What does it truly mean to "never trust, always verify"? In this episode of Tech Talks Daily, I'm joined by John Kindervag, Chief Evangelist at Illumio and the pioneer of the Zero Trust approach to cybersecurity. With cyber threats evolving at an unprecedented rate, John argues that Zero Trust is no longer optional for organisations moving to cloud-based environments—it's a necessity.
John explains why the traditional trust-based approach to cybersecurity is obsolete and shares actionable insights on adopting a Zero Trust strategy. He highlights the critical steps in implementing Zero Trust, emphasizing the importance of starting small with Protect Surfaces and flow maps to create manageable, effective security policies. Through real-world examples, he demonstrates how organisations have reduced their attack surfaces by up to 90% by embracing this model.
We also explore common pitfalls, such as attempting to implement Zero Trust all at once, and how incremental changes can set the stage for long-term success. John sheds light on how Zero Trust dramatically enhances an organisation's resilience against cyberattacks, providing continuous monitoring and automated policies to safeguard critical assets in an increasingly cloud-driven world.
How can organisations move beyond outdated approaches to cybersecurity and embrace the transformative power of Zero Trust? Are you ready to take the first steps toward securing your digital future? Tune in to this essential conversation with John Kindervag, and let us know your thoughts!
[00:00:04] How has cybersecurity evolved to prioritize data protection in our increasingly digital world?
[00:00:12] Well today I'm honored to have John Kindervag on the podcast. He's the creator of the Zero Trust
[00:00:17] cybersecurity model and also a key figure at Illumio. So nearly 15 years ago John challenged
[00:00:25] the established trust paradigms within network security igniting a shift to a more secure
[00:00:31] and reliable framework. But what inspired the inception of Zero Trust? And how has its
[00:00:40] implementation progressed over the years? With more and more organizations adopting this rigorous
[00:00:46] approach I want to explore the beginnings of Zero Trust, its gradual acceptance in the cybersecurity
[00:00:52] community to its potential future enhancements with AI and machine learning technologies. But enough
[00:01:00] scene setting from me. I'm going to take your ears all the way to Dallas, Texas where John is waiting
[00:01:06] to share his incredibly powerful story. So a massive warm welcome to the show. Can you tell everyone
[00:01:13] listening a little about who you are and what you do? Well I'm John Kindervag. I am the Chief Evangelist
[00:01:20] at Illumio which is a company that specializes in Zero Trust segmentation for, you know, being networks and systems. And I'm also the creator of Zero Trust which is a cybersecurity strategy that's become a big global movement. So those are the things that I focus on right now.
[00:01:45] Wow. So the question I've got to begin with of course there is, how did the concept of Zero Trust originate? And what would you say are some of the key challenges you faced in convincing the industry of its importance? I suspect it's quite a ride that you've been on with that.
[00:02:02] Yeah, it came out of me installing firewalls at the turn of the century when I was confronted by this kind of artificial trust model where we said everything inside on the internal network or inside the firewall is trusted and everything outside of it external network is untrusted. And you didn't need to have a policy, a firewall rule to go from the inside of the network to the outside.
[00:02:30] Because that's how the trust model worked. And so you gave the internal network a trust level of 100, the external network a trust level of zero, and all the other networks that you would have would have varying trust levels between one and 99. And that determined policy.
[00:02:50] And I thought that was silly because if somebody gets access to the internal network, there's nothing that keeps them from exfiltrating data.
[00:03:01] And I started to say that all firewalls, it started with firewalls, should have a trust level of zero, right?
[00:03:10] I mean, the trust level should be zero for everything. You should treat every packet the same.
[00:03:13] And when I got to Forrester Research in 2008, it let me start doing research on that. I did two years of primary research, built some prototype zero trust environments based upon these concepts.
[00:03:27] And it's taken 14 years to get mainstream. I mean, there's a lot of fighting on this. It's interesting how many people just don't like change and they don't like new ideas.
[00:03:40] And so I can't tell you how many times I've heard people say, well, that's not the way we've always done it.
[00:03:46] And I would say, well, the way we've always done it isn't working. So why don't we look at some different alternatives?
[00:03:52] And I had no idea that it would become such a global group. I had no idea that the President of the United States would issue an executive order mandating that federal agencies adopt zero trust in 2021, 11 years later.
[00:04:09] I had no idea any of these things were happening. It was just another piece of research that I was doing.
[00:04:15] And I did a lot of different research when I was at Forrester.
[00:04:19] Wow. What an incredible story. And I'm curious, looking back, in what ways have you seen cybersecurity evolve since you first introduced zero trust?
[00:04:28] And do you still believe the traditional trust-based approach is obsolete? I think there's an easy answer to that. But how have you seen it all evolve?
[00:04:36] Oh, yeah. Well, I mean, I've seen it evolve in that people are starting to understand the concept, right?
[00:04:44] Yeah.
[00:04:44] We're so in love with this word trust, but no one thinks about what its meaning is. And trust is a human emotion. Why are human emotions embedded into digital systems?
[00:04:54] And that was my fundamental question because I knew it wasn't going to work. And so, there's been a big movement globally. I travel around the world talking about this and designing zero trust environments.
[00:05:11] And I get to meet with a lot of high-level leaders. So, generals and admirals and government officials and CEOs. And I think that that's the thing that is most surprising to me is how well this story resonates to strategic leaders.
[00:05:33] And in fact, what I've found is it's easier to talk about this concept to somebody who's a leader, a business leader, a military leader, a government official, than it is to talk to a lot of traditional network and security people who are so entrenched with legacy ways of thinking.
[00:05:55] And just to ensure we don't leave anybody behind here, if they're people outside the tech space, can you just briefly explain the core principles behind this never trust, always verify approach and how this philosophy has fundamentally changed the way organizations are approaching security?
[00:06:14] Yeah. Zero trust is a cybersecurity strategy, right? You don't buy it. You do it.
[00:06:21] But it's a strategy designed to do two things. It's designed to stop data breaches. And a data breach isn't when somebody gets into our network. That's not a breach. We used to call that a breach in cybersecurity, but things like GDPR, for example, have redefined that. So, a breach always means the data that is sensitive or regulated has been exfiltrated, left our networks or systems, and gotten into the hands of a malicious actor.
[00:06:50] And the second thing it does is it makes other cybersecurity attacks unsuccessful because it defines policy much more tightly and much more granularly. And so, it's much harder for an attack to be successful. And it does this by eliminating this trust model that I just mentioned. That trust model is always a bad thing. Trust is a four-letter word in my world.
[00:07:16] And so, once people start to understand that they can implement the correct technologies and policies that allow the right people the right access to the right data at the right time.
[00:07:29] And traditionally, we just allowed everybody who had a credential to get access to everything. And that has been a disaster for our world. And so, when we look at these big data breaches, I tell people this all the time.
[00:07:43] We, in technology, we look at these big data breaches. And so, real people are being damaged because of our lax security policies.
[00:08:09] And in the early days of zero trust, I know many organizations struggled with the idea of implementing zero trust all at once.
[00:08:18] So, obviously, many years later, are there any steps that you think businesses should take to maybe gradually transition to a zero trust model so they don't have that feeling of being overwhelmed?
[00:08:30] Yeah. One of the great gifts that I had was for the first five or six years of zero trust. I was really the only person in the world or one of the few people designing and overseeing the implementation of zero trust environments.
[00:08:46] So, I got to make a lot of mistakes and learn from them and then document them to make sure that other people didn't do that.
[00:08:54] So, the number one thing is trying to do it all at once. It's like remodeling a house, which I'm in the middle of right now. You can't do it all at once, right?
[00:09:02] Unless you have 800 friends who will come over for a weekend like one of those television shows that we used to see where people would remodel a house, right?
[00:09:11] And you do it one room at a time. You do it one phase in the room at a time.
[00:09:17] And so, I developed a five-step model for implementing zero trust, a methodology, if you will.
[00:09:27] And it's very simple. Step one, you define the protect surface. What do you need to protect?
[00:09:32] So, instead of worrying about the whole attack surface, I can shrink the attack surface down orders of magnitude to something very, very small and easily known called a protect surface.
[00:09:43] Because I'm inverting the concept of attack surface into the concept of protect surface.
[00:09:48] Let's not focus on all the possible ways you can be attacked. Let's focus on what you need to protect.
[00:09:55] Until you know what you need to protect, you will not be able to do cybersecurity.
[00:10:00] There's just no way.
[00:10:02] And so, we do that in step one. Step two, we map the transactional flows, which is get visibility to how the system functions as a system.
[00:10:14] And that's a key thing. That's why I came to Illumio, really, is the transaction flow mapping capability to create the micro segments that define the micro perimeters around that.
[00:10:28] And that's step three, define the technology that we're going to use or architect the system.
[00:10:35] So, most people, we traditionally started with the architecture and then tried to fit how the system works into a preexisting architecture, which always failed.
[00:10:45] And so, we design or, since you're in the UK, I can use a good British word.
[00:10:51] Every zero trust environment is bespoke for the protect surface, the thing that's protected.
[00:10:59] And that's a thing that people are starting to understand.
[00:11:02] Oh, I should design the system for the thing we're actually protecting.
[00:11:07] And step four is to create the policy.
[00:11:11] Zero trust is a set of granular allow rules.
[00:11:14] We used to play whack-a-mole, and most people still play whack-a-mole against the attackers and against the bad things.
[00:11:21] And they start to deny this, deny this, deny this.
[00:11:24] So, they allow everything and then start to deny it.
[00:11:27] And zero trust, again, inverts that principle.
[00:11:31] It denies everything and then it just turns on allow rules for the things that you need to allow access to the appropriate.
[00:11:41] The appropriate user is getting access to the appropriate resources at the appropriate time.
[00:11:46] And the reason this is important is that all bad things happen inside of an allow rule.
[00:11:52] If an organization has a data breach or a significant security event, there is a rule in place somewhere that allows it to happen.
[00:12:02] Unlike physical crime, where you can be a victim randomly of that crime, you're not a victim of cybercrime.
[00:12:12] You are at best an unwitting co-conspirator because you have policies in place that allow the bad thing to happen.
[00:12:21] And that's what I'm trying to help people understand is that they have to be much more prescriptive in their policies.
[00:12:29] And there's no easy button in cybersecurity.
[00:12:32] People complain that it's hard.
[00:12:34] And if they do that, like when I'm doing a speech or workshop, I just say, yeah, get a different job.
[00:12:39] Right?
[00:12:39] Don't complain to me it's hard.
[00:12:41] You've chosen this career.
[00:12:42] Of course it's hard.
[00:12:43] There's a lot of things that are hard.
[00:12:45] Being a police officer or being in the military are hard things.
[00:12:50] And cybersecurity is the third of the adversarial businesses.
[00:12:57] Military, law enforcement, cybersecurity, all adversarial businesses.
[00:13:02] So, of course, they're going to be hard.
[00:13:04] So, you have to have a different mindset.
[00:13:07] You have to have a much more aggressive mindset than we have now.
[00:13:10] We're very passive.
[00:13:11] We need to be more aggressive.
[00:13:12] And we need to have a more warrior-like mindset because we are in a cyber war.
[00:13:17] And we are directly connected to the world's most malicious actors.
[00:13:22] I just love your approach and that analogy of improving one room at a time.
[00:13:27] Certain food for thought for people listening around the world.
[00:13:30] And I'm curious, from everything you've seen, are there any real-world examples that you've seen of organizations successfully reducing their attack surfaces?
[00:13:38] Up to 90% I've been reading online using zero trust.
[00:13:42] And are there any lessons that others can learn from these use cases?
[00:13:47] Oh, yeah, absolutely.
[00:13:48] I mean, there's lots and lots of zero trust environments out in the world.
[00:13:52] I mean, I myself have worked on hundreds.
[00:13:57] And we still have a lot of people who aren't publicly documenting them in maybe the way we would like to so that we have more case studies that people can use.
[00:14:10] We have some of those that we're working on.
[00:14:14] But it's hard for a legal team and a public relations team to want to say, yeah, we're doing this.
[00:14:21] But, you know, the fact that, for example, every U.S. government agency has a zero trust program management office and a zero trust program manager assigned to it speaks volumes to how many zero trust environments are currently being built.
[00:14:42] The U.S. federal government is the largest IT system in the world by orders of magnitude.
[00:14:51] And they are the largest buyer of cybersecurity technology and the largest employer of cybersecurity professionals.
[00:15:00] So that should speak volumes to people about where the direction is going.
[00:15:08] On this podcast, I always try and ensure that everybody listening, regardless of their role and department at their end, has something that they can take away from our conversation today.
[00:15:18] So can I ask you to share with the listeners the role of identifying protect surfaces and the role that that plays in the initial stages of implementing zero trust?
[00:15:27] And where should organizations begin when creating effective flow maps?
[00:15:32] I understand that is probably a question big enough for an episode in its entirety.
[00:15:36] But can you offer a bit of an overview on that, too?
[00:15:40] Yeah, I mean, step one and step two can be tied together in a lot of cases when you're doing the work.
[00:15:46] I mean, just using Illumio's technology as an example, because I work for Illumio and I came here for a specific reason.
[00:15:52] Right. I chose to come to Illumio because it has flow maps.
[00:15:58] And so as we look at the transaction flows of an application, we can see, oh, here's the database for the point of sale system.
[00:16:07] And that database we then know has PCI or credit card data.
[00:16:12] And so now we understand the protect surface.
[00:16:15] Right. We need to protect a DAS element, it's called.
[00:16:18] So DAS stands for data application asset or service.
[00:16:22] You put a single DAS element into a single protect surface and you build out your environment one protect surface at a time.
[00:16:29] And in this way, zero trust becomes three things that are really, really important.
[00:16:33] It becomes incremental.
[00:16:34] We're doing it one at a time.
[00:16:36] It becomes iterative.
[00:16:37] We're doing it one after another.
[00:16:38] So we're not overwhelmed.
[00:16:40] And it becomes non-disruptive.
[00:16:42] The most you can screw up is one protect surface.
[00:16:45] So you don't have to be afraid of it.
[00:16:46] We're so afraid of the bad thing that could possibly happen that we don't want to do the good thing.
[00:16:54] Right.
[00:16:55] So everybody is managing their own downside risk, we say, because they care more about that than they do making things better for their organization because they won't get kudos for making things better, but they'll get in trouble if something bad happens.
[00:17:13] So one friend of mine says that one oopsie negates a thousand attaboys.
[00:17:21] And I love that statement.
[00:17:22] I love that.
[00:17:24] I might have to borrow that one myself.
[00:17:27] With most businesses either moving to or thinking about migrating to the cloud or already there for many years, how does zero trust policy apply to cloud-based environments?
[00:17:40] And are there any specific challenges or considerations organizations should keep in mind when migrating to the cloud or having their business in the cloud?
[00:17:49] Well, you need to understand that the cloud is a hypervisor owned by somebody else.
[00:17:58] And you're still responsible for all the data that you put into the cloud, right?
[00:18:04] So when we were at Forrester, we called it the uneven handshake, meaning that there's a pretty uneven handshake.
[00:18:12] They are responsible for the infrastructure, but you are responsible for the security and just the act of putting data into these cloud environments.
[00:18:23] And so don't think that the cloud is natively more secure than anything else that you have.
[00:18:32] That is a big mistake.
[00:18:33] You still need to overlay cybersecurity in a zero trust manner in the cloud, but it's done the exact same way that it's done with on-premise technology.
[00:18:46] There's nothing different about zero trust.
[00:18:49] It's exactly the same no matter where the protect surface is located.
[00:18:53] You still follow the same five steps.
[00:18:55] Now, there might be differences in the controls, but that's no big deal at all, right?
[00:19:02] And so you have to just look at this in a much more holistic way and look at it from a mission objective.
[00:19:12] What are you trying to do?
[00:19:13] Well, I'm trying to secure data that's in the cloud.
[00:19:15] Okay, well, I need to do step one, step two, step three, step four, step five.
[00:19:21] But because I'm designing that in a bespoke way, I love that I get to say bespoke, because no one in the U.S. understands bespoke.
[00:19:30] But in a bespoke way to the protect surface, it's no problem.
[00:19:34] Okay, what controls are available to me in the public cloud?
[00:19:37] What controls are available to me through third-party technologies like Illumio in the public cloud?
[00:19:44] And in that way, I can build zero trust environments.
[00:19:48] And then a lot of the SaaS providers, which you can't control as the user of SaaS, are actually building zero trust into their SaaS services.
[00:19:59] So again, it's all going to kind of meet together under this larger banner of zero trust.
[00:20:07] And automation and continuous monitoring are also critical components of zero trust.
[00:20:12] Is there any advice you can offer organizations on how they can balance these elements to, yes, maintain robust security measures, but without introducing unnecessary complexity?
[00:20:23] It seems a bit of a balancing act.
[00:20:25] Would that be right?
[00:20:27] Well, yes.
[00:20:29] I mean, orchestration and automation are so important.
[00:20:31] And if I was given a speech, I would talk about that and I would use the movie The Imitation Game as an example, right?
[00:20:39] Because at Bletchley Park, Alan Turing was building a machine, right?
[00:20:45] This machine called the Bombe to decrypt Nazi Enigma codes.
[00:20:50] And in that movie, he says, what if only a machine can defeat another machine?
[00:20:55] And when I first heard that, it just knocked me on my seat.
[00:21:00] And I went, whoa, this is incredible, right?
[00:21:02] And so that's what we have to do is we have to build a machine to defeat a machine.
[00:21:09] And we have so many manual processes that get in the way, right?
[00:21:13] Hackers don't have change control.
[00:21:15] They don't have to get permission to try hacking you again.
[00:21:20] But we are so behind.
[00:21:21] Sometimes it takes days to mitigate something because everybody's got to be so worried about
[00:21:28] what if it's a false positive and what will happen if things go bad that we aren't automating fast enough.
[00:21:35] And this is the real advantage that we're going to have as defenders with AI and ML, right?
[00:21:43] Whatever those things ultimately become because we're at the birth pangs of that world.
[00:21:51] But everybody else is worried about, oh, the attackers are going to be able to build more sophisticated attacks.
[00:21:58] I'm like, no, man, we're going to be able to use these things to dissect the data in ways and at speeds that have been unthinkable in the past.
[00:22:10] And as a result, we'll be able to defeat these attackers in real time in ways that the attackers can't even imagine.
[00:22:24] If you have a zero trust environment and you understand that protect surface, because then we can change the game.
[00:22:32] One of the things that people who've done zero trust pretty deeply for a long period of time understand is they don't have to worry about the attacks that are happening anymore.
[00:22:42] They don't do much threat research because in general, there's no policy that allows an unknown asset coming from the public internet to get access to the protect surface and install unknown software.
[00:22:57] Right?
[00:22:57] That rule just doesn't exist.
[00:22:59] And so when we look at ransomware, you want to first cut command and control, right?
[00:23:07] Don't allow the ransomware to get the command and control server to even get access to the protect surface to do the malware drop.
[00:23:15] But if for some reason malware does get there, the next thing that it has to do is call the command and control server to set up that command and control channel.
[00:23:26] That's a great place to cut it.
[00:23:28] And most people aren't doing that.
[00:23:31] So you need then to have that protect surface segmented away using micro segmentation technology.
[00:23:37] So at least you contain the blast radius and the malware can't spread to other protect surfaces inside that environment.
[00:23:47] And as the man known for creating the revolutionary zero trust model of cybersecurity, you must hear and see many untruths about your creation over the years.
[00:23:58] So I'm going to give you an opportunity to lay a few of those to rest today.
[00:24:02] What are some of the most common misconceptions about zero trust that you encounter?
[00:24:07] How do you address them when advising organizations?
[00:24:12] Well, boy, I've written about this a lot.
[00:24:15] And I think we can probably link to an article I did recently about zero trust misconceptions.
[00:24:22] But the first one is we're going to make the system trusted.
[00:24:25] No, we're not.
[00:24:26] We're trying to eliminate trust.
[00:24:28] Like I said, trust is a four-letter word.
[00:24:30] I tell people who are doing zero trust to put a trust jar out in your office.
[00:24:35] And every time somebody uses the word trust in a good way as it relates to digital system, put, in your case, a pound in that trust jar.
[00:24:45] And by the end of the day, you'll be able to go to the pub for a beer.
[00:24:51] And because it's just something that it's a throwaway word.
[00:24:55] It's what's known as a plastic word.
[00:24:57] And we just use it without thinking about what it means.
[00:25:01] And so it has no business in digital systems.
[00:25:04] And the second thing that people think is zero trust is about identity.
[00:25:08] And the identity vendors jumped on the bandwagon really early because they wanted you to believe that you could take a single binary signal, the identity signal, and do everything with it.
[00:25:20] That would just solve all your problems.
[00:25:22] It was the universal easy button.
[00:25:24] And that's not true.
[00:25:25] And it's just one signal that we use to make an access control decision.
[00:25:33] But it's certainly very, very fungible.
[00:25:38] It's, if not fundamentally broken.
[00:25:40] But identity is one of those things that can always be gotten around.
[00:25:45] I mean, I don't care what you do.
[00:25:47] Biometrics, we know that in the OPM data breach in the US where information about everybody who had top secret clearances in the United States, when that data was stolen, it included digital representations to their fingerprints.
[00:26:03] So, yeah, you can't trust fingerprint readers, right?
[00:26:06] But other things can always be blood, even if you did blood things.
[00:26:12] Like in Mission Impossible 3, doesn't Tom Cruise prick his finger on the mountaintop, right?
[00:26:19] And so, yeah, well, you could, I'm sure he's shot a lot of blood.
[00:26:24] There's probably a lot of blood samples for whatever his character name is.
[00:26:29] I'm blanking on that.
[00:26:30] But so there's always ways to get around identity.
[00:26:34] There always have been.
[00:26:35] There always will be.
[00:26:35] It's just one of the signals.
[00:26:39] This packet is said to come from an identity named John; let's look at all the other signals to see if we can validate that so we can have confidence in making an allow access decision.
[00:26:56] And then the third thing is people think they can buy Zero Trust.
[00:27:00] And I'm sorry, you can't.
[00:27:01] You do it.
[00:27:02] There's no Zero Trust products.
[00:27:03] It's a system that you use to create, achieve a strategic goal.
[00:27:11] And then finally, people say Zero Trust is complicated.
[00:27:15] And I got a call from a very well-known cybersecurity professional.
[00:27:21] He asked me, John, why am I reading all this stuff that other people are writing and it sounds so complicated?
[00:27:27] I'm like, man, I have no idea.
[00:27:29] You've been doing this for as long as I have.
[00:27:32] Well, why do you think it is?
[00:27:33] And he says, well, I think that people think that if they make it sound complicated, they sound smarter.
[00:27:38] And I said, well, that may be true because I'm not smart enough to make it complicated.
[00:27:42] I got to make it simple enough for me to understand it.
[00:27:45] So I think simplicity is the goal.
[00:27:48] But it is very simple.
[00:27:50] Five steps.
[00:27:51] That's it.
[00:27:52] I mean, how much simpler could it be?
[00:27:54] I tried to make it three because when I was coming out of that, one of my bosses liked everything in threes.
[00:28:00] And as we delved down into it and said, yeah, no, I can't.
[00:28:04] Because of the way it actually works technologically, the slowest I can get it is three steps or five steps.
[00:28:12] And it was funny because then since that time, other people, we need to add the sixth step.
[00:28:19] And here's the seventh step.
[00:28:20] And here's the eighth and the tenth.
[00:28:21] And I read some article, the 28 steps to Zero Trust.
[00:28:26] I'm like, whoa.
[00:28:27] Well, of course, you would never do it then at all if it takes 28 steps.
[00:28:33] Love that.
[00:28:34] And I will link to your LinkedIn post about misconceptions.
[00:28:37] And speaking of your written work, I also came across a powerful series of posts from you stating that risk is danger.
[00:28:45] Is that something you can elaborate on?
[00:28:47] Because it's incredibly powerful stuff, right?
[00:28:50] Yeah.
[00:28:50] I mean, one of the things that happened to me is that my nephew, when he was four years old, got neuroblastoma cancer.
[00:29:01] And I know this is something that's very dear to you as well, that you have family experience with this.
[00:29:07] But it's a very dangerous thing.
[00:29:09] But his name was Stephen Danger, right?
[00:29:12] His middle name really is Danger.
[00:29:13] And I was looking at the probabilities of getting neuroblastoma cancer.
[00:29:20] And it's far less than 1%.
[00:29:22] I mean, it's almost impossible to get, right?
[00:29:26] And so, okay, that's weird.
[00:29:29] Starting to rethink probability theory in the real world.
[00:29:34] And then we were told that he had a 2% chance of survival, which meant that the chance of him dying, he had a 98% probability of dying.
[00:29:45] And he's still alive.
[00:29:47] He's 16 years old.
[00:29:48] As we're recording this, I'm going to his play tonight at his high school where he's a sophomore in high school.
[00:29:55] And it just made me completely rethink probability because we say in cybersecurity, risk equals probability times impact.
[00:30:04] And I know that we can't know what the impact is.
[00:30:09] No one, everybody underestimates the impact of a cybersecurity event.
[00:30:14] But what I realized is we could never define the probability.
[00:30:17] There are way too many variables, right?
[00:30:21] Nicholas Taleb in his book, Black Swan, he asked this question, how many sides does your die have?
[00:30:28] And he essentially says that you should imagine a die with an infinite number of sides.
[00:30:35] So when you roll the dice, you can get any answer, but you can never predict it because there's too many, right?
[00:30:43] It's just an infinite number of things.
[00:30:45] And so I said in a speech this week that we should move from risk management to danger management because when you change risk to danger, it becomes much more urgent.
[00:31:01] And so there is no way to define probability.
[00:31:05] Cyber attackers, they have proximity to us because of the internet.
[00:31:10] They have the potential to attack us because they have the capability and the tools and techniques.
[00:31:17] So therefore, an attack is always imminent.
[00:31:21] And imminence, when I was talking to my friends who've been in the military, been in combat, when something is imminent, then that's very dangerous.
[00:31:30] And so if we move from risk management to danger management, it just changes the way that you think about it.
[00:31:36] That's dangerous.
[00:31:37] Oh, well, I want to stop that from happening versus risky.
[00:31:41] Well, maybe, right?
[00:31:42] And so when we do risk management, most people, most companies, if mitigating a risk, which is what you should always do, if mitigating a risk costs money, then they'll accept it.
[00:31:55] And I think that that is unacceptable.
[00:31:57] And so we have way too much risk acceptance and not enough risk mitigation.
[00:32:03] So let's move towards finding the things that are dangerous in our environment because that's going to make us much more aggressive.
[00:32:10] And we'll feel that urgency to really go out and fight that good fight.
[00:32:19] We're in a cyber war.
[00:32:20] We've got to fight it.
[00:32:20] We have to have the will and the desire to fight our attackers and not just sit back passively and wait for bad things to happen.
[00:32:29] Such a powerful story.
[00:32:31] And I love how some good has come from this and how it has led you to that taking across to cybersecurity.
[00:32:36] As you said, I lost my daughter to neuroblastoma a long time ago.
[00:32:41] And we are talking about probability there.
[00:32:43] My son was diagnosed with pleuropulmonary blastoma when he was two.
[00:32:49] Thankfully, he's 23 now and completely fine.
[00:32:52] But that particular pleuropulmonary blastoma is even rarer than neuroblastoma.
[00:32:57] I think there's something like 20, 30 kids a year in the world get it.
[00:33:00] And the fact of having two kids with the same with two cancers is almost unheard of.
[00:33:06] You can go crazy thinking about the probability aspect of that.
[00:33:10] And I know this is something you're very passionate about.
[00:33:12] And you've done some fundraising around this as well, haven't you?
[00:33:14] Is there any way you can point everyone, anyone listening that might want to find out more about that?
[00:33:18] Yeah.
[00:33:19] I mean, I'm encouraging everybody to think about cybersecurity moving towards the danger zone, right?
[00:33:26] Yeah.
[00:33:26] So finding the things that are dangerous.
[00:33:28] And so we have a fundraiser with Wade's Army, which is a neuroblastoma charity here in the United States.
[00:33:36] A young boy named Wade died of neuroblastoma when he was like three years old.
[00:33:41] And so I was at the time of this recording, right?
[00:33:44] I don't know when this is going to air.
[00:33:45] But two days ago, I was on stage giving a speech.
[00:33:48] And at the end of the speech, my nephew got on stage with me along with the co-founders of Wade's Army.
[00:33:56] And he shaved my head on stage.
[00:33:59] So if you can see me, you would see that I'm now bald.
[00:34:02] And as a tribute and to show solidarity to all these victims of these cancers.
[00:34:11] But also, we committed to a $250,000 donation to MD Anderson Children's Hospital in Houston to build an MIBG room,
[00:34:22] which is a room that he was in when he had cancer.
[00:34:26] He was in the prototype room at MIBG, which I can't even pronounce the procedure.
[00:34:34] But they inject these high doses of radiation into the child.
[00:34:38] And they have to be in a room that's lead-lined.
[00:34:41] And their parents can't really be with them very often.
[00:34:45] And it's very dangerous.
[00:34:47] And so we're trying to build a room that's much more family-friendly and much more child-friendly.
[00:34:54] Because that's a horrible experience for a four-year-old to be essentially in a lead prison cell.
[00:35:00] And so Team Danger Zone, we're out there raising money for that.
[00:35:05] One of the things, let's talk about childhood cancer if we can, Ramola.
[00:35:08] Because it's the least funded in terms of research.
[00:35:12] But it's almost all childhood cancers are unpreventable.
[00:35:18] There's some sort of genetic thing.
[00:35:21] And there was a man in the front row of my speech in Houston this week crying.
[00:35:28] And I'd known him for 20 years.
[00:35:30] And I was like, wow, this is really touching him.
[00:35:33] And it turns out his daughter had neuroblastoma.
[00:35:36] She's now 30-something.
[00:35:38] But they found it in a sonogram four days before she was born.
[00:35:44] So she came out of the womb being treated.
[00:35:46] And there's nothing that you can do, right, versus adult cancers or almost all lifestyle cancers.
[00:35:54] You can change your lifestyle and reduce your chances of getting these cancers.
[00:35:59] Or we know that's something that we can define the risk for.
[00:36:02] We have enough data sets to define the risk.
[00:36:05] So I think they should put more money into saving children than old farts like me, right?
[00:36:11] If I get cancer, well, I'm living a pretty good life.
[00:36:14] I mean, I'll find it, I guess.
[00:36:16] But it's not something that would be devastating.
[00:36:21] But for a family to lose a child and then have to spend the rest of their life missing that child, that's unacceptable.
[00:36:30] A hundred percent with you.
[00:36:31] As I said, I've spent a lot of time on those cancer wards with children who don't complain.
[00:36:36] They just get on with it.
[00:36:37] And it's just heartbreaking to see.
[00:36:39] I've seen so many examples of that firsthand.
[00:36:41] So I do encourage anyone listening to check that out.
[00:36:45] I will also post links to that to make that nice and easy.
[00:36:48] And just to bring it back to cybersecurity for a moment, I mean, we started the podcast today talking about the origin story of zero trust.
[00:36:58] But as cyber threats continue to evolve, how do you see the future of zero trust as we come full circle here?
[00:37:06] Are there any emerging trends or technologies that you think will shape the next phase of this approach?
[00:37:12] Yeah, sure.
[00:37:13] I mean, I think the AI/ML stuff, like I said, which is step five of zero trust, which is monitor and maintain, right?
[00:37:22] Step five is going to leverage that big time.
[00:37:25] And one of the things about a zero trust environment is by ingesting all the telemetry that we're getting, we can re-inject it back into the system, each of the five steps, and make everything better and better organically over time, almost automatically.
[00:37:41] And this creates a system known as an anti-fragile system.
[00:37:45] So again, from Taleb's book, Antifragile, which has had a huge impact on me because it gave me the vocabulary to talk about what I was building with zero trust.
[00:37:54] An anti-fragile system is a system that gets stronger under attack, under load.
[00:38:01] So Taleb gives a number of examples in his book, and he's using it for financial modeling.
[00:38:09] But he also gives an example of the human body, right?
[00:38:13] So I know you just came back from vacation.
[00:38:16] I know when I go on vacation to the beach, I spend a lot of time drinking fancy drinks and eating and a lot really watching some of those things I probably should watch.
[00:38:28] So I come back and I go, wow, I gained a few pounds.
[00:38:31] Well, what do I have to do?
[00:38:32] I have to restrict calories.
[00:38:34] I have to work out, lift weights, run, do whatever you do, exercise.
[00:38:39] Those things are stressors to your body, but your body doesn't break down when it's stressed.
[00:38:44] It adapts and gets stronger because it's an anti-fragile system.
[00:38:49] And zero trust is an anti-fragile system in the world of cybersecurity.
[00:38:53] So it's going to get better and better over time.
[00:38:56] And that's the gift.
[00:38:58] And I think that's a beautiful moment to end on.
[00:39:01] And for anyone listening just want to find you or your team online, find more about anything we talked about today.
[00:39:08] Any way you'd like to point everyone listening?
[00:39:10] Well, illumio.com, and we have the Zero Trust Hub that we're building with all the resources on there.
[00:39:19] And then just follow me on LinkedIn because that's where I post most.
[00:39:23] That's my kind of only social media thing I do.
[00:39:27] I have an X account and I have an Instagram, but I don't use those very often.
[00:39:32] But I find LinkedIn is still a pretty civil place to have discourse.
[00:39:36] And thankfully, there's at least one social network where we can have civil discourse about this important thing that we're doing called cybersecurity.
[00:39:44] And I just want to encourage your listeners.
[00:39:47] If you're in cybersecurity, man, you've picked a great profession, not only financially, but also intellectually and morally.
[00:39:57] Every day you have the opportunity to make the world a little bit better.
[00:40:01] And not very many people can say that about their jobs.
[00:40:04] Absolutely.
[00:40:05] I'd also add nearly 0% unemployment rate in there.
[00:40:08] And also the ability to work almost anywhere that you would like in this world.
[00:40:14] Today's conversation for me has been a powerful one for so many different reasons.
[00:40:19] I urge everyone listening to check out the links I'll attach to this episode so people can find everything nice and easy.
[00:40:26] But I just absolutely love spending a little time with you today.
[00:40:29] Thanks for sharing your story, John.
[00:40:31] Thank you so much for having me, Neil.
[00:40:33] It's a pleasure.
[00:40:34] Wow.
[00:40:35] What a powerful episode for so many different reasons.
[00:40:38] And my discussion with John today illuminated the zero trust model from its foundational concepts to the strategic implementations that organizations can use for enhanced security around the world.
[00:40:52] And yet we are examining the practical steps of adopting zero trust and addressing some of those common misconceptions.
[00:40:59] And for me, it's evident that the model is not just a trend, but a necessary evolution in cybersecurity practices.
[00:41:06] And with the model's growing integration of AI and machine learning technologies, over to you.
[00:41:14] How do you see these advancements further enhancing the effectiveness of cybersecurity strategies within your organization?
[00:41:22] I also have to mention how both myself and John have been impacted by the childhood cancer neuroblastoma, something I obviously find incredibly difficult to talk about.
[00:41:34] So if there is anybody listening in health tech or in healthcare out there that would like to talk about the problem with investing and creating solutions and technology for childhood cancers, I would love to speak with you directly.
[00:41:50] So please email me now, techblogwriter at outlook.com.
[00:41:56] If you are on LinkedIn, X or Instagram, just look for at Neil C. Hughes.
[00:42:02] I'm the easiest guy in the world to find.
[00:42:04] And I do implore you to message me about this.
[00:42:08] Yes, about the cybersecurity stuff, but the childhood cancer stuff.
[00:42:11] I'm not a religious guy, but maybe I am slightly spiritual.
[00:42:14] And one of the things that I've learned after 3000 interviews on this podcast is how the universe puts us all in the right place at the right time.
[00:42:23] For something to happen, we're given a little message and you kind of think, did this happen for a reason?
[00:42:30] And with John's experiences and my own and the sheer coincidence and probability of us bumping into each other in this way and sharing those experiences does make me wonder if there is a real purpose behind that.
[00:42:44] So please, if you are listening and it resonated with you, please do send me a message because I genuinely want to hear from you.
[00:42:53] Consider this your true calling and message from the universe.
[00:42:56] But other than that, I will return tomorrow with another instance of how technology is transforming our life, our business, our world and everything in between.
[00:43:07] Hopefully, I will speak with you all bright and early tomorrow.
[00:43:10] But bye for now.