Do you know who has access to what? This is the Identity at the Center podcast. If you're looking for identity and access management talk, you've come to the right place. And now, on to the show. Welcome to the Identity at the Center podcast. I'm on the road, visiting my good friend Arturo here in Monterrey, Mexico. This is my last week of travel for 2019. So while I'm excited to be in Monterrey and see the mountains, it's gorgeous here.
By the way, the weather is perfect; it's like 50 degrees Fahrenheit, which is great for me. Clear skies, mountains all over the place. It's awesome. I thought it'd be a good time to catch up with Arturo, kind of close out the year and talk about some of the different IAM experiences. So welcome again to the podcast, Arturo. How are you? Thank you. Thank you for having me.
Thanks for setting aside some time. And actually, you are very lucky right now because we are having, as you say, very clear skies right now, so you can have other pictures from the mountains. I hope to get some good pictures from Vermont, top of the hotel around. So let's dive in a little bit. There was some recent news around IAM in Mexico, and that was Pemex getting hit with
ransomware. Depending on who you talk to or which article you read, it was either not a big deal, according to the company line, but there were other articles quoting inside sources saying it was a much bigger deal than maybe was being let on, and systems were down for much longer than we thought. The ransom was five million in Bitcoin, which is quite a bit. Has there been any discussion in the Monterrey IAM community around that topic and how that might affect other things?
Yeah, well in get, I think that Indian and all he did. Cybersecurity community. It has been, along with the Pemex hack a few weeks back, there were some other companies in Mexico that were affected by the same type of attacks. I don't have details on if it was the same type of malware sample or something different, but in the end, there were different companies that got hacked using this ransomware
attacks. And I think, like, here in Mexico, different than in the U.S., we don't have very tight regulation in terms of properly communicating this kind of incident. Some of them weren't public because it wasn't a public or a bigger company like in Pemex's case. And I think that I might agree with you that the issue is more about the communication, because we don't really know if it was something important in terms of real application of the company or not.
And so, a lot of big cases are happening in some other countries. For instance, in the U.S., the good thing that we have in some cases is that communication was very effective. So actually, there are certain articles that highlight that the very good action of the company after Interior was to properly communicate, either to the public or to the customers that got affected.
So some of the hacks at the end, I think that more than be ready to prevent the hack because it was providing, it was able to prevent or not, some quesadillas and some other not. But I think that the ultimate point is they were able to react properly after they got hacked or after they had the incident. And I believe that the things to highlight, or the companies who are more, or we as security professionals,
we say, okay, these guys seem like they're doing a very good job, or they were prepared to react, are the good ones. On the other hand, we have the companies who cannot react, or they're having misleading communication of the incident. In this case, I think that Pemex, because it's a company of the government, so there was a lot of talking. Features or say one thing, some other experts say another, some internal sources to reporters said something totally different.
I think that the chaos was more around the communication in this particular case. Yeah, I think that makes sense, and I guess I'm glad you brought that up, that Pemex is a nationally controlled petroleum company. So my understanding from what I've read is the hack affected more the billing side of things and sort of back office. It didn't really affect what maybe customers of Pemex might have seen, but it probably more affected B2B-type things.
So people who maybe have a financial relationship, whether you're a creditor or, you know, some sort of builder within the organization, might have seen some more effects. But that does make me wonder, because the communication was vastly different based on who you talk to. So it's, you know, "it's fine, everything's under control" versus "boy, things are a real nightmare behind the scenes." Really ideal for Is of computers are down.
Can't do whatever. And I think, I still feel like, even in the U.S., that's still something that companies struggle with: the response to this. So, you know, there's tons of information out there, but really the focus that people are taking now is, it's not if we get hacked, it's when we get hacked, how we're going to respond to it. So it's interesting that the hack that Pemex faced was also seen in the U.S., so companies like Merck, I believe there was, like, a shipping
company. Any Mercy, I think is what it was. They had a very similar profile, and they think that maybe those hacks were done by the same group. So there's clearly a targeted, you know, environment here, that people that are using this specific ransomware were looking for very specific profiles for companies to try and breach. Right. And some other things that I just read this week is about how these types of hacks, like the Pemex and certain others
that happened a few weeks back, are gaining the attention of the hackers, because they say, well, there's a target that seems to be easy to hack, right? And so they will probably try to look at different companies based in Mexico, Mexico and Latin America, that they can take advantage of. Yeah, I feel like there's an opportunity.
If I'm looking for the target to breach, companies that may be in the small to mid-size range that don't have the technical controls in place, things around privileged access management, or maybe their users are all local administrators, and I drop a thumb drive in the parking lot. And, you know, the person is trying to be helpful, "I wonder what this is," or they're curious, and they plug it into their machine and bang. You know, now I've got their stuff and all their friends.
So it's just, I think, something that companies are starting to pay more attention to. But at some point there will have to be some investment to try and mitigate that through security training, security awareness, and then, you know, the technical controls to try and block those things from even happening in the first place.
Yeah, and I think that all these things are good in general because they draw the attention of the top executives, and they start making decisions based on this environment in general. But on the other hand, we have that all the sales guys are basically basing their speech on, yeah, this product is magic, this product can help you with everything including ransomware, which is, you are not very deep into Uh, George, you are manager, photos, and have a deep understanding
about everything. You can probably try to buy something to help you with the ransomware, having our first, don't something totally different, things like that. So you have to be cautious also in making this decision. Yeah. I mean, are you saying that salespeople might not be honest about their products? That would never happen.
I know some very good sales folks, you know, shout out to my guy Tim. You know, he's really good, and there are a lot of really good sales folks that really do a good job of positioning where they can help and where they can't. But there are eyes. I feel like there's way more, especially having sat on the customer side for so long, of "oh yeah, this is the magic bullet." Like you said, it will solve everything, solve all my problems, etc. Doesn't exist.
Right? Even the best magic bullet that is out there will only reduce the chance of something happening; it will not outright eliminate it. Yeah. But after a while, you start to identify these guys. Start to identify where even with the words that they are using, you never did you guarantee, you just knowing any guarantee to go to size. Exactly. Let's talk a little bit about IAM work done specifically this year and kind of the program that you've been working to set up here.
What is the biggest IAM accomplishment that you're most proud of for 2019? I'll put you on the spot here, so we'll give you a second to think about it. But now, in terms of, I think, one of the things that I'm really proud of is that this year, at the beginning of the year, we accomplished enabling multi-factor authentication to the Hokum again, that it took us some time to actually go and communicate and convince the users into that at the beginning.
But eventually, after almost four months of rolling out the solution to more than 23K users, I feel like we did it. I mean, it's something I think that is a very good milestone for security posture, and also it's like, okay, we are moving forward in terms of security of users, in this case the employees, and yeah, it's like
big step. It's in terms of security, and based on that, you start getting more traction on different security features that you can enable along with this there knowing the near future, or, I don't know, two years' time, probably, the biggest achievement should be part World. A so that's what I'll say something related to that. So we are step by step, right? But this is the first step, I think. So I would say that is the first one over.
That's a big one. MFA is huge, and for 23,000 people, and that's across the globe too. That's right. Not just a Mexican, a different culture, people who don't want to use their phone for that. And so the other thing is that technology right now, using this conditional access or this context of the authentication in order to make decisions, it also helps right now with this, because otherwise it would be more complex or even impossible,
I would say, because if you are not having this context of the user, you cannot lower the friction of the end user, and in the end that will kill you though. So if you are going to prompt the MFA every time that they are signing in, it is going to be too much for them. So being able to take advantage of that conditional access as part of the MFA was probably a big help, right? Yeah. Probably in our case, without that
it wouldn't have gone through. It would be like just a certain amount of users and certain conditions, but not like totally. That's great. I think that's a pretty good goal or a pretty good achievement for the year for sure. Yeah, and a second one that is also important, I think, is to And moving out things around formal from licensed, the IAM program and everything related with that, because it's a complex conversation and it's difficult to get the message through to top management.
And I know you and I have had several conversations, especially over the last several months, making sure that the message of IAM is being communicated effectively and received at the executive level so that you can set up these programs, and you've got a win through MFA. So yeah you want that went well and it's providing value to the company would reduce risk. What else can we do to help that?
So I think that was an important conversation to have, and I'm glad to hear that that worked out, you know, the way that it did. I think that's very good. So let's flip the coin. What's something that maybe you wish had gone better in 2019, or something, you know, on those lines of going better? I will say, and this is probably, well, he needs related to the IAM program implementation, or trying to really formalize the IAM
program. And I will say that this, everything related with politics. I remember that last year that you were here and you were saying about, okay, the IAM program and everything related to the IAM program is more politics and process and people than the rest of the things, like technology and new toys for the company and I was politically. Yeah, I get it.
We need both in the end. I think that because of different things internally here in the company, and culture, and the type of politics that the company usually has, I think that could be better, or we can improve that, how we should probably try to make some connections internally, try to convince more people, having or looking to expand the sponsorship that we have internally. And I think that this is different based on every company, based on the organization,
and where you are seated in the organization, the organization chart. Well, and culture. So probably politics here in Mexico is kind of different than the U.S. So I need to watch more House of Cards. Also, cards game sometime hopefully. Yeah, it could be House of Cards. Could be Game of Thrones. Hopefully not as bloody as either of those are. This is the real world, right? Yeah. People have thoughts and opinions.
And you know, that's something that, you know, earlier in my IAM career was something that I wish I had done a little more effective job in my previous roles, is understanding the politics of it, because when you're working, you know, neck-deep in IAM, a lot of things make sense, right? But there are larger discussions that are taking place above that, that can certainly impact
ability to get things done. So, being able to make relationships and, you know, play the game sometimes of bringing people in and understanding what their motives are and the psychology behind it. And I think politics is a huge part of it. And I know that, you know, whenever I'm working with, you know, clients and customers, there's a quote from for store that I always like to use, and I can't think of it exactly right at the moment, but politics is
included as part of that quote. And the reason I like it so much is because it's one of the only quotes I've seen that includes politics as something to account for as part of your IAM program, being able to play that game, understand it, you know, kiss the babies, shake the hands, you know. Politician, you know, being able to be as a big the parts of the picture and yep. Yeah, exactly. And I'm getting back on that.
I mean, going back to 12 months ago, it wasn't the same person in terms of politics either, so I hope next year it's getting better. So from a resolution standpoint for 2020, is that one of the resolutions you'll have from a 2020 perspective when IAM is politics? Yeah, but if you just believe, Beeps. Yes, but it's also about starting to grow the professional network, including, I mean,
inside the company for sure. But also outside, try to find folks who are working on my MBA program for any M initiatives in some other companies here in Mexico. To be honest, right now, there's not any IAM community getting together or having something like that. Since I saw all the job that I deployed doing with the different user groups around the U.S., one of my ideas for next year, or one of the resolutions that I have, is to start a local group here in Monterrey.
And I think that one of the biggest challenges is to find the right people, because here those guys are saying people who are working on identity, they are either developers working on some user interface for some application, so they tag themselves as a developer, I haven't met in coding and I'm developer, and some other folks are working more on the security side, so they are security professionals knowing professional, so I need to go and
leave that open. Okay, bringing a come with me. And let's talk about identity. And so it's going to be at the beginning that way, try to identify the people threatened by people just to join us and start talking about different topics around identity. So hopefully in the next few months we will have some community here. Yeah, that'd be great. Do you think that you'll run into resistance with "Why are you talking to me? Like, what are you trying to do?" Like, will people be guarded at
first? No, not really. No, I mean, they are very open, and I always see the IT community as very, very friendly in general. So if you are always trying to share knowledge, they will be open. If you are trying to gain and probably the sales myself friend will kill me, but you selling this guy kind of events. When you advertise the meeting, you have to say that it's free or free of sales grades are they are, there's no selling, nothing.
And so it's just sharing information, and you need to be clear about that, because otherwise people get scared and they won't attend. But if you are saying, okay, no, we're just talking about this topic and sharing information, and that's it.
So, what I'll do is in the show comments for this, I'll put your LinkedIn. So if you're listening and you're in Monterrey or close by in Mexico and want to, you know, help Arturo with setting up an IAM group, I'll put your information, so they can reach out to you on LinkedIn. So, actually, in the next few weeks, I will start sharing on LinkedIn as well. Great to have more information about that, and hopefully, by the end of January, we will try and
set up the first one. Very cool. So, for next year, are there any conferences that you might be interested in attending? Because sometimes those are great hubs to be able to talk with other people. And yeah, it actually happened last time, when I met people from IDPro and Identiverse in Washington this year. So, yeah, I am willing to attend Identiverse; it would be one of them. In general, for me, I never attended Black Hat before, so it's still on my bucket list.
So I want to attend Black Hat. Super, we get to wear a black hat. Black Hat is interesting because it's not really an IAM-focused show, but there are certainly IAM topics, because how do breaches happen? Typically through credentials, right? So being able to understand how that happens is important. It can be expensive sometimes to go, but I found a cheap way to get to Black Hat.
If you're not able to get the full funding for the full pass, which is like two thousand dollars or three thousand dollars in U.S., you can also get what they call a Business Hall pass, which is only five hundred dollars, so you can still go into the Business Hall, talk with the different vendors who are there, and see some of the sessions. So that's an option that I've used somebody do several times over the years as a way to say,
okay, well, sometimes funding for conferences might be hard to come by. What if I could get in there a little bit cheaper and save some money for that? So that could be an option for folks who are listening that have never been to a Black Hat. It's a great conference to go to. I mean, definitely laid back. Definitely casual. You'll see everybody wearing, you know, suits and ties down to shorts and t-shirts and everything in between.
It's a fun one to go to. It's big too; it's like 30,000 people, I think, that go to it, but sometimes it can be expensive. So an option to consider might be something like a Business Hall pass, and that would also apply to things like the RSA Conference. Yeah. RSA, I never attended. He's a successful in some other item in the bucket list, but what I heard from that conference is that hotels are, like, crazy. It's ridiculous.
It's San Francisco. So there's already, you know, the built-in cost of that, but yeah, I think that's the biggest knock on RSA: it's a huge conference. It's in a great city, a great city that happens to be really expensive. So unless you have a really good deal from a hotel perspective, that's another one that's tough to get.
Another one that I'll try and save money on sometimes is I'll just get the conference, you know, the Business Hall pass, and spend all my time going back and forth between the two different expos that they have, and sometimes they include keynotes as part of that, so there are ways around it. But yeah, it is really expensive. Today, did he move to let you know?
I don't want to I've received surveys in the past that they might be considering that. I know Oracle, I think, recently signed a three-year deal with the city of Las Vegas. So they're moving their show out of San Francisco and moving to Las Vegas, and the hotel costs were one of the reasons they cited as being that, and that's a big loss for San Francisco. I think it was a 64 million dollar loss to the economy per year because of them leading that conference meeting the city.
So I love San Fran's. Well, my favorite season world, but yeah, it's expensive. And I hope they start to recognize that and maybe try to figure out a way to make it a little bit easier to have conferences there, because otherwise Las Vegas is going to eat the world, because they're so well designed and, you know, relatively affordable when it comes to certain things.
All right. Yeah. And I mean, I heard that everything is a huge conference and probably going to be difficult to move to some smaller cities. Yeah. But I like from Identiverse that they are moving each year. Yeah. Different city. So it's like a tour, so if you're attending every single year, it's not like you are going back to the same city, right, and you don't have anything new to see or something like that. So you will enjoy, actually, the city and all the cities you've
never been to. I think the sheriff It's in Denver, I believe. Yeah, Colorado, so that'll be nice too. Yeah. Mountains will be different than Washington, D.C., that's for sure. It won't be as hot and humid
as it was this year, I hope. The weather, people who want to go skiing, they'll be, I think, you know, relatively close to do that or outdoor-type things. And in previous years, it was New Orleans and Chicago, and yeah, they do a good job of picking cool spots to kind of go to, and hopefully people are able to extend their trips. You know, go for a few days for Identiverse and add on a couple days to either do a vacation with families and stuff like that.
So, that'll be pretty cool. All right, well, I wanted to have kind of a quick conversation and take advantage of the time that we've had here and kind of get your thoughts down and accost you with our podcast. Again, all gonna be always very happy to have this conversation and all the offline conversations that we have while you are here, and thank you for inviting me
again. Cool. I appreciate it. Just as kind of a note for folks who are listening, I just want to thank everyone who's been listening throughout this entire year. This is actually episode number 26 over the last six months. So we started the show back in the first week of July of 2019, and Jim and I have been putting out content every week. It's been a learning experience for both of us.
As we're doing this, we've never done a podcast before. I've never done anything as close to this, as far as editing. So, you know, we're learning on the fly, and I think that, you know, things have gotten a little easier and faster as we're going along. We hope that folks have enjoyed the ride so far. We both have time off coming up in the next few weeks. So this is probably going to be our last show for the year,
I'm assuming. So we plan on picking back up in early January. So we're going to take a couple weeks off here for Christmas and New Year's, let our respective cases of holiday brain clear up. As somebody if a cue from from the New Year's for the folks that are working in IAM operations
over this break, you know, may your systems stay up and running, may your password reset calls go very smoothly, because, you know, everyone's going to call January 2nd with "I forgot my password." That's, you know, when the seasonal spikes, like, yeah. So I want to thank everyone for listening. Hope everyone has a great holiday, and we'll talk with you guys early next year in 2020. Take care. You've been listening to the Identity at the Center podcast. To access all episodes, visit identityatthecenter.com.
