Redefining CyberSecurity

Empowering Businesses Through IT and Security Transformation | A Brand Story Conversation From RSA Conference 2024 | An Open Systems Story with Tim Roddy | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Discover insights from a conversation with Tim Roddy from Open Systems on business transformation, IT security, and collaboration at the RSA Conference.

Episode Notes

In a world where businesses are constantly evolving and facing new challenges in cybersecurity and IT infrastructure, the importance of collaboration between IT and security teams has never been more critical. At the recent RSA Conference, Sean Martin had the opportunity to sit down with Tim Roddy from Open Systems to talk about the topics of business transformation, IT security, and the necessity of aligning IT and security initiatives for a more secure and efficient operation.

Business and IT Transformation in the Digital Age

The conversation kicked off discussing the challenges that businesses face in a rapidly changing digital landscape. Tim highlighted the need for businesses to adapt to transformations driven by factors like remote work, cloud migrations, and evolving business requirements. With threats constantly looming, the alignment of business processes, IT functions, and security measures becomes paramount to staying ahead of the curve.

Zero Trust Network Access (ZTNA) - A Game-Changer in Connectivity and Security

One of the key topics discussed was the concept of Zero Trust Network Access (ZTNA) and its impact on network security. Tim shed light on the importance of implementing ZTNA to ensure secure and controlled access to critical applications and data. By deploying ZTNA, organizations can limit access to authorized personnel only, thereby reducing the risk of unauthorized access and potential data breaches.

Bridging the Gap Between IT and Security Teams

Tim emphasized the need for organizations to bridge the gap between IT and security teams, especially in smaller enterprises where resources are limited. By offering managed services like SASE (Secure Access Service Edge), Open Systems enables organizations to focus on core business activities while ensuring that IT and security functions are efficiently managed and monitored.

Real-World Use Cases and Success Stories

Throughout the conversation, Tim shared insightful examples of how Open Systems has helped businesses, particularly in the manufacturing sector, enhance their security posture and IT infrastructure. From implementing ZTNA for secure access to critical equipment to transitioning from MPLS to SD-WAN for cost efficiency and flexibility, Open Systems has been instrumental in driving IT and security transformations for organizations of all sizes.

Looking Towards a Secure Future

As businesses continue to navigate the complexities of modern cybersecurity challenges, the role of providers like Open Systems in guiding organizations towards a more secure and efficient future becomes increasingly significant. By offering tailored solutions, expert guidance, and proactive monitoring, Open Systems stands as a valuable partner in the journey towards robust IT and security operations.

This conversation with Tim Roddy from Open Systems highlighted the critical need for businesses to prioritize IT and security transformation in today's digital landscape. By embracing collaboration, deploying innovative solutions like ZTNA, and relying on trusted partners for managed services, organizations can navigate the complexities of cybersecurity with confidence and efficiency.

Reach out to Open Systems to learn more about their comprehensive IT and security solutions and embark on a transformative journey towards a more secure and resilient business infrastructure.

Learn more about Open Systems: https://itspm.ag/opensystems-d11

Note: This story contains promotional content.

Guest: Tim Roddy, Vice President Marketing, Open Systems [@RealOpenSystems]

On LinkedIn | https://www.linkedin.com/in/troddy/

Resources

Learn more and catch more stories from Open Systems: https://www.itspmagazine.com/directory/open-systems

View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Hello everybody, you're very welcome to an On Location episode coming to you from RSA Conference, this is Sean Martin, where I get to talk to loads of cool people about some cool things, all in the guise or in the spirit of helping businesses operate securely so we can actually generate and protect some revenue. 
 

And, uh, it's difficult to do that sometimes when, uh, when teams are moving around, tech stacks moving around, clouds are moving around, then business requirements are shifting. And of course the threats aren't standing still either. And in order to keep up with a lot of it, I'm actually hearing a lot of folks talking about, well, certainly business transformation, but a lot of IT transformation, security, teaming up with IT to transform some things in a better way.
 

I'm thrilled to have Tim Roddy with me from Open Systems. How are you, Tim?
 

[00:00:52] Tim Roddy: I'm good. Thanks for having us on the show here today.  
 

[00:00:54] Sean Martin: It's going to be fun. I'm excited to hear what, uh, what you're hearing as part of the conference. But even more so, what some of the conversations you're having with customers are. 
 

But before we do that, maybe a quick word about what you're up to.  
 

[00:01:08] Tim Roddy: Sure. So I'm Vice President of Marketing at Open Systems. Been here about a year and a half. Been in the security 20 years now. Spent a lot of it at Secure Computing, which then became part of McAfee. And built out the web security gateway product line, um, and moved it all into the cloud.

That's now, uh, part of what is known as, uh, Sky, Skyhigh, uh, Security. Uh, things that get moved and changed names in this industry, which of course happens all the time in the blink of an eye sometimes it seems.
 

[00:01:36] Sean Martin: Yeah, and analysts have their own terms for a lot of this stuff.  
 

[00:01:40] Tim Roddy: Oh, they as well, they do as well. 
 

We keep changing that, so.  
 

[00:01:43] Sean Martin: Keep everybody on their toes. We don't have enough to deal with. So, I want to talk to you a bit about, um, so there's no question, we, we had a forced transformation, uh, a few years back. And then we have, I see a lot of transformation from a business perspective. And I've been talking to some CISOs and I, I was asking them, have you seen much transformation beyond business processes and, and the drag from, from that from IT to actually pull in security to have transformation as well?

And a lot of them were saying, I think, not enough. We need, we need more in terms of better collaboration with IT and security to really transform things in a better way, where we kind of get ahead of some of the things and enable the business to operate more effectively. What are some of the things you're hearing in that respect?
 

[00:02:35] Tim Roddy: Well, I totally agree with that, that statement and that experience, and we've lived it over the years, even before COVID. Um, ten years ago, people started talking about shadow IT, which was the business bringing up and buying applications, cloud applications from new cloud vendors to run the business, and never telling the networking people and security people about that, even though they all end up reporting into the, the head of IT, right?
 

The CIO. That is, that's the norm. It's not the exception. And then within the networking and security part, if the company's big enough, they're not talking to each other enough necessarily as well. So you now have gone well past that. That's the critical point, uh, where, especially the forced acceleration that occurred during COVID, where everyone was working remotely, right, and everyone went out and spent money. 
 

We're going to get Zoom licenses, we're going to get more VPNs, and we just got to connect people, right? Because at the end of the day, the business imperative is let's be productive. We got to connect them. If you can't get to, to where your asset is, or your, your data, you can't get your job done. If it's a manufacturing plant, the manufacturing facility shuts down. 
 

You can't have that. There's no revenue. So that takes priority. But then security is like, well, how is that going to work with it? Right? So you can't necessarily keep up with it. So we're now at a point where we're seeing network transformation to support those business realities of data being located in all these different clouds. 
 

People are spending time trying to figure out how many different cloud apps do they have. Surveys show, you know, probably 30 percent of the ones they have, they don't even know about. Because people go out and buy five user licenses here and there, but there's important data for the organization that's there. 
 

Is it properly protected? Does it meet compliance requirements? Do you use two factor authentication? And they're like, I don't know, I just needed to get my job done, right? I just went off and did it. Um, people buy, uh, suites from, you know, Google or Microsoft. You've got all these other products that are there, and you're, it's part of your E5 license, for example, from Microsoft. 
 

And then some people start using them. Other people look at the dashboard, don't even know what they are, and they don't use them. So, this gets out of control. So, transformation has to be understanding what's being used, how are we going to secure it, and how are we going to connect to it. Because the old networks of hub and spoke, where you had everybody in the office and you had a firewall protecting everything, because all the assets were there, doesn't work anymore when the assets aren't there anymore. 
 

They're out in a variety of different clouds, public and private.  
 

[00:04:58] Sean Martin: So, tell me about some of the organizations that you work with. You have a very consultative and service based engagement model. And, so I think, my guess is a lot of them don't have huge teams. Don't have a lot of the skills and a lot of the knowledge to operate a mature program. 
 

So they probably look to you to help with that. So how does that change, um, kind of the point of the CIO and the CSO? They may, they may only have. Probably not the CISO.  
 

[00:05:36] Tim Roddy: Right. Um, no, that's absolutely true. So, first of all, when you're looking at consolidating or reworking networking and security, you've got two different groups there you've got to work with. 
 

The networking people and the security people, who eventually may all report to the same person, but the higher up you get are not paying attention to the details. Um, throughout the entire market, you have, uh, individuals at the highest end, the largest organizations who have no problem hiring and keeping networking and security staff.

But as you move down to smaller size, mid size and small enterprises, and our target market is around 1,000 users to 25,000 employee organizations, what we call small enterprise and mid market. They feel very sharply the cyber security and just IT technology employee shortfall that exists worldwide. You just can't find people.
 

And if you are a skilled person in IT and security and you want to work for a company as opposed to a vendor creating security products, you're going to go to the Fortune 500s because you got a great career path there and a great name to work for and benefits and everything. So it's harder for the 5, organization, personal organization to hire and keep people. 
 

The ones they do have, they want to deploy them on running the business, enabling the business so that it's, it works properly, you know, applications are integrated and smooth business processes. They don't want to spend them on security, so that's where managed services come into play. And we offer our SASE or ZTE services purely as a service.
 

If you want to do it yourself, hands on keyboard, you can do that, but not with us. So that's how we address that issue, that of, you know, not having enough people to work and manage the solutions. Right.  
 

[00:07:19] Sean Martin: So are there, I don't know if the right word is misnomer or misunderstandings, where they might buy one or a collection or a suite of technologies that enable the business and have an expectation that security is built in or have an expectation that security is being managed by the organization that provides those products like office suites in the cloud, for example.

Right. Talk to me a little bit about that. Where are they, misnomer, I think, is probably the right word, where they might think something should be, and it's really not.
 

[00:07:55] Tim Roddy: Well, you buy, you buy some, you know, well known cloud based business solutions, whether they be office suites from the Googles and the Microsofts, or CRM systems. 
 

You know, they'll, they'll tell you, you know, you have, you're going to set up, um, a hierarchy of who can get to what. Salespeople can only do certain things, who gets to do the reporting, who can edit everything. That is security by, to some degree, how you design it. We're going to enforce two factor authentication, and we're going to integrate into an IAM provider.

Who is it that you want to use? All the major ones, whether it be Microsoft, Okta, Ping, etc. You're going to support. That's scratching the surface of it. They're not going to scan for his data being sent the wrong place, right? If a salesperson all of a sudden is downloading his customer list, that's not a good sign.

He may be resigning the next day or something like that. So that's where you have to have a security view of the entire thing from a web security standpoint, a data leakage protection standpoint. And those companies that make those applications, their job is to make an application that enables business use cases, not secure the thing and make it hard to get to some of the data.
 

Right? Right. So.  
 

[00:08:59] Sean Martin: So how do you, how do you balance that? Because I'm sure a lot of organizations think just that. That once we apply security layers and lock things down and put controls in place, it's going to be harder for users to access. It's going to be harder to work with our partners. It's going to be harder to close transactions.
 

[00:09:17] Tim Roddy: And the C Suite is about how fast can we move and how can we be a good partner to get things done. Not put blockades in the way. People get annoyed with two factor authentication. People write down passwords. They use the same password. We've trained them ad nauseam on that. We do it anyway, right? So, and you hear about the hacks sometimes.
 

You just kind of shake your head on what some people have done. Never change their login password from admin, right? Something like that. So, um, we work consultatively with organizations because we do the implementations and we, you know, we sit down with them and say, what is it you're trying to do for your transformation? 
 

We're not doing this overnight. It's going to take years, right? We're going to change the network first or we're going to change the security service part of it. But we have to have a vision of where you want to be and we'll help you through that. Who are the partners that you've got? What are the applications you're using? 
 

If you want to put ZTNA in place and get rid of your VPNs, what applications are you using? We have to know that.  
 

[00:10:09] Sean Martin: Tell me about that scenario. Because maybe, maybe organizations, security teams have heard others do that, right? Right. To ZTNA. They don't quite understand what that means. Right. Can you paint a picture for them?
 

[00:10:23] Tim Roddy: Right. So, right now users, especially remote users, would typically, if they're going to get to private apps, especially applications you've created yourself and you've got running in your own data centers, okay? Right. That's something DeGroote created, and once again, IT created them, and security probably doesn't even know about them, right? 
 

Um, they may not be in a typical HTTP protocol, so they could be using UDP or something like that, right? So those users know, if I hook up to the VPN, connect to that firewall, I can get in, I'm in the network. I can run around as if I'm in the office and get to everything. You want to go to ZTNA, you want to put a policy enforcement point in front of every single one of those applications. 
 

So if you're going to transition that, the first thing you want to do is take your web security logs, if you're going through a web gateway on premise there, let's run a report and see what people are going to. Okay, take away all the public stuff. They went to CNN.com, they went to their local newspaper, they went to Weather.com, they went to their bank.

Get rid of all that stuff, that's fine. Okay? Now look at all the other applications. You can come up with a list of, oh yeah, we know we use Salesforce, we know we use this, we know we use that. Great. What are all the other ones that are unnamed? Then you've got to start doing a little work and research what they are.
 

You may know some well known ones that are internal, but what people are always worried about is if I turn off that VPN, I think I've done Zero Trust Network Access, and all of a sudden there's some guy who's going to some app we didn't even know about and now can't get there. So you end up leaving on the VPN. 
 

And so they can use that. And sometimes they make me quiet about it and we'll keep that running for a while. And you've got not gotten over the chasm to completely getting out of that, that business. Because the VPNs mean you got to maintain them, you got to do the upgrades, you got to update the hardware, it's going to go end of life, you need to buy another capital equipment purchase. 
 

All that goes away when you get a service for zero trust network access. And it's getting through that last 80 percent of anything's pretty easy. It's that last 20 percent the hard part, you know.  
 

So I presume you help them do that last 20%? We do. We have to work with them. It's, you know, it's, it's, that's the harder work.

You know, it's like you guys got to spend some time, the customer, you got to help us out because you don't want to just let any vendor come around your organization typically, right? So you do a consulting project, you have a, you have a way of implementing, you want to do it quickly and for a defined price and cost and walk through, walk through these things.
 

One of the biggest hazards for that are things that will slow it down is trying to figure out exactly what applications they've got. And there's always that worry, did we get them all? It's like when an organization decides, they've been around for a while, decides to clean up their Active Directory list. 
 

You know, they're like, why do we have all these things? Well, one way to do it is turn them off. You can turn them off, you'll find out real quick. You know, depending on how big the organization is, how critical it is, maybe, you know, you do turn them off and see who screams. Right? So, because we did them five years ago for a reason and those people aren't even here anymore.
 

[00:13:15] Sean Martin: Right. Right. So how, we start a transformation, we get 80%, we get the last, the last mile, 20%. Yeah. Now what? It's not a set and forget it, is it?  
 

[00:13:28] Tim Roddy: Oh, no. Well, we're going to run it for you in our case. Right. Okay? Uh, if you're doing it yourself, you are going to have to maintain it. Which is, resources have to spend time on it, right, to do that. 
 

So it does have to be, you stay on top of it. And then you have to monitor it to make sure it's working properly. You're not getting people getting logged out. If someone says, I can't get to something, why? You've got to triage that. So that's all part of that. You were trying to do that with a VPN. You've now gone to a managed service provider, like us, taking care of it. 
 

In our case, with our own tech stack. We're going to monitor those things proactively as well. Um, and make sure, and look and see, Are we seeing any changes in behavior? You can also see some anomalous behavior where you think maybe someone's a password issue or something like that, right, from a security standpoint. 
 

But if you're using two factor, you're going to eliminate most of that problem anyway, right? Because the attacker's not going to have access to your phone token, so. So  
 

[00:14:18] Sean Martin: what are, give me some customer stories of outcomes. Where have they made huge strides in IT transformation? Security built in by design from the start. 
 

Right. With your support, getting it rolling and managed.  
 

[00:14:35] Tim Roddy: Well, we see, we see examples, for example, we have a lot of customers in the manufacturing area. Okay. Manufacturers have plants with automated equipment. That equipment, some of it can be quite old, now has controllers in front of them that are digital. 
 

So they can't be firewalled off from the network anymore, because you have to be able to get into them to handle the controllers, those upgraded digital controllers. So, uh, use cases are putting zero trust network access in to only let people get into those controllers that are allowed to. Small handful of people, maybe some external contractors.

So when we do a ZTNA for IT, we oftentimes, if they're a manufacturer, do it for OT as well. We like having the same solution and we've got control and somebody really knows what they're doing. 'Cause the manufacturing people, they're about manufacturing, they don't know the security necessarily. They may not even ever worry about it because if you were firewalled off within DMZ, no one could even get to your plants.

You don't have to worry about a lot of things. Right? So, and the devices weren't connected together. The last thing you want now is someone getting in with multiple digital devices. The next thing, you know, you can take everything down. Because if it's a process manufacturer or even a widget manufacturer of piece parts, you're out of business in production.
 

And you never, once that time's gone, you never get that back. Right?  
 

[00:15:51] Sean Martin: Are you seeing, um, are you seeing cases where, especially in the mid market, they're often times suppliers to other organizations.
 

[00:16:02] Tim Roddy: They'll supply much bigger companies, Fortune 500s, yeah.  
 

[00:16:04] Sean Martin: Exactly. So are you seeing a push for some of the large organizations that they're doing business with, asking them to demonstrate their posture and  
 

[00:16:16] Tim Roddy: You get into SOC compliance and all those kinds of compliance, which varies by country and everything else. 
 

Right. Um, and they like knowing the provider has process, us in our case, managing it. We've got those certifications in place as well, that we're following processes on things like change control and upgrades and all, all of that. So absolutely, they're having stuff flow down. And at the federal government level, you're seeing big contractors, defense contractors having to comply with CISA directors for getting to zero trust. 
 

Because they don't want some of the issues that you see when you meet them at some big software firms where, you know, they've, they've had their code compromised and what have you and then that gets sold off to hundreds and thousands of organizations using it. You've got an enormous problem at hand.

[00:17:00] Sean Martin: So do you, you support organizations that provide service and products to public entities?
 

[00:17:09] Tim Roddy: Sure, we have, you know, we have some manufacturers that make automobile parts. They make military parts, things like that, that get into, right, get into much bigger systems. We may not even know what they are, but they want to know that we have got our certifications, and they're working towards their certifications, because there's a whole documentation tree for that.
 

Flows down, right? 
 

[00:17:32] Sean Martin: Time for one more story. Outside of manufacturing, any other examples? 
 

[00:17:39] Tim Roddy: Yeah, I mean, it's MPLS is still, you know, a third to 40% of the world steer still is on MPLS. Okay? There's still a lot to be moved there to, to get to using the internet as your backbone and having, um, you know, these smart points of presence that aren't necessarily managed by Telco. Um, but we partner with the telcos in terms of running these sound, and then we run that SD-WAN for them, and you do it.
 

The, the use case there is to reduce costs and be more flexible, right? Because you can bring up a site very quickly. A lot of organizations that'll get off MPLS will still keep it around in small amounts. They want it as a backup. They want to connect a critical plant to a corporate entity or a critical branch office on one side of a continent or a country to the corporate office.

So, they still have those use cases, but it's dramatic reduction in it. You know, we're still years and years away from MPLS going completely away. It's still a multi billion dollar, you know, industry there. It's evolving and you need the SD-WAN to get to an environment that is SASE. You're not going to do SASE if you're on MPLS.
 

Because you'd be routing everything back to corporate, and back to the cloud, and back again. Too many hops. You want to reduce the hops. You want to be as close, the user as close to the data as possible, while still enforcing secure policy access.  
 

[00:18:57] Sean Martin: Simplicity, at least it doesn't make security harder.  
 

[00:19:01] Tim Roddy: Right. 
 

You don't want to make it hard, but you've got to make it reliable, and you know, and you want secure connectivity, not just connectivity. That is a good user experience, and we talk about SASE experience, SASE experience. Because we want to be a great experience for the user, the organization that buys it, and that keeps them as a customer if they have a great experience. 
 

[00:19:21] Sean Martin: Fantastic. Well, Tim, it's been a pleasure chatting with you. Likewise, enjoyed it. Thanks. Hope you have a good rest of the week at RSA Conference, some good conversations, and thanks for helping the mid sized enterprise and mid sized market.  
 

[00:19:38] Tim Roddy: Well, we enjoy it. We look forward to talking to the folks listening and hopefully, uh, you know, discussing with us their needs. 
 

Thank you.  
 

[00:19:44] Sean Martin: Absolutely. Be sure to check, uh, out Open Systems on, uh, ITSP Magazine. Connect with Tim, Tim Roddy, and, uh, I'll put links to all that so you can, you can meet with the team, learn more, and, and get some help as you, as you transform your network and secure it along the way. So, thanks everybody listening. 
 

Thanks, Tim, for joining. Catch you on the next one. Thank you.