We will talk about reducing the pieces in your cybersecurity suite.
Yeah. Thank you, Christopher. And welcome to everyone and sorry for having been a little late for the intro moderation. I just was having a coffee, and I thought, do I have to moderate at 10:30 or 11? It rarely happens to me, but we have these double moderator roles here to ensure that nothing goes wrong here. And as you can see, I already saved the clicker for me. So I'll talk more. I'm happy. Maybe can happen. I don't think that I need to introduce myself, most have seen me probably over the course of the conference. So yes, reducing the pieces in your cybersecurity suite. This is a little bit, so we did a little bit of look at all the terms. You don't need to read them out. So it's not the intention. The intention is, these are just the terms which are commonly discussed today.
So Mike already mentioned several of them and there are way more, and it looks a little bit about how they relate and what is part of what and so on. And I think we can probably agree on, it's not a good idea to have everything in place. So it's about understanding which of these many, many tools, and it's never a problem to add more acronyms and more technology names and so on, which of these do you really need? This is at the end, the question. So how could your micro is up to cybersecurity fabric saying, how could your cybersecurity fabric look like? What is sort of the set of technologies you use? And as I've said, there are many, this is another perspective on that. This is the reference architecture with a little less technologies than we had before. So this is the cybersecurity incarnation of the reference architecture.
Some of you have seen the IM reference architecture, still tons of technologies. And this is, as I said, not as comprehensive as this graph we've been showing have been. So what we need to do is we need to understand the value that technologies deliver to our business. And that brings us to, we need to measure in some way, we need to apply some metrics because when you have technologies in or when you're saying, okay, it's the budget, then you always will have different, okay, let's wait a minute until all the people are in. I think we started a minute earlier. So sorry for that. No, it's two minutes past already. So to quickly wrap up. Maybe I go back because so many came in, we have a little bit too many cybersecurity technologies out there, and we need to understand which of these really provide value, which should we have in our sort of our own cybersecurity fabric, which of the many technologies also here in the reference architecture to pick and to do that.
This is where I just started with this slide to do that. We need to apply some sort of metrics, some sort of measurement, some sort of comparison because otherwise, and I think many of you have gone through this portfolio discussions and budget discussions. So budget always is limited where, for what, what, which things should we spend them or even worse discussing? Do we still need this tool? You always will have a few people who love that tool and say, oh, we need it urgently. And others will say, oh, there are better things to spend our money on. So we need to analyze, we need to take a step back and think about which is the better technology option. So compare it, and we'll go into a little bit more on these comparisons and the subsequent slides, but we can compare technologies for instance, by looking at how they relate to each other in capabilities.
If you take one of our leadership documents, you will find the spider bar per vendor. This would be the more on the product level. You can do this also on a technology level, you can look at technology and think about which technology is better suited to deliver certain types of capabilities that gives you a picture. And I talked about yesterday, I talked about KRIs and KPIs and the same, a little bit here. It's not about is this eight two or eight, five or eight, four, it doesn't need to be a totally exact science, so to speak, on that, but it should give you a direction. And that helps you. I always feel visualizing helps to better understand some things. And this is something spiders metrics as severe Analyst. You know, we love these things, they all make us look as you really understand it.
So, but applying these things is really from my perspective, helpful, and or which of the tools deliver better on the ratio of capabilities to TCO or risk mitigation to TCO. And maybe you have redundancy because you say, okay, they do more or less the same, roughly they are overlapping. If you take the first spider and two tools are very much the same or two groups of tools, then you need to think about, or what is the subset of the other you need to think about? Do I really need both? And as I've said, the target always should be to keep the complexity of what you do in cyber security under control and what you implement first, what helps you most for closes the gaps? These are the questions I believe we must investigate in a structured approach and a structured analysis to better understand where to spend our euros or dollars or whatever else. And we have many options to do it. We can take for metrics or also for spider. We can take a lot of different can look at a lot of different dimensions. And,
And maybe I jump in here to tell a little bit details from when we do this for customer also internally Martin already mentioned it is really relevant. The metrics, whether you take the TCO, the risk mitigation or whatever, these typical six year seven at all, and probably many more are typical measurements, dimensions. You can use to verify whether you have a duplicate tool and overlapping functionality, unnecessary risk mitigation, or duplicate risk mitigation. Or this is probably the most important thing. If you have a functional gap and a high risk, for instance, if this is your approach in optimizing your portfolio here. So this is really based on the tip or traditional portfolio management idea, using spider graphs, using different diagrams to visualize, but adding really more modern ideas or more IT-relevant measurements like TCO risk, security gap, or risk mitigation.
Yeah. And then we brought up eight here, as I said, or seven, seven, what else? Seven plus, what else? Exactly. And you kind of come off as more, but I believe that that seven are very good and probably already too many. I like the risk mitigation one. So the one I use most frequently is risk mitigation to low TCO. So you have low TCO on one axis, big risk mitigation on the other, and then the upper right edge. You have the ones which are helping you most to mitigate risk at the lowest TCO. And I, for me recommend to look at TCO here. So really the longer cost of that, because we all know that once you have such a tool, it's hard to get rid of it. And this is what you should also look at. You must start looking at which of these tools doesn't deliver that much anymore.
This is difficult in cybersecurity because if you retire a cybersecurity tool and something goes wrong, then someone will stand up and say, Hey, because it's only because you retired that tool. So you need to be well aware that what you did is better than what you had. This is clearly one of the challenges. I also like the resilience element because we are all under attack. All our organizations are under attack and we are, or will get breached sooner or later and something will happen. Sometimes some things severe will happen. So resilience is a very important aspect. How can we increase business resilience at the end of the day? How can we keep our business alive? So do technologies help us there in doing that? It's I think a very important aspect as well. So we can look at all of this. I think you surely have read through this thing and how does this look like?
This is for instance, a very rough sample of low TCO versus risk mitigation. And so we can, as I said, we can discuss where we place all the technologies. I'm totally open on that. And this should be a discussion you run with the various people also in your teams, because these discussions at the end maybe are the side visualization are the most helpful things to understand the different perspectives to also maybe not agree, agree would be too strong an expectation, but at least to have a common understanding of the thinking of the others, which is, I think already a big achievement in many cases, to bring people from different teams on the table and exchange about that and discuss it because you always will learn from that. Everyone will learn from that. And this is important. I remember customers who did this and they had, I was a little scared about it at the beginning, they had 35 people in the room, but the point was also that customers said, you know, there's no one of them who can stand up and say, I wasn't involved.
I had 35 people from different countries from different teams then, and out of these 35, let's say 28 were totally quiet, but they were in and they had their opportunity to talk. And I think this is something sometimes even that can be the right way to do it. And here, I put it into could do, should do, must do, don't do. So low risk mitigation, low TCO, probably not the thing to do. Yes. You might say, firewalls is a little bit unfair here because you need firewalls. You can't get rid of firewalls. You need them to filter a lot of noise out, but they are clearly a technology, which is not at the forefront anymore of that. Then you have the let's start here. The could do things sector one, so to speak. They are nice but limited. I think we, when we see the emergence from traditional antivirus to EPDR, endpoint protection detection response, which is way more to the right here, then we see that the traditional technology approach has been emerged into a modern technology approach.
So if you would take a spider of these two of them, it would be AV, AM, so antivirus and anti-malware, as a subset of EPDR. And then the logic would be, we need to shift forward and leave the old behind, or emerge to something new. That would be the message here. The must do things are the ones which are most important and you don't do things and you can play around with this. You can do it in different ways, but it's just to give you some ideas here. And at the end, it's really about portfolio management that helps you defining how your infrastructure and cybersecurity should look like run budget, strategic focus, but also looking at future, what do you need in the future? Where is the world heading? Where to go? And as of that, we always can discuss about a one hour rating. It is at the end of the day, it's about how can we apply measurement to that? And this is another perspective picture we took from identity management, I think, which gives you quite another good.
Yeah. Maybe I was one who worked odd on a similar way. This was the customer. And maybe coming back to the efforts just starting was creating something like that. I, if I remember right, something like three times, four hours workshop on site to build up something like an overall understanding between the involved parties. So from HR, it was identity management, HR as AP system was there, IT security, IT operations, all these guys joined. And we started with finding a right understanding of the right tools, which is also the first step in optimization here. And then we went through it. So we have, again, the dimensions Martin already explained, but here on a concrete example. So in area one, there is identity proofing. This is something when we created this, it was not that important for the customer. Maybe today it's differently. So it's something for the long
Time. Don't do it once. Do it regularly.
Exactly. I think this is one year old, probably more
I believe anyway. Yeah,
Exactly. So maybe now they would have to use it. So the long tail area, number two is something very strong candidate. So identity federation, for sure. We know that we need it, we have adaptive authentication and all that stuff and privileged access management, but even these building blocks or these items are really big things. I cannot start in a normal organization with one about 4,000 employees or 2000 employees as such 1, 2, 3, 4 big projects at the same time. This is also something maybe in the next step. I pick out this thing, prioritize a little bit and look, where are overlapping capabilities? Do I have something? Do I need to optimize something? What is my portfolio? Where's the gap? So, and here again, these are the dimensions, importance and missing functionality, missing functionality, and you can then extend it by other dimensions. The one we mentioned, like resiliency and so on to really find the optimized set of tools within your organization, minimizing duplicates, and the management would love if the costs are as low as possible. Yeah,
But I think at the end that the management even would love more. If the risk mitigation is as good as feasible.
When you look at, I think just this week, we met with our CSO council, a group of S we are engaging with regularly. And I think we had three or four, which couldn't participate because they had board meetings the same day. And so what they really are concerned about is risk at the end of the day cyber risks, which goes up to the board. But anyway, I think the point is, and also for instance, take importance, importance could be a combination of something you did before. So you might say, I look at first, how does this help in risk mitigation and other things? And then I combine that into one rating. And then I look at my gaps.
Exactly. And importance is one of the most discussed topics from starting the scale. So one to three high, medium, low one to 10 and whatever, and then how you rate it. This takes usually the most time discussing about the importance of a tool.
Define your axes, define your rating scheme to be rough enough, but also sort of precise enough so that you can, you know, as of that, if you then spend hours on deciding whether it's three or five or three or eight, and you do something wrong, so you need to do it better than that and rather efficiently, but it definitely helps. And as of that, at the end, this is important to visualize, but the discussions to go there are really, really important and really helpful. And you can go deeper into detail. As I've said, spiders, you have a ton of dimensions you can use for a spider. When we look at it from a risk perspective, you could also do it more on a capability perspective. That's what we do in our Leadership Compass, it is usually eight core sets or core groups of capabilities.
And then we do it that way. And we work with these capabilities and we compare these capabilities. And this is which that helps you more in a one to one or between three, four, maybe five technologies or tools, but don't go over the top. So a spider with more than five, definitely isn't of any value anymore, because you don't see anything anymore in that spider. So spider works were always two, maybe with three, and then it gets more complicated. But again, at the end, the same approach to use here. So this is a little bit about methodology. We recommend to apply, which we use both in our research and in our advisory, and think that from our perspective, from our experience really help in setting focus. And that's what it's about. How can we understand that we have the right focus and you know, one of the outcomes also of these discussions is at the end of the day, when you do that, you have some sort of, as I said, you have some sort of agreement which you then can build on which, where you start to speak more in a joint language and where at least everyone has understood why you do things, certain things.
This is I think the important point to understand here, but it's not just tools at the end of the day, to get better in what you're doing and reducing the number of technologies. It's also important to look at the entire sort of cybersecurity posts or cybersecurity organization you have. So, and I think the complexity we are dealing with in cybersecurity, so we can say in identity, we have just these four pillars, administration, authentication, authorization, and auditing, or however we'd like to phrase it. Here we have at least seven things. So we have identify, prepare, detect, protect, respond, recover, improve, or protect, detect, whichever order you'd like to take. And we have tools that serve one, or maybe they span a couple of areas. Sometimes they are focused very much from a certain area, but we not only have the tools, but we also have, we need to put processes in place.
We need to have the right processes and we need to have the right people. By the way, one of the sentences, I heard a couple of times during the conference, which is the human is the weakest link in cybersecurity. I don't believe in this sentence, this sentence is fundamentally wrong. The human is the most important element of cybersecurity and phrase it that way. Don't discourage your people, encourage your people. They are the most important ones because they are at the forefront of cybersecurity. They are your first line of defense. So really change it. And it starts with these people, everyone at the bottom here, everyone is involved. So everyone must be involved because everyone is. So everyone must be part of it because they are part of cybersecurity. This is I think, very, very important. And then yes, you have your SI security identity experts, and you have IT management at the end, even the board.
So prepare your board for board communication. If things go really wrong, because then they need to stand up and say, sorry, even though when you're not guilty, it always starts with, sorry, it's the best way to communicate in a crisis. So this is what you need to do, what you need to keep in mind. And so look beyond just the tool discussion, because the other side of the coin is there's this sentence with a fool with a tool and so on. So if it's just a tool, it doesn't help you at all without the right framework. So having said this, take a structured approach. Oh, by the way, one of the other things I don't agree with, I just recently read, oh, plan build run is the past. It's that in an agile world? No, it's not really, really true. Even in an agile world, you need some planning.
Otherwise you end up in chaos and you just do it at shorter cycles, but in some way and more integrated maybe, but you do it. You do it continuously in operations, you do it agile and implementation. You do it stable in architecture. This is important that you can do the other things. If you don't have a stable architecture, you'll fail in trial and you do it. Long-term strategic at a strategy level. This is how these things, and don't forget the improve part. Learn from what you did, whether it has been successful or not. So overall you need to take a structured approach. This also is important for selecting cyber security tools and everything you do. So what do you want to achieve? Because the rating you give, the metrics you use, the measurements for tools depend on what you do want to achieve.
Where's your business heading and a technology that might have been great for a world where everything worked in the office three years ago might not be the best technology for a world where people work from somewhere and where you in the US, we have this great resignation thing where they not even might be part of your organization in that sense of an employee anymore. Then it looks very different. And then maybe the VPN has a very different role. It might not be the right tool for a new world anymore. Out of that, if you trust this VPN, it's not zero trust by the way.
So you need to understand your targets. You need to align the different areas, you need to disseminate, by the way, also very important. Explain things, talk about it. Why do you do it? Take people with you, disseminate transfer things when it's about architecture, etcetera, and Warwick, and this is something you also need to do. We don't have the time to go into it in the very detail of this slide, with all the boxes, et cetera. But at the end, you really need to start with where's my business heading, which architecture do I need for cyber security? And zero trust is probably the most important guiding principle here. When it's about cybersecurity, it's about how do you implement it? How do you get it run? And how do you customize it? How do you configure it? And how do you, and last at least how do you operate it?
What is your target operating model? This goes back to what Mike talked about before. Mike talked about also, who takes which responsibility, who takes which role, or Dr. Faba talked in his keynote about shared responsibilities. You need to do these things properly. You need to work on that, and then you can put this, so to speak, into more detail. What do you do here? You, for instance, for agile, you must understand your environments. You must implement tools. You must run them for continuous operation. You need to build your breaking model. You need to have the organizational setup. You need to continuously measure risks, risk mitigation, efficiency, KPIs, and KRIs. I had a talk about this yesterday, which will be online probably soon as a video where our systems slides are well. So do all these steps and define your target operating model.
Yeah. So having that all set, optimized your suite of tools. You also need to take care of how to run your overall cybersecurity landscape. So all the tools, what is there, what do you need? And currently we are working in some projects where we optimize target operating models. This is just an example and short outline of something like that. So you have different main categories, like for instance, the strategy of your IT service organization. You need some service design, service transition, because IT security, IT service portfolio is always changing and you can do exactly what we shared. So the optimization part can do this as part of your overall target operating model. So you need to take care of this, whether this is done by internals, externals, expert, whatever you need to take care of this before. And then for sure, also an important part here is the bottom, the service operation and the detailed roles here are mostly based on the it stuff. What we added is really the additional layer of structure. Also the different lanes, which help you to build it up a little bit more efficiently. This is based on the target operating model we created for identity and access management, but really especially specialized specified for bigger IT security organizations
And IDM just the recommendation, take a structured approach for everything you do. So once you start saying, okay, this is the tool I need, then do it, right? What are your priorities? This is the high level, the strategy thing. And then when you go into the tools, understand your requirements and by building an RFI and RFP, right? It means you think a lot about requirements and building these requirements list is not an easy task. I do it quite regularly for a leadership compass, and that really takes some time to build a good questionnaire here with a hundred, couple of hundreds of lines in Excel. Very, very much appreciated by the vendors, always when they receive my questionnaires. Yeah, you need to have a long list and a short list. So do a high level. That's where some of them as little helping, going from a long list of vendors to a short list of vendors, assess them and analyze them and do a POC always before you make a decision. That's it. Thank you.