
Chief Information Security Officer (CISO) Workshop

Aug 09, 2022 · 37 min · Season 1 · Ep. 59
Episode description

In this episode Michael and Sarah talk to Mark about the new version of the CISO Workshop. We also have news about Confidential Ledger, Gateway Load Balancer (new!), Azure Database for MySQL and Trusted Launch.

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 59. This week is another one of those special weeks. We actually don't have a guest. This week we have Mark and he's going to talk about something that's near and dear to his heart, but more on that in a moment. First up, let's take a little quick lap around the news. Sarah, why don't you kick things off?

Sure. I haven't got too much news this time around, but the one thing that is exciting is, we announced a public preview release of Gateway Load Balancer. So what that is is a load balancer that is actually designed for use with NVAs or network virtual appliances. So if you're not familiar with what those are, that is generally our third party firewalls. They have to run as NVAs in Azure.

So previously, other load balancers didn't work with them, but of course, load balancing is important for firewalls. If you'd rather use a third party firewall rather than an Azure one, you can now have a look at the Gateway Load Balancer to do your load balancing across those NVAs. So yeah, pretty exciting. I think that's going to be super useful. So go and have a look if you are using NVAs in your environment. Then my other exciting bit of news is, I get to go to Black Hat and Def Con this year.

Hooray. So that'll be really exciting. It's of course, really exciting to go back to doing some in-person events. That Gateway Load Balancer, that's a new load balancer. So it's another one that we've had, it's a list of load balancers. Is that right? Yes, it is. It's a new one because our other load balancers couldn't work with NVAs. They would only work with native Azure devices. So this one is NVA aware. So yeah, it's a brand new type of load balancer.

An NVA is a network virtual appliance, is that correct? It is, yes. That's right, Mark. So usually when we're talking about an NVA, we're talking about if you choose to use a Cisco ASA, Palo Alto, a Check Point, some non-Microsoft firewall in your environment. In Azure, they run as NVAs, and the architecture, this is a whole thing we won't go down, but architecturally, because they're running on top of a virtual machine, we have to set them up a little bit differently to a native, like say Azure Firewall or Azure WAF. One of the things that was a disadvantage was that the Azure load balancers couldn't work with those NVAs, but now this new one can. So that's why it's important and exciting.

All right. I've got a few news items. The first one is that Azure Confidential Ledger is now generally available.

Now, a few weeks ago, we had a discussion about Azure SQL Ledger, which is not the same as the Confidential Ledger. Now, one thing that's really cool is that the SQL Ledger can use Confidential Ledger. So Confidential Ledger is basically at the back end using blockchain-like technology to provide things like tamper-evident data streams and so on. I've been working actually with the folks at Microsoft Research in Cambridge on some of the sample code that they had over the last few weeks.

Long story behind that, but fantastic technology, very simple to use. It's basically a whole bunch of APIs you can call and you'll end up building yourself a Confidential Ledger at the back end. Also, now that I'm in the Azure Database Platform, Azure Database for MySQL flexible server now supports data encryption with Customer Managed Keys. That is in public preview. So this is where you can store your keys in Key Vault and that way you can do any degree of key backup, key rotation.

So basically the whole key lifecycle is totally up to you rather than having the platform manage the key. The last one is that we've now added Trusted Launch support for some new VM types. So DCsv3 and DCdsv3 VMs now support Trusted Boot or Trusted Launch. So this is another thing that's from the stable of Confidential Computing.

Essentially, if you're familiar with the way TPMs work, Trusted Platform Modules work in Windows, where you can do what's called a measured boot to make sure that the whole boot sequence is free of malware and rootkits and bootkits. Same thing. Exact same thing. Big difference is rather than being a TPM, it's a vTPM, a virtualized TPM, but the technology is essentially the same. So that's all the news I have.

So with that, let's turn our attention to Mark, who's here to talk about something that is absolutely near and dear to his heart, and that is a new Chief Information Security Officer workshop. So, Mark, why don't you give us a quick overview of what on Earth this thing is? Yeah, we'd like to call it the CISO workshop.

I actually finally decided on the pronunciation of that when, at one of our CISO summits, Bret Arsenault asked the audience of these top 50 or 100 CISOs, how do you actually pronounce it? And it was like overwhelmingly CISO, so that's actually what I go with. But ultimately, this is an update of a workshop.

It's a pretty significant overhaul of something that we had initially put out, and I think it was 2016 or 2017, that's still fairly popular, something like a couple thousand unique visitors a month. And so we decided, especially with all the changes and all the things that we've learned in the past five years or so, we decided to go ahead and update this. And then, so this is the new version of the CISO workshop.

It pretty much covers just about everything that someone in that role, or a similar role, because not everyone gets that title, that does the job would need to care about, and as many insights and lessons learned, and best practices and models as we could pack into it, to help the folks that are doing that job really learn from all the things that we've been learning, both inside Microsoft as well as across our customer base. So I don't even know where to start with this.

I'm going to be totally honest with you. So what are you trying to achieve with this thing? And also, I guess that if it's five or six years old, as you said, it's a big overhaul, my guess is the threat landscape has changed significantly. The attackers' methods have changed as well as the defenders' methods have changed as well. So you want to just give our listeners an overview as to who this is aimed at, and what are you trying to achieve with all of this?

So ultimately, we aim this at, and I think it's on the landing page itself, that we talk about it's CISOs, CIOs, so those sort of executive leaders, and whatever title they happen to be. Generally, they're the direct reports and the directors that run a function or a department for them. And then any other roles that have sort of an enterprise-wide scope, such as a lead architect or a team of architects within the organization, or a governance lead, et cetera. So anybody that deals with all of the security across an entire technical estate or organization is really kind of our target audience. A lot of other folks would get a lot out of it, but that's really where we aimed it at.

The thing that we've seen that's really changed in the past five years is just they've got a much more mature view and understanding of what the CISO faces as a job, because it's one of the toughest jobs in security, period. You have to be literate and conversant on technical topics, and so you can sort of understand those. You have to be literate and conversant on security topics and kind of the dynamics of security, the threat environment, et cetera. And you also have to be literate and conversant on business topics and risk and how the organization and senior leaders and board members view the world, how they think about things, how they manage risk, the taxonomies that they use, whether it's informal or formal. You've got to be able to talk to them about what are their business initiatives, where are they going to be looking for revenue, what does risk mean to them in terms of actual loss and what do they care about, what do they not care about. So the CISO is really a bridge between a lot of different worlds, and it's a really, really tough job.

Basically, the goal of this is to help people be successful with that job. That's the primary goal, so they can mature their programs and be successful with it. And then a lot of it, honestly, is there's so many people that aspire to this role, and we need people aspiring to this role because it's a very important job, and folks need to understand kind of what they're getting into and just sort of learn that. So we fully expect folks, we use this as a ramp up as well, to sort of learn the job, even if they want to do it or not.

So Mark, I know a little bit about this being that I did help you out on some of those videos, just a little bit. So why don't you tell us a little bit more about the structure of the workshop and how we go through the material?

To Michael's sort of comment earlier, ultimately, the first thing that we start with is context, right? So the threat environment is one of the big pieces of that context, and how has that evolved? And we've seen a lot of maturity, as it were, in the not so good sense, of the attackers and the way that they buy and sell things and their business models through extortion ransomware and other things, as well as the data theft has matured as well. So we've seen a lot of sophistication get put into there, whether it's business model or technical sophistication.

And so the first part is really focused on not only the threat environment, but also the business environment and how is that changing security, and how are the cloud and technical platform changes changing security, and these sort of drivers for modernizing. And then, in the first part, we also cover roles and responsibilities and how are those jobs changing and how do all these things connect together and what are the sort of jobs of the future or jobs of the current. And then strategy and how do we recommend, we basically include a reference strategy, including defining very specific initiatives with outcomes and goals, etc. And these bring in our trust principles and they tie in our Cloud Adoption Framework of how organizations are modernizing and adopting the cloud, etc. So the first section is all about context setting, right? So that, okay, let's start with a common baseline. And then the second and third sections are kind of, I guess the easiest way to think about it is the top half and the bottom half of the job, right? So the top half of the job is how do you align your security program to the business, right? To the organization you're in, how do you align it to the risk management, taxonomy and system? And how do you engage business leaders and make them successful?

How do you integrate with your IT departments? And what is the north star of the program that you're trying to achieve? Business resilience, that's the short answer. And then the third section is a little bit more of sort of the bits and bytes of the program itself and the strategy. So it's not getting into technical stuff, but it is the disciplines that you need to run and you need to have a sort of an ongoing, we're going to do this for a very long period of time. So things like access control, security operations, asset protection, governance, etc., and innovation security. And like these are the things that you need to do on an ongoing basis and have sort of an ongoing program of record that makes sure this is always getting done. And so it's really kind of that three parts, the context, that top half of the program, how do you connect security to the rest of the organization, and that bottom half of how do you structure security. And that bottom half, we actually lean heavily on some of the work with The Open Group that we've been part of, sort of what does a modern, zero trust enabled security program look like?

That's super interesting, actually. I'm going to have to dig into this just because I'm nosy, but tell me more about your partnership with The Open Group. That's very interesting that I just want to know more about.

Oh, absolutely. So I was actually, I just flew in today as of the recording of this from a conference with The Open Group. And so they're a standards organization that dates back to, I believe they actually defined the UNIX standard, if I recall correctly. I said, I guess I should say "we" because I'm part of The Open Group as well. But I was definitely not a part of defining UNIX. I'm much too young for that. And then things that folks might have heard of in the security industry, the Jericho Forum was actually hosted by The Open Group. It's since retired and become part of the Security Forum in general. But the folks that put out the Jericho Commandments and de-perimeterization back in the early to mid 2000s were hosted there. The TOGAF standard, The Open Group Architecture Framework, I think, which is a very popular architectural definition and certification, and lots of things on digital transformation as well. So it's basically an open standards organization. And we're actually working towards, and that was the talk that I gave with my co-chair of the Zero Trust Architecture Forum, working group rather there, was about the upcoming standard for Zero Trust that we're defining for a Zero Trust reference model.

And one of the cool things, and this is just me personally because I've been working hard towards this, is one of the things I really, really liked about the conference today is we had a Microsoft perspective, which actually was from Joseph Davis. And then there was an Open Group perspective, which was the one session that I did as well as the one that Jim Hietala did. And so The Open Group had a couple of different perspectives on the Zero Trust. And then there was also NIST there. So Ruzia Supaya presented on the NIST perspective and their update from their National Cybersecurity Center of Excellence project, or NCCoE for short, on Zero Trust. And they have something on the order of a couple dozen vendors in there implementing Zero Trust in the lab. And so it was really fascinating to hear all these different perspectives, and present it in my case. And they're actually all pretty closely aligned. There's a lot of people that remarked on that. And it's like finally giving me hope that, hey, in security, we're actually starting to agree on something. We actually have consensus on what Zero Trust is, which was really awesome because we've had such a sort of like fractured, individual, specialized view of security for so long. We're all finally agreeing on how to modernize the thing. So that was particularly exciting for me.

That is super cool. And as someone who has also done a little bit with the NCCoE as well, that's been really cool as well. I helped out with the lab a little bit. So not nearly as exciting as Mark. But so how would you say all of that's feeding in then to the CISO workshop? Is there anything else you can add there? Are we going to see a lot of Zero Trust stuff in the CISO workshop?

Yes. Effectively, Zero Trust, the way that we think about it, and I can say we in a much broader sense now, having had that confirmation, is it's, if you think about what's starting with a digital transformation, the businesses are shifting. And we talked about this quite a bit in the CISO workshop recordings.

Businesses are shifting because, hey, you got these startups, no longer startups like Netflix and Amazon and Uber that have really disrupted the industries that they're in and taken a whole different view of it using cloud-based technology. And then that starts off this cloud transformation because organizations, in order to compete with that, businesses especially, have to actually meet customers where they want to be and not just run things like they used to in retail and all these other industries. And so you end up with this business transforming and figuring out its processes. You find the technology through cloud is transforming everything and changing it. Like everything changes at least a little bit, sometimes a lot. And then security, basically, zero trust is that third leg of the transformation. It's how security is modernizing and thinking of things differently and linking into those strategic changes. And so when we say zero trust is a part of this, it's basically woven throughout. And there's very concrete zero trust principles. There's very concrete technology that's different than the way things used to be. But ultimately, it's also changing roles and responsibilities. And it's changing mindsets in the way people think about it. I mean, it's a full top to bottom end transformation where, yeah, you can see the old in it when you look at it, but you also see that it's very different than it used to be.

So it's sort of just underpinning all these different things. And we kind of call it out in a bunch of places. So I don't want to elaborate too much unless we have to, but so you mentioned zero trust. I mean, the open group has a particular stance on that, right? Like they have, there is a zero trust working group within the open group. Oh, exactly. I'm one of the co-chairs of it. Yeah.

Yeah. And so sort of to Sarah's point, I mean, are we seeing more customers adopting zero trust principles, not necessarily every single one, but starting somewhere and working towards what it means to go on a sort of a zero trust journey. Are we seeing that sort of picking up more steam? I realize this really doesn't have a lot to do necessarily with the CISO workshop, but I'm just curious more than anything else. Oh yeah. And we do talk about this,

I think in several of the videos in there, but the answer is yes. So ultimately this transformation, we're seeing a lot of customers on the journey. I mean, many of them explicitly call it out. And many of those that are sort of transforming and modernizing are actually using the zero trust terminology. But just about every organization, if you're going to cloud, you can't just get away with a firewall, IDS, IPS and call it a day like we used to, or throwing a bunch of logs in the SIEM and not actually, and having a whole bunch of false positives that burn people out. Those sort of like classic security problems of previous generations, everybody's trying to solve those problems. And so ultimately, just about everybody's on this journey, whether they know it or not, and whether they call it zero trust or not. Some people say they're adopting SASE. Great. SASE is basically a subset and a component, a specific architecture that fits within zero trust. SASE is Secure Access Service Edge. I don't know why they pronounced it SASE, but everybody does. But yeah, just about everybody's on that, on that journey.

It's interesting. Now that I've taken this position sort of on the back, the back end of Azure as it were, it's interesting how important zero trust is to the actual running of Azure. I see a lot of documentation. I see a lot of issues getting raised and so on around core zero trust principles, especially things like assume breach and least privilege. Those are probably two of the biggest ones that I see referenced the most. I think, I'm not going to say that they're the easiest to do necessarily. I think that they're easiest to sort of understand really quickly. Yeah, we're seeing a lot of references to that. Again, that the Azure back end.

When you sort of step back from it and you sort of understand the zero trust information, you kind of think about it. In many ways, all we've done with zero trust is we've taken away one bad assumption that we used as a shortcut, which is that we can create a safe network and then everything on it is de facto safe, which was a bad assumption. We essentially got called on it by the attackers and we got called on it by the business that's operating outside with SaaS, software as a service, and mobile devices, and all these other kind of things that are outside of your perimeter. Essentially, all zero trust is resetting security back to where it should have been, which is let's think through this problem completely, without this assumption, we are on a safe network and therefore everything in it is magically safe. All we've done is ripped out that one huge assumption that was a shortcut that just wasn't valid.

Okay, so Mark, as you know, I know a little bit about this because...

A little bit. Come on, you were literally there during the recording. Yeah, I know a little bit about it because I was helping you do the recording. So, I don't know, just for those of you listening, I got to, myself and our very awesome colleague, Elizabeth, helped do the recordings for this, which will be public, that you can go watch myself, Mark, and Elizabeth do the recordings for this workshop. Mark, let's talk about that recording time and some of the things that we did. I'm going to let you go and start this one off because I could tell lots of stories, probably half of which are not relevant. So, I'm going to let you go first here.

Okay, so for the most part, most of the sections, most of the videos that you're going to see are pretty much a reference presentation, similar to how we would actually engage with the customer and present and discuss a particular topic. So, that's really the basis for all of these different sections that it's broken into. I can't remember how many. It feels like a dozen or two videos. They're anywhere between six, eight minutes and like 20, 25 minutes. But the one that sticks out in my mind that I remember the most, because I honestly didn't have a plan for how to record this going in, there's a very special section in Part B. So, Part B is the one where you're aligning to the business. And we decided that we wanted to not just say, here's all the stuff you have to do and just kind of leave it there. We wanted to actually give people a set of slides and the ability to have a conversation. If I'm sitting in the CISO role, maybe I'm new to it, maybe I'm trying to bring a business leader to my side or to try and build a relationship. How do I as a security leader engage with a business leader? How do I talk about security in a very simple, straightforward way that they can relate to? And then how do I ask for the things I need to make my program successful?

And so, as we got into this one, I think it was like two minutes before we were starting the recording, it's like, hey, do you want to do this as a role play? It's like, okay, cool, we got three people. Elizabeth, CEO, Sarah, CIO, Mark, our hapless CISO trying to convince them to come along with this security journey thing that they probably classically don't care about. And so we did. And it was just about 100% improvised. And in retrospect, it was fun. In the moment, it was tough because Elizabeth played an amazingly tough business leader, like hardcore military-style business leader. And she made it tough for me as a CISO. And so I was doing everything I could to keep it on track and keep it focused. And I think, I don't think it made the final cut of it, but at one point I was like, okay, you got to give me an opening, you just shut me out completely. I've got no chance of showing how to engage with a business leader. But we did have a lot of fun with it and really kind of showed that interplay, and the toughest possible situation, so that we could give people kind of some material that they could use and copy as they're engaging their business leaders and bringing them into understanding security and how to help security be successful.

Because the thing that we learned, and this is a huge, huge learning as we work with our customers, is security cannot be successful without their business leader support. Like ultimately, the way that accountability and responsibility are typically laid out, customers, doesn't set people up for success. Because if security gets blamed for everything, they're sort of in a CYA or cover your assets mode, right? Because they're just waiting to be blamed for the next thing. And then if business doesn't include security risk as part of the rest of the things they worry about, like legal and political and natural disasters and economic and monetary rate kind of things, that as a business owner, a factory owner, a product line owner, like if you don't include security in there, you just dump it on the security dude, then you're not making a good balanced decision. And so there's this sort of, you know, how do we bring security into that conversation and help make the business folks literate to have that conversation? And so we had a, I don't know, I just had a lot of fun with that role play, fun being painful at the time. And I had a lot of fun with that.

Yeah, I just got to talk about some of the arguments that I've heard in the upper echelons of IT management and, well, not even IT management, just general business leadership, because there's a lot of conflicts there, right? I mean, who's going to take care of things, how much it's going to cost, blah, blah, blah, blah, blah. So yeah, I thought it was really fun. Yeah, and you got to watch me squirm too. Yeah, I know, I know. And the reality is that, you know, this is the stuff that comes up. It doesn't matter what industry vertical you are, how big you are, like, these are the same sort of challenges that everyone will have when trying to implement this. So hopefully for those of you who are in CISO leadership positions, at least you feel like you're not alone.

Just real quick. So what was the role, no pun intended, what was the role of the role playing? Was it just to sort of play different positions and then see how you would respond, or you're using material that you had to sort of help guide some of the responses?

So we roughly stuck to the material that was in that section. I think it's about five slides, six slides, I think, and then there's some optional ones in case it goes dark. We didn't end up going dark, which is, okay, this is what a ransomware attack is really like, and let me explain it to you in terms that you understand. So we didn't really cover that one there, but the slides are there for that. But, you know, we roughly stayed to that storyline, and that was the thing I was doing as the struggling CISO was to try and keep the conversation on track, you know, despite Elizabeth's efforts. Does that make sense? It does, yeah. And then... Elizabeth was a very strong leader. I was a little bit intimidated. So these role play videos, this role play is available in the videos?

Yep, that's one of the videos. It's the engaging business leaders on security one. Yeah, that'd be cool.

And then the other thing that we had a lot of fun with was we didn't really cover it too in depth. It's more for the slides and PDFs and whatnot. But we did cover the maturity models because that's one of the things we included in the CISO workshop is maturity models for your overall program and how it integrates with the business, as well as the governance over the different pieces of the program and how those progress, and then how do you get from maturity model level one to two to three to four, et cetera. And we put a lot of effort into those because we didn't want to have some abstract academic, you know, basic to standard to optimized to dynamic or something, right? Which is a typical way of doing maturity models, or rather at least a common way. And we focused on, you know, what are the actual journeys organizations take? And sometimes they overpivot on like security operations, because, hey, we got a big incident. And then they realize, oh, my gosh, we haven't invested into prevention as much as we have otherwise, you know, because if we don't, we're going to have to hire like 200 more security analysts in the SOC. And so we tried to really, you know, have each of those levels of maturity reflect the real journey and kind of encourage people to skip the, you know, the off balance mistakes as possible. But those are, those are something that we also included in there.

So Mark, one of the things I remember, because, well, I know you, you wrote all of this material, so you know it off by heart. But one of the things that really sticks out for me is when we were talking about the strategic initiatives part of the workshop. So just for our audience, do you want to give us a little bit of a summary about that and what that involves and what we cover?

Yeah, that's a really good point. So one of the things we introduced in that first part in the sort of context is that reference strategy, right? Like what does good look like from a security strategy standpoint? And you know, this is very much in contrast with kind of classic security, which really built a strategy around a single tactic, which is, you know, a security perimeter based on network technology. You know, it's like taking one page out of a, out of a military handbook and saying this is the one thing that we're doing, is kind of what we did without meaning to in the early days of security, because so many folks focus so heavily on that network perimeter. And so we really broadened it out to a genuinely aligned with, you know, the typical default trend, digital transformation and cloud transformation strategies. And then we broke it into, okay, here are the six different specific modernization initiatives that most organizations are either undertaking or should start undertaking. So modernizing identity to access, all types of access, including network access, modernizing security operations, OT and IoT, infrastructure and development, which I know is near and dear to Michael's heart. And, you know, so modernizing each of those and, you know, coming up with that coherent thing. And that actually is, those strategic initiatives is how we structured the follow-on ones and the architecture design sessions. So they're discussed in the CISO workshop, but they are not out yet. We're still in the process of finishing those up and, you know, getting the recording schedules scheduled, etc. at the time of this podcast. But ultimately, but ultimately, those become that sort of structure for the rest of the guidance of, you know, here's all the different things that you need to do to modernize your program and take it from wherever it's at, you know, with maturity models and plans and all that to help that journey along. But ultimately, you know, here's, here's those six work streams that, you know, you might have a different priority depending on whether you're in manufacturing or whether you're in retail or, you know, whether you're in banking, you may or may not care about OT or IoT at the same level as a different industry. But, you know, these are the six modernization things that just about every organization we've seen tends to structure around. And then all the lessons learned that we could pack into their reference plans, reference architectures to help people be successful. And so a lot of that is still to come in the architecture design sessions as we get into the technical details. But we do introduce those and, you know, and work through those in the CISO workshop.

You know, I'm going to ask you, right? Because I just kind of helped myself. I think there better be something in there for developers, right?

We actually put that in the innovation security area. And the reason that it doesn't have sort of a familiar term like DevSecOps or development security is because we wanted to make room for not only professional developers that are really moving from that securing a waterfall approach to a securing DevSecOps or something in between.

But we also wanted to include this emerging trend of citizen developers. So we're starting to see like normal, non-technical people using things like Power BI and Power Apps to connect systems and data across the organization, which is, you know, very much an early emerging space right now, but it's an area that, you know, as soon as you can create business value of it, you can create risk,

right? And so that double-edged sword dynamic. And so we're very heavily focused right now on the dev sec op elements and how do you integrate security into a dev ops process and not get in the way of the developers and not dump a bunch of false positives and a long report to them, but to actually, you know, give them clean alerts, actionable stuff they can do, embed the knowledge in there. So very much focused on that sort of dev sec ops approach. But yeah, that's the innovation

security discipline. And then that gets modernized by that infrastructure and development security initiative, which is going to be module four of the architecture design session. If there's a section called innovation, what other sort of topics are in there? It's mostly those two, the professional developers or the dev sec ops scenario, right, that everybody's trying to get to. And then the citizen developer sort of power apps,

low code, no code. So those are the two types of how do you secure the innovation that's happening. So it's much more a recognition of the innovation happening in the technical and business realms and how do you provide security for that without slowing it down? Fun fact, my uncle, who's in his 80s, he's been doing Excel development for a long, long time. And yeah, he can crank some stuff out. So he's probably a more advanced citizen developer than most,

but definitely not a software engineer by any stretch of anyone's imagination. But yeah, he's a whiz when it comes to Excel, I'll give him that. Well, you know, as well as all of us, but we always like to ask our guests, if you had one thought to leave our listeners with,

what would it be? In addition to the obvious, please watch the videos and of course provide feedback, etc. The big thing that I would keep in mind for folks is, as you're going through this and as you're thinking about this topic in your day-to-day job, recognize that it's a big transformation. And, you know, the best way to sort of get through something where everything that you're familiar with and

used to is, you know, set a North Star and keep going, right? And this is, I think it's one of the tips early in the workshop, and that you're going to be making continuous progress each day. And so you just want to make sure you have a clear vision. So when you're walking as much as you can on that day or in that hour, that you're walking in the right direction, but just kind of have that expectation that this is a longer journey, it is a longer transformation. And just, you know,

just expect that you're going to make continuous progress. So do what you can now and just always be working in that direction. That's, that's the big thing that we've learned, you know, as all this is happening. And, you know, it's always a mix. Also, it's, you know, kind of a mix of the old and the new, right? So a lot of the things that we've learned in the network security and all these things will still apply. We're not taking firewalls down, right?

But recognize you're going to have to learn new things. Like, I mean, even you look at network security, it's becoming a part of like three or four or five different jobs. It's not one job anymore. And so just kind of expect that a lot of things are going to change. But, you know, have that clarity of where you're going and have the confidence that, hey, I'm going to do the best I can today. That's, that's kind of, you know, the way I think about it.

I briefly had a look through some of the material. I think it's absolutely fantastic. And I think a lot of our listeners will get a great deal of use out of those documents and the videos. So again, thanks for, I'm going to say thanks for joining us because you're here anyway, but thanks for joining us. And to all our listeners out there, thank you so much for listening. I hope you found this useful. Stay safe out there and we'll see you next time.

Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at Azure Setpod. Background music is from ccmixter.com and licensed under the Creative Commons license.
