation... Well, automation in general, okay? So we'd have a broader answer, it's, "Let's invest in security automation everywhere." Now, what's my favorite example of that, is it's automated data classification. I just think that's gonna help us get a lot smarter about this goal of the right access at the right time.
Mike Anderson: Well, maybe we can implement ChatGPT in the middle and ask it, "Is this data I should care about?" And it can help. If we feed it all of our sensitive data, it can tell us that then. Maybe that's the answer, all jokes aside.
Steve Riley: You wanna give all your sensitive data to ChatGPT?
Mike Anderson: No, not yet, not yet. I think there's a whole separate conversation topic around ethical and governed use of some of the new AI technologies that we can talk about in future episodes.
Steve Riley: I was gonna say, I have another one, and it still kind of strikes me sometimes how this one comes across. Sometimes I'll ask people who are struggling with how they wanna build a security program. "Well, have you thought about what is your most important asset and what would happen if that asset were compromised in some way?" And I'm surprised that very few people have actually sat down and had that conversation intentionally. They throw money at this tool, that tool, the other tool, but they don't think about, "Well, wait a minute. If one of our information assets is damaged in such a way that we would just vanish off the face of the earth tomorrow, what is that asset, and how do we protect it best?" I don't know. I don't know if that's useful as a prediction or not, but I'm surprised how often I encounter folks who just haven't organized themselves around something like that.
Mike Anderson: Yeah, an interesting one, if you reframe the question is, "What are your crown jewels?" Which a lot of people have identified what those are. "And then what data inside your crown jewels is most critical for you to protect?" And maybe that's a different way to frame the question that maybe people would think differently, 'cause usually your ERP system's active directory is always something that's maintained in the crown jewel area because it's the tentacles into the rest of the world. In a lot of organizations still today, it's the tentacles into the rest of the organization. So another good prediction. So as we always wrap up the episode, we have this section, it's one of my favorites, it's our quick hit. So I'm gonna ask you a couple of questions, let's get your rapid reaction to this and we'll fire through a few of these and have a little bit of fun. So the one I always like to ask first is, what's the best leadership advice you've ever gotten?
Steve Riley: Best leadership advice I've ever received? I don't know if I'd say that this is leadership advice, because I've not structured my career to be a people manager, but just in general, something that my grandmother told me many years ago, if someone does something for you or gives you something, thank them. Don't say, "Oh, you didn't have to do that," because that minimizes the effort that they put into doing that thing for you. Be thankful, smile, be humble and then go on. I received that advice from her when I was 12, [chuckle] and I still remember that to this day.
Mike Anderson: Oh that's definitely sage advice, for sure. Next question, if you could eat one meal for the rest of your life, what would that be?
Steve Riley: One of my wife's vegetable scrambles. She does a fantastic job of just taking whatever is in the house, adding some spices and seasonings and cooking it up and it is delicious. It's never the same, it's always different, but it's always tasty. So vegetable scrambles.
Mike Anderson: That's great. Sounds like in our house, we call it, it's must go time. It's gonna expire, so we better do something with the list, throw it together and see if we can make something that tastes good, so that's definitely a lot of fun. Alright, this next one, I'm gonna love. What is your favorite song, and what does that tell us about you?
Steve Riley: Oh, so I mostly listen to electronic dance music or classical. So I would say my favorite musical work is Aaron Copland's "Third Symphony." I don't know what that tells you about me other than I really love the harmonic structures that Copland had in his heyday. He created chords and sounds that nobody else had, and it just really draws me in. I can get mesmerized listening to his music, and the Third Symphony is perhaps, in my opinion, the best piece of music he's ever made.
Mike Anderson: That's great. Well, I'm gonna have to go listen to it. I'm sure I've heard it and I'll probably recognize it if I heard it, but I'll have to go look at that again. You also text me the link to the song so I can listen to it again.
Steve Riley: You've definitely heard "Fanfare for the Common Man," you might not know the name of it, but once you hear it, you'll instantly recognize it. That's the fourth movement of a symphony.
Mike Anderson: Oh that's great. Well, Steve, I have really appreciated the time today, and you and I could talk for hours and we always do offline as well, so I really appreciate you being a guest today and sharing the advice you've got and just the wealth of knowledge that you have to share. Is there anything that you would like to make sure our listeners take out of this conversation, any last bits of advice you would give as we think about security service edge, the impure-released SASE, anything in that context? What would you like to leave with our listeners?
Steve Riley: I wanna return to the people aspect, as we wrap up here, and remind all of our listeners that your people have value. They may need a little bit of nudging in trying to figure out new ways to provide that value, but listen to them, ask them questions, find out what it is that motivates them to do what they do, and then help guide them as they find ways to maintain that value in the face of rapid technology change.
Mike Anderson: That's definitely good advice. We always have to think... It's always people first. That's what we're dealing with. And so we always have to think about the people. The technology aspect of things is easy. It's getting the people aligned around it with the change is always the hardest part, so that's definitely good advice. So, well, thank you so much again for joining the podcast, and I know our listeners got some really great advice from you today, and so I really appreciate you investing the time.
Steve Riley: Well, you're welcome. And thanks for inviting me. It's a lot of fun as always.
Mike Anderson: I hope you enjoyed our conversation today with Steve Riley. Steve is, again, our field CTO here at Netskope, but is a long-time Gartner analyst. Lots of great advice and wisdom that Steve shared in our conversation. Three things that stuck out to me, first and foremost is all around people. So as we think about any technology, we think about SASE, we think about security service edge, start with thinking about the people and the impact it's gonna have on them in the organization, how do we help those people through that change? How do we invest in those people to get them the right skills they need to be successful in these new areas? The second one is, as you think about SASE, first off, assess your environment to figure out where is the right place to start, whether it's replacing my on-prem proxy that I'm using today that now becomes part of that, or replacing the VPN that I'm using for application access. Then obviously, Steve said is an area where a lot of companies can start is, "How do I think about access?" and that can sit alongside what I have today and then become my mainstream in the future. And the last one, which has come up a lot of times in our conversations this year has been around automation. Automate as much as you can in your environment. Especially when you think about data classification, that's definitely an area of automation we look into.
Steve Riley: So thanks for tuning in again today to this installment of the Netskope Security Visionaries Podcast. Stay tuned for future episodes, and have a great day.
[music] Producer 2: The Security Visionaries Podcast is powered by the team at Netskope. Fast and easy to use, the Netskope platform provides optimized access and zero trust security for people, devices, and data anywhere they go, helping customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, or private application activity. To learn more about how Netskope helps customers be ready for anything on their SASE journey, visit N-E-T-S-K-O-P-E dot com.
Producer 1: Thank you for listening to Security Visionaries. Please take a moment to rate and review the show and share it with someone you know who might enjoy. Stay tuned for episodes releasing every other week, and we'll see you in the next one.