You're listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let's get started.

Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? Good, good. I feel like we've been looking at each other on our webcams pretty much all day today. We did our livestream this morning, so I guess a week ago by the time people are listening to this, and it talked about our guest today. I'm very excited to get into this DevSecOps arena. But before we go down that route, I wanted to talk to you about a meeting that we just had and a question that came up. So we recommended to a client that they put together some training on how to use their IGA system, right? Because one of the main pieces of feedback we got during our workshops was that people didn't know that they could do certain things in the tool that they could actually do, right? So the capability existed, and these folks have been living without it. So our recommendation was to train people up on that, but that's kind of a big thing, right? So how do you go about doing that training? Where do you start? How much do you do? What was your thought?
As we were having that conversation? Yeah, I thought it was interesting, because my mind immediately went to how much training do you actually need to put out there if the process is good. I always use the example, but Amazon's like a perfect version of that: everyone knows how to spend money on Amazon. I didn't take a class on how to search for things and find what I want, add to a cart, you know, and buy it. It's just a process and a flow that makes sense and works. I think, in the case of identity, there's clearly going to be some training that needs to be done. But I always would take a step back and say, okay, how does this actually work? Does this make sense? Are we asking stupid questions that we don't need to ask? Is the data on the screen relevant to whatever it is we're trying to get done? Probably the classic example is access requests. I need to request access to this thing and it's obscured or obfuscated by some weird-sounding Active Directory group name that someone came up with like 20 years ago that morphed into, oh, this is the access that gives you marketing and admin access on the Azure instance. Like, okay, that totally makes sense. So I think about it very critically, because I think this is one of my true passions on the identity side: the customer experience. If you have to do a lot of training, you've got to really rethink whether the way you're presenting it to the customer makes sense, and then once you get to where you think you're going with that, hit it from a bunch of different spots: lunch and learns, videos, documentation. I think people learn different ways, so have a few options, but personally I would start with, why do we need to do the training in the first place?

Yeah, that's a really interesting viewpoint. I think one of the things is that the IGA platform for this particular organization is designed so that one hundred percent of the time you have 100% of the options. And so I think if they brought people in and said, look, here's the happy path and it's very simple, and it's going to work 80 percent of the time, and 20% of the time you might need to go down the path where every option is available, that would take care of a lot of the problems. Yeah, I feel like this is a situation where you want to put people on a rails experience as much as you can. Maybe it's a rollercoaster, hopefully; maybe it's not as exciting from an access perspective, but there's a defined path, and sometimes having too much control or power over that, or even just choices in general, can really impact the overall service and the usability of it, right? We're not... I think there's somewhere in between the Borg and everyone doing the same thing. I'm trying to think who would be more freewheeling, where everybody kind of does whatever you want. Q, I guess, would be the other one; he just kind of does whatever. Yes, that's a Star Trek: The Next Generation reference. So that's something, right? Yeah, no. I mean, I think the folks at this client had put a lot of effort into written documentation and putting notes and red blocks of text, and people don't even see it, and they're not going to take time to read the document. So you're right, it has to be easy. But then on top of that, understanding someone's not going to read a 20-page Word doc with a bunch of screenshots, maybe a video would work better.
Yeah, for sure. I know I've done videos in the past when I did a rollout of an access request: here's how to use it. Did a screen share, screen recording basically. I definitely got someone else to do the talking part because my voice was not exactly where I wanted it to be, and yet here I am doing a podcast. But I think there's a variety of ways you can get information out, and you'll never solve for everything. Have the available options, and you could run metrics and see who's using what. If you've got web hosting, how many hits does a page get, or if you've got a wiki or something like that, how many views, etc. Find out what your users want from a training perspective and then put your focus there rather than trying to figure it out on your own without any input from the folks that you're going to be pushing this on to.

Well, I hope our listeners want DevSecOps, because that's what we're going to talk about today, right? Yeah, for sure. This is a conversation we teased on our livestream this morning, talking about DevSecOps and some of the myths and things like that that go along with it. I'm really excited to have this conversation because I don't think we've actually gotten into this topic, at least on the identity side, very much over the 134 episodes or so that we've put out already over the last two and a half years. So yeah, we're going to talk DevSecOps, and to introduce our guest today, his name is Mike Fraser. He's the VP of DevSecOps with Sophos. Welcome to the show. Thanks for having me, Jeff and Jim. Yeah, thank you so much for joining us, and I'm curious to see where this conversation will go. Not curious, but interested, because I think there's a lot of different ways that we can kind of get through this. But this is the first time you're with us, so we have a tradition around here that we like to understand your origin story. How did you get into the wonderful world of cybersecurity and, by extension, identity and access management? Is it something that you chose, or did it choose you?

That's a great question. So I was into computers as a kid and joined the Air Force when I was 18, but decided, because I had such an affinity for computers as a teenager, that I wanted to do something different. And so I actually worked on weapons systems, physical weapon systems on F-15 fighter jets, and then actually transitioned to the Guard to become a cybersecurity engineer. So I started in cyber very, very early in my career, but then, because I have an entrepreneurial drive, got into starting a brick-and-mortar computer repair shop. And then I kind of moved through cloud. I was there at the very early days of cloud, where people were scratching their heads going, what is this cloud thing? How do I even use it? And so I actually started a private cloud company for the SMB. I also found that timing was imperative when you're trying to release a product, and hardware is very hard, and so I had a couple of different consulting companies in cloud and cybersecurity and virtual desktop infrastructure, and then decided to get into workspace as a service. And then finally into what was Refactr, which was the whole reason.
Sophos... Where we were, I was really trying to solve the issue of bridging the gap between cybersecurity, where I started out my career, and going to the other side in the software engineering world, and really being able to bridge the gap between cybersecurity and dev or DevOps, which was just a huge issue out there. And something I really wanted to solve, and knew it myself, kind of being in the trenches as both the cybersecurity engineer and then coming over to the software engineering world. And a fun fact: I went to get my bachelor's and master's degree in computer science while starting Refactr, because I needed to use my GI Bill benefit before it expired from my Air Force days, but I also really wanted to fully immerse myself into the software engineering / computer science side of the world so that I truly had a good holistic understanding of what I was trying to solve.

Nothing like an expiration date to spur action in all facets of life. Let's talk a little bit about Refactr, because I think it's an interesting thing. Let's leave it at IT as code. I think we've been hearing "as code" for a long time, and I'd love to hear what exactly Refactr was, because I think that's how you ended up at Sophos.

Yeah, exactly. So I actually coined the term IT as code, and the whole premise around what we were building at Refactr was around the principle of: if everything becomes code, or becomes IT as code, it's not just about app development anymore. We need to look at everything else that brings: the cloud is infrastructure as code, configuration is code, policy is code. And really try to take the same principles that DevOps was, adding infrastructure as code to agile software development, and really create an agile approach to more general-purpose automation with security built into it. And I was also tired of seeing that everything in our world, in cyber, is all point solutions.
I wanted to build a platform that could cater to multiple personas, so that a cybersecurity engineer could upskill and actually be a part of what the DevOps team is doing, and vice versa. Build something that had the features and functionality, because most cybersecurity products out there, DevOps doesn't want to touch, because of the fact that it wasn't built for them, and it's in some way too simplistic. The other way I look at it is kind of opinionated: people that want something that is very opinionated versus creating your own opinions. So we had to balance very delicately between both. We have something that's super flexible but also that you can package up, so that you could basically put out your opinions and somebody could use the automation content in a very consumable way.

Seems like that ties in pretty well with what we kind of started off the show with today, with training and how do you make things usable for a variety of audiences. And now you're working with Sophos as the VP of DevSecOps, which is a very cool title, too. What the hell does that mean? Yes. They're coming on board to say so, and it's actually Sophos. It's pronounced... No, no, you're fine. I'd say give me six months to still try to be on point with pronouncing it correctly. So all good.
But yeah. So Refactr has now become Sophos Factory, which is basically the same product, just rebranded, and I'm driving the DevSecOps strategy. But again, around this kind of holistic thought process of having more general-purpose automation, to be able to support also the broader ecosystem, too. So one of the big pieces that we were driving at Refactr was I want everything to basically become building blocks that can come from different vendors, and this ties nicely into the IAM side because it's a huge issue there, but more generally kind of the broader ecosystem, because there's a lot of vendors that are trying to figure out how to modernize their approach to the products that they've had in market for a long time. And then you have a lot of new vendors coming into the market that are a little bit more bleeding edge for the typical cybersecurity teams out there as well. And so that's like a huge, huge push on our end, but basically I'm leading the Sophos Factory product and team at Sophos around DevSecOps.

So Mike, we try to make sure that we don't leave anyone in the dust, and our listener base is really all over the spectrum in terms of background and years of experience. So I'd like to start off with kind of a 101 around DevSecOps, which to me sounds like part of three different words: development, security and operations, right? I mean, is it that simple? It could be. I think it's a little bit more involved, a little more explanation to it, but my philosophy on DevSecOps is it's more general. It's really about the principles of DevOps and then adding in security to the mix. Also, though, I want to be clear, it's not just AppSec redefined. It's really kind of a new paradigm of, again, this whole concept of IT as code. So if it becomes code, and looking at, again, your infrastructure, your configuration, security as code, whether that's policy or developing towards APIs and other things that you're trying to programmatically create, so you can have a continuous process to build more modern solutions. And DevSecOps, to your point, is the combination of three different words, and I look at it as a collaborative process between dev or DevOps, security and ops, because of the fact that if you're going to truly achieve DevSecOps in an organization, it's not just we're going to add security to the developer's plate. It's really thinking about this as a more collaborative process. We have so many different domains, including IAM, inside of cybersecurity that there's no way that you can expect developers to just say, yeah, we're going to pick up all things security because we're modernizing; that's the approach here. And then on the other side, on the cybersecurity side, I really am passionate about seeing cybersecurity practitioners upskill and redefining the definition of developers, too, because it's not just about app development anymore. And so I want to give cybersecurity practitioners and teams not just a seat at the table but to be actively involved in the process. And as cliche as it may sound, really, truly start breaking down the silos in an organization so that they can all cohesively work and collaborate together.

Yeah. When I think of IT as code, I think about automation of the deployment of IT infrastructure and applications. I think there's obviously an IAM tie-in, but could you kind of elaborate on that? Identity is critical to anything that you're going to build. Obviously, you have to be able to tie into various different systems. You have to be able to also have the identity tied into any of the automation that you're trying to do inside of these more modern solutions. I look at the IAM piece as one of the core building blocks when you're building more of these DevSecOps / IT as code type of solutions. Because at the end of the day, you have to be able to tie in what you're doing into, whether it's APIs or SSO or whatever it may be from an identity standpoint; you have to be able to continuously tie into it, right? And then looking at other things like zero trust and so on, we want to be able to ensure over time that you're able to get authorization to various different systems, too, but it's not necessary depending on what you're doing.
But because of the fact that you're tied into so many different systems, and everything changes, too, right? So if you take the building block approach, you may be using one technology today, but six months, a year down the road, you may want to change to something else or have something in addition to it. You really want to take a much more modular approach to that as you're tying into it. It's basically building a solution that has many different parts to it and requires identity for each of the different parts inside of the solution that you're building.

Yeah. Whenever I think of IT as code, I'm thinking about automated deployment of infrastructure and the application. So you need to have accounts that have the rights to do things, whether it's to pull from a code repo or initiate a new instance or connect to a database. So there's a lot of accounts that that IT as code process requires. So is it the management of those, and from an IAM standpoint, are we talking about mostly the authentication process, or is it the lifecycle of those accounts? So first, is my premise correct? And second, what are the components of IAM? Is it authentication, authorization, user lifecycle, things like that?

Yeah, that's an interesting question. So I think it's all of the above. The issue with trying to figure out how you're building towards different solutions is it's around use cases. I have some customers that are working to... they wanted to do onboarding and offboarding of users, and they're going to tie into multiple different systems to do that, and they're going to use a much more DevSecOps type of approach. Then there's the, I need to tie into particular systems, to your point.
Whether it's a repo, a code repo, or I need to offer authorization against this API, or I need to be able to tie into this VM and go set something up, or whatever it may be. And so there's a different piece of identity that's a part of that. And a lot of what drives DevSecOps is around the concept of CI/CD, continuous integration, continuous deployment. The problem that exists with that is that you end up giving the keys to the kingdom when it comes to that, because you're tying into all these different systems and you have to basically tie together the different steps that you're trying to automate in there. And so when you're doing that, you have to be very careful about the level of access and authorization that you're giving, because a lot of these systems don't really have any sort of privileged access management.
Other than, yeah, you can have access to this, or no, you can't. And you're not thinking about the granularity inside of the pipeline you create, even if you have granularity on how you can access or execute said pipelines. And so that's still a problem that exists out there in the space, and something that I'm working towards trying to help solve for, because of the fact that it's a problem out there. And to your point, trying to get into more of the DevSecOps where you're incorporating other things outside of just traditional app dev, you really have to think about how you're structuring the identity piece to all this, and how that ties into the automation and the continuous automation of that as well, so that you can also have an understanding and be able to audit who's doing what, where, when, and how. Right.

Yeah. When I speak with clients, a lot of them are trying to get their arms around this whole DevSecOps process. They might not have the operations side down. In other words, the developers are solving the problem because they have the problem and they need to solve it in order to move forward. So they kind of define their processes and everything. But even at a more fundamental level, I'm just wondering, when does an organization need to build a capability around DevSecOps? Is it how large they get? Is it only certain types of companies? Or, in other words, who needs DevSecOps?

I think every organization needs DevSecOps. The conundrum, though, is kind of where you're probing with the question, which is the size of the company and the maturity of different teams in the company. So the larger the organization, the more likely they have different teams that are dedicated to supporting the different pieces of the DevSecOps side. Again, I don't look at this as just trying to add particular tools into just your DevOps or app dev process. I think about it more holistically. And so if you take that approach to what DevSecOps is, then you're really thinking about how do I incorporate this type of approach as I'm modernizing, and also how do I think about the ways that different teams can support what they've created? And so that takes a certain type of skill set to be able to build.
I often equate this, also in the software engineering world, to: software engineers are great at building; they can build stuff from scratch. Developers, if you're just generalizing the term, app developers, have to have code that they start from, but they can then add additional functionality to it. And I take that same thought process to what DevSecOps is. You have those that can build something from scratch, and then you have those that can tweak and customize, but they have to have something that's already created. So you can apply the 80/20 rule, where if it's 80% of the way there, they can go and customize 20% of it to get the outcome or the end result they're looking for, and support it too. And I see that as the future of DevSecOps in general: you're still going to need the folks that are going to be able to create the base automation content that you're going to use, and then you're going to have the other folks that can consume it. But you have to think about this more across, I think you brought this up earlier, Jim, the full spectrum of technical talent to ensure that you can cater to both sides of that. So you've probably also heard the shift left and the shift right out there. And I look at it as, you need to shift left, for sure, try to get as close to the beginning of the creation of whatever you're trying to build through a DevSecOps pipeline process. But you need to also be able to take that and shift it right, in more of a consumable type of approach where it's more low code, no code. So you have to have high-quality code and low code / no code and be able to balance both of those on both sides of that, because just shifting left is not the answer, and just shifting right, where I abstract everything and make it super simplistic, isn't either. You need to be able to do both, and that's at least how I think about it.

Okay, I'm going to take the bait on just shifting left, because I think we don't want to leave anybody in the dust. My understanding is shifting left has to do with, we're moving to an agile software development process. Now we're testing earlier; we're not doing that waterfall methodology where we're going to build a product and then, now guess what, we're going to start testing it. It's this continuous integration development process where we're testing as we're going. So what we're really talking about is the automated testing, script-based testing of applications that are running all the time. Okay? So obviously I'm getting to my point of ignorance. Talk to us about shift left.

Yeah, it's fine. The concept of shift left is trying to incorporate security as close to the beginning of the dev process as possible, so that you can have the scanning and remediation happening as close to the beginning of a pipeline process as possible when you're releasing software.
Conceptually now, in cybersecurity, the whole reason this whole shift left thing came to be is because of the fact that most of the cybersecurity products out there were being used outside of the development process. So now it's the concept of trying to reduce that. Now we take this and move this forward to the concept of IT as code. It's not anymore about being a part of just the dev process. Even though I'm taking the same approach in how I create and release my solutions now that they're all software-defined, I'm also thinking about how I can build this from code from the very beginning, but then package it up in a consumable format where you have to now shift right, because it needs to be in a format that other folks that aren't just developers or DevOps engineers can actually consume. So there's a debate going on about this, but I truly believe it's shift left first and then shift right. And again, it's not just about app development; it's now about thinking about everything holistically from a technology standpoint in your organization, which may or may not be about just application development. And there's a lot of organizations that aren't developing applications at all, right? But they need to take the same approach now that they're building solutions, because if I'm no longer racking and stacking infrastructure in my data center, or I'm now using the cloud, that's one great use case where this becomes a major issue at scale, and you have to now start thinking about how do I build things from infrastructure as code? How do I set up guardrails and policies around that? And then how do I tie in the other building blocks to that, too? Because I may want to be able to assess the infrastructure created against CIS benchmarks. I may want to be able to remediate it. I may want to incorporate integrations to be able to pop that data into my ticketing system or CMDB or whatever it may be. And so again, thinking about this more holistically, and then how do I tie in the other building blocks here.
Because I may want to incorporate using a particular IAM solution across the board for every single building block that I create, or multiple different IAM solutions, depending on the organization and who supports different implementations of different products that are being used in the organization.

So what is the x axis from your definition of shifting left? Because the way that I'm picturing it is, all the way on the left is the developer, whoever is creating the thing, and then all the way on the right is the consumer or the customer of whatever that thing will eventually be, and everything in the middle is all the stuff that happens, the people and parts that contribute to getting it all the way to the right. And you talked earlier about not necessarily shifting right, but spreading out, for example, the security responsibilities across the spectrum. Is that... am I thinking about that correctly in the context of what you were looking at?

For the most part. I think everyone needs to be thinking about security, but I do still think it's on the cybersecurity team and any ancillary teams in the organization to be able to long-term still support that. I think the problem, though, is, as I've lived it, if I decide I'm going to need to go, say, cloud native, and I'm going to deploy a Kubernetes cluster, usually that's on the plate of the DevOps team, not the security team, and then the security team is either brought in after the fact or the DevOps team has to pick up on the security side. And so my thought, my opinion on this, is that if you build things in building blocks that each team has to maintain, then being able to bring them all together, the security team still is able to manage the risk in your organization and support the different cybersecurity products they have to support, but being able to work in conjunction with the dev or the DevOps team, and then also the ops team who's going to have to support any of the stuff once it goes into production, and other systems in their organization that may not be directly tied to cybersecurity. But it's imperative that you're able to utilize those systems in conjunction with the security products in the organization. I'm also against the thought process that developers are now going to become the security experts, or that the DevOps engineers are going to put this on their plate. And so you've probably heard talk out there about, oh, we can build these DevSecOps teams. Have you ever tried to hire a DevOps engineer? That is very difficult. If you've ever tried to hire a DevSecOps engineer, that's like trying to find a rainbow-colored painted unicorn out there in the wild, right? It's just not in reach to be able to think that you can add a whole other domain to somebody that already has the expertise around two different domains already, dev and ops.

So I did not hear you use the word containerization, but I often hear DevSecOps linked to things like Docker. And a lot of times, when engaging in the conversation with a client, they've got Docker, they're doing a lot of DevSecOps work. How big is containerization in the world of DevSecOps? Is that usually the driver, or is it just part of the puzzle?

That's a great question. So there's a school of thought out there that DevSecOps is purely driven around, to your point, containers, really cloud native technologies like Kubernetes. And it's interesting, because last year we ended up engaging with Platform One, which is the Air Force's DevSecOps initiative. So we won a Small Business Innovation Research contract with Platform One around their initiative.
What I found, though, kind of working through this, is that really on the legacy side of systems you have to support, you should still be able to apply DevSecOps principles, but it's not directly tied to cloud native or containerization. Then there's the other side, where it may or may not make sense for your organization to go that way. I don't think that DevSecOps and containerization are mutually exclusive. I think that the principles and the approach of DevSecOps should be able to be applied to traditional infrastructure use cases, that you can apply to network automation or configuration management for devices that may or may not be physical, and then also thinking about how you're applying those same principles to building Kubernetes clusters and applying security controls on those. So from my perspective, DevSecOps is the approach and how you're trying to modernize, but being able to not just put it into solely containers or containerization, I think, is a way to think about it in organizations. And there's all kinds of different use cases that I have worked with customers on that they're using it for, that again aren't what you see out there as traditional pure Kubernetes or containerization use cases.

Yeah, I think DevSecOps, probably the closest parallel in the IAM world, the traditional IAM world, for me is privileged access management, where you've got this group of highly technical users and you're, quote-unquote, going to do something to them. You're going to change the way they work by implementing some technology that's just between them and what they have to do for their job. And so I think there's probably a right way to do that and a wrong way to do that. I'm wondering, you've probably seen both, and you've implemented DevSecOps programs yourself: what's the right way to do that? And if you could back it with any real-world example, I think that would be interesting.

Yeah, that's a great question. I think, from my perspective, when you're thinking about how organizations are building out a DevSecOps program, the key to thinking about that, and to your point about privileged access management or different products that you're trying to incorporate into the mix, is who supports these different products and what level are they at technically to support anything net new. And there's some examples in the IAM space from different vendors that may have existed for a long time, so they've been catering primarily to the cybersecurity teams, and now other products are coming out that are catering more to the developer side of different teams. And so you really have to think about how these are packaged up and used, and then what else they're supporting in conjunction with it. A lot of times it'll be like HashiCorp. A good example, though, so I'll bring them up around, for the developer/DevOps type of approach, who uses those products. But the security team has to support, say, the Vault implementation, and then how do you incorporate those into the next piece? Which is going to be, all right, now that I can pull secrets or credentials and get authorization to then go create infrastructure as code, who is supporting that?
And I think that the ability to get cyber security to be involved in that and be able to support that as you're building out, your depths at cops program is imperative and also the go back to my prior point, the upskilling part, because a lot of times, this is completely outside of the scope of what Cyber security, practitioners know, and understand. And so, it's net. New skills that have to be
learned to be a part of this. So maybe I need to learn how I can pull secrets programmatically from Vault, and I need to know how I can build some infrastructure as code saying Terror for many of the cloud native templates and thinking about it again, back to the whole it is code conversation. How does that get incorporated into the the outcomes organizations, trying to drive?
I've through whether they're pushing to, go to the public cloud or any sort of other initiatives that are going to help them accelerate what they're trying to do. And I think that's a huge piece of the hate to use this term but of digital transformation, which is a completely loaded term. But it's it's part of that process that organizations are
trying to go through that. They can basically modernize is really what the root of that is and that requires different teams to be a part of And also again the Alps killing piece to so that the full spectrum of technical talent in the organization can be a part of the deaf, psych Ops program that you build inside your organization.
Yeah, my perspective on it is that if I'm in the information security office, I don't need to run the HashiCorp Vault or whatever technology is necessarily backing it up. I don't necessarily need my folks to do the administration work. What I want to make sure of is that the proper controls are in place, the proper auditing is in place. And, you know, what I prefer to see is some leadership from that development side coming to the information
security office to say, hey, we've got a process here where we're managing identity and access, and we want to make sure that we're in alignment, that, you know, we have the proper controls in place. I think the same thing for privileged access management. It shouldn't have to be that the IAM team comes and says, hey, we need to take over your process. It should be that the engineering team says, hey, we're managing all these servers, we need to make sure that we have proper controls and
auditing in place. So I think that that would be ideal. I don't know that it's always going to happen, but I do think it needs to be a partnership. I don't think some kind of antagonistic process, where, you know, from an app dev team or from an infrastructure team, it's like, oh, you guys just want to come in, like, take over this process and you're going to make my life suck. Yeah. I think there's two ways to think about it too, from that perspective.
And this goes to some of the work that I've been doing with some large SIs as well, or system integrators, around, there's the tier, and there's, like, the support of the underlying infrastructure and the configuration of the
different IAM products that you have to support, which a lot of organizations are trying to figure out how they can do, you know, in a much more modern, sophisticated way of leveraging kind of a DevSecOps approach to building it around infrastructure as code, and so on. Then there's the other side of it, to your point, which is how do I then use those products in the
DevSecOps pipelining process, where I'm trying to build these newer, modern solutions? And so that is also the other approach, and I think that it does, to your point, require a relationship that's not confrontational between development and DevOps, whoever's managing that side of it, and the cybersecurity team who's going to have to support the different products that are now being used inside of that process too. And not everything is going to be, you know, to my
example, like using HashiCorp: your dev team and DevOps may be using it, but you may have other, most likely have other IAM products in your organization. And so you have to think about how do I incorporate those into this. I may have two or three or four different products inside
my organization. So I have to think about how each one of those is used, and can I have those as essentially the building blocks I mentioned earlier as a part of that process, where I can swap one out for another if another team is using and supporting it, and I'm not just beholden to the DevOps team because now they're forcing us to have to use this net new product. I think the longer-term strategy is, can you package up the integration automation around
these IAM products in a consumable way that you can have other teams using it without them having to know the inner workings of, say, like, how Vault works? It's just like, oh, I just need to put in these few inputs and I can run this, and now I get the results I'm looking for. I can grab that secret and use it in my process, right?
And so thinking about it much more around the consumption piece is critical, and how folks can use this type of stuff. You know, we've been talking a lot about DevSecOps in the context of, I think of it kind of already existing, but what happens if it doesn't exist? How do you insert or create a culture of DevSecOps? It seems to me like it's very much a culture and a mindset, and less the actual technology portion of it.
So the technology is an enabler, but if there is no DevSecOps today, how do I start one? How do I insert myself into that process? Yeah, that's a great question. You really need to look at how you're doing work today in your organization and who has responsibilities for the different work. And you may have a super mature DevOps practice, you may have, and I mean, not be doing any DevOps in your organization. So conceptually, from a principle standpoint, that would be
the first thing: how do I get things in place to be able to even build what I would consider more of a DevOps-style practice? And some of that stuff is, like, continuous feedback loops between teams, so you can be more collaborative and, you know, know what either team, what different teams are doing.
Then also thinking about it from a process standpoint. So feedback is great, but you need to have a semblance of an understanding of not just what other teams are doing but how you can incorporate more of the agile process into what you're trying to create, and continuously update and monitor as well, which is super critical.
And then, from a longer-term strategy, it's being able to get a semblance, again, around the solution-building side in the organization, to apply those principles to what you're basically trying to create from a solution standpoint, and then being able to iterate quickly on that and having each of the teams involved from a collaboration standpoint. And technology is critical to this, but also equally critical is having the processes and program in place.
Because if you don't have an understanding of what you need to do to build the practice or the program, you're not going to have an understanding about how to even apply technology that could help you to start redefining this in your
organization. Mike, I'm going to ask you to put your future-thinking cap on. So Jeff and I did a livestream today, and someone asked about quantum computing and how it would impact password policies and passwordless, and, you know, there's these major trends that are happening around us, things like the cloud, which, you know, I guess isn't the new trend anymore.
But I'm wondering, what are some trends, or some things that you see in the future, that you get excited about? What's going to change in the DevSecOps landscape and make it better? So I don't know if I will get into quantum computing and how we'd read from that from DevSecOps, but I do think AI/ML. And it's funny, because when I was in school I took an AI/ML class, and I learned firsthand the fact that what we think about as AI, it's very rudimentary.
A lot of it's brute-force type algorithms. And I do see, though, that if you start taking the approach on DevSecOps, the next kind of approach to it is, now how can I
apply any of the data that I'm now building from what I'm doing to make better predictions on what users want to do, or longer-term, even have the robots be able to go do stuff with it, which I know in a lot of organizations is terrifying. But at the same time, I think longer term we'll see more and more intelligent automation, where we're actually leveraging large datasets around machine learning and then being able to
apply more of an AI approach. Thinking about, you know, can I now have a machine go do these things, not merely automate and have machines do it, but I'm controlling what it does, to actually be able to make decisions off of the data that I build off of that. So that's where I see the next trend. And maybe on the next podcast we'll talk about quantum computing, you know, a year or two out, because it may be more applicable at that point.
And I got a quick question for you. You've been great with your time; we've only got a couple minutes left here, but, you know, I'm a Star Trek guy. The Borg, are they an AI? Oh, that's a good question, because they're a blend of machine and human interaction with a human brain framework. Yeah, a cyborg of sorts. I don't think the Borg themselves are, I do think that the control of the Borg is driven by AI, but it's conceptually, think about it from a collective standpoint.
It would be possible to be AI, but, yeah, that's a good question. I think I'm on the fence on that one. I thought I'd put you on the spot there. So let's wrap up with something in the Star Trek universe. Who is your favorite Star Trek captain or officer? So I have two: one human and one synthetic. So Captain Picard, for sure. The Next Generation, you know, by far is my favorite captain of all time across all of Star Trek, and then Data.
So, nice, Data. Not Data because of my love for The Next Generation, but Data is also right up there with Captain Picard, so I like both of them equally. Iconic characters, for sure. Jim, how about yourself, who's your favorite Star Trek-er? I'm not going to have an original answer here, but Picard's my favorite. I mean, I just think that guy was so cool. Yeah, I don't know what it is about him, but, like, he totally
nailed that role, for sure. You know, you can do hashtag my captain or, you know, whatever you want to do it for, Picard for sure. I'm on that one. You know, I'm old school, but I like Spock. I mean, there's something about the logic, the lack of emotion and things like that, that you're not sort of tainting the decision-making, sometimes to a detriment, for sure.
But yeah, I always thought it was a fascinating, you know, not only character but role, right, to be able to kind of show that. And you kind of saw it go over with Data, trying to figure out, there are several episodes of him trying to figure out the human experience and emotion and things like that, which was always a hoot, you know, going from the cold, yeah, that's a cold, but the robot, to him all of a sudden experiencing happiness or sadness or things like that,
and taking it to the extremes. So I guess Spock would be mine, for sure, over the captain, or was he? There you go. The question wasn't who's your favorite character, it was captain or officer, and Spock was definitely an officer, although he did take command at certain times based on what was happening, you know, at the time with Kirk. I'm surprised nobody brought up the end of Troy or well.
I was going to say, I thought it was only the curry captain, and who's definitely achieved my food, not for a plug for the new show Picard, but a lot of them are back on there, so it's great to see them acting, you know, decades into the future on from The Next Generation. Yeah, it's exciting stuff out there right now on all fronts for Star Trek, so, yeah, they boldly went where they already were before, I guess, would be the way to put that one. Mike, you've been super cool
with your time. As we start to get things wrapped up here, I really enjoyed the conversation today. I learned a lot, sort of from that DevSecOps mindset. What is something that people who are listening here, who just heard this conversation just now, should be taking away from what we talked about? DevSecOps takes time and effort to build, you know, a program in your organization. If you're coming at it from the cybersecurity practitioner side, think about how you can start
upskilling yourself. I kind of equate that to, you know, you don't need to become a software engineer, but you should know computer science fundamentals, because the shift is happening, and you at least want to have the baseline of understanding of how things are done and accomplished as everything becomes everything-is-code, or IT-is-code. And I'm super excited to see where the market goes around this.
We're at the very forefront of this, even though you've heard DevSecOps for, you know, years now. I think we're getting to the point where it's starting to truly accelerate, but one of the bases of DevSecOps is change, and that's very difficult for any organization. And so I think the driving factor is the industry shifting so fast that organizations have to adapt and
change. And I like to say, with that said, now choosing a Star Trek phrase, resistance is futile, so prepare to be assimilated. Jim, how about yourself, final thoughts for this episode? That was so good. So good. Yeah, but I think, you know, kind of coming from the IAM program manager point of view and thinking about this, it's got to be a partnership. Don't go in and try and take
things over, you know, quote-unquote insert yourself. Understand from, you know, your users, your developers and your infrastructure team: what are their needs? What are their concerns? And you let them know, here are our needs from an infosec standpoint. I think when that gets on the table, then you can start to solution around what those needs are.
And, you know, if you pursue this as kind of a partnership, all parties leaning in to try to make sure that all the needs are taken care of, that's the right approach, that's what I'd say. Yeah, collaboration, partnership is exactly what I was thinking too. No one is expert in everything, you know, be a good partner, I guess, to the rest of the business, whichever side you fall on. Okay, I think that'll do it for this week. I will have in our show notes Mike's LinkedIn.
Hopefully you're cool with that, and connecting with people out there, and also a link to Sophos, hopefully I pronounced it correctly that time, so you can learn more about what's happening there. Good. Okay, cool. And, you know, obviously you can check us out on the web at identityatthecenter.com. We're on Twitter at @IDACPodcast. You can check out our livestreams, which, again, we're trying to do those weekly, slowly growing it, slowly figuring it out, but having interesting
conversations there as well. You can find us on YouTube at idea c.y. I've, and, yeah, with that we'll go ahead and leave it. Mike, thanks so much for your time. Jim, thanks for your time, and we'll talk with everyone on the next one. Thanks, guys. Thanks for listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
