In this episode of Enterprising Insights, Krista Macomber, Senior Analyst at The Futurum Group, joins host Keith Kirkpatrick, Research Director, Enterprise Applications, at The Futurum Group, for a conversation about enterprise cybersecurity, focusing on the current threats to organizations, how AI is changing the threat landscape, and best practices for organizations to harden their defenses. We’ll also cover some recent news and newsmakers in the enterprise software market. Finally, we’ll close out the show with our “Rant or Rave” segment, where we pick one item in the market, and we’ll either champion or criticize it.
You can watch the video here and subscribe to our YouTube channel if you’ve not yet done so.
Listen to the audio below:
Or grab the audio on your favorite streaming platform:
Disclaimer: The Enterprising Insights podcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Transcript:
Keith Kirkpatrick: Hello everyone. I’m Keith Kirkpatrick, Research Director with The Futurum Group, and I’d like to welcome you to Enterprising Insights, our weekly podcast that explores the latest developments in the enterprise software market and the technologies that underpin these platforms, applications, and tools. So we’re going to begin by taking a really deep dive into the issue of enterprise cybersecurity, which is a topic that should be for top of mind for not only CISOs, but for everyone within the organization.Next, we’ll cover a little bit of recent news and newsmakers in the enterprise software market. And then finally we’ll close out the show with my favorite segment called rant or rave, where we pick one item from the market and we either champion it or we’ll criticize it. Now, I’d like to introduce my co-host for Enterprising Insights this week, Krista Macomber. Krista is a Senior Analyst with The Futurum Group, and she has spent more than a decade covering data security, protection and management. So welcome, Krista.
Krista Macomber: Thanks so much for having me, Keith.
Keith Kirkpatrick: Absolutely. Well, Krista, let’s just get right into this deep dive of the week, which is our focus on enterprise security. It’s clearly a really large topic, so I’d like to first focus on some of the key security threats the enterprises are dealing with here in 2023. Maybe we can just start talking a little bit about what is it that cyber criminals are after? Why are they targeting large companies? And then of course you can get into how are they doing it? Can you just talk me a little bit about that? Why are they even going after large companies?
Krista Macomber: Sure, sure. So I think large companies in particular, I mean there’s going to be a very large base of potential employees, of course, that they can target to obtain personal identifiable information and things of that nature. Another thing to consider, Keith, when we think about targeting large enterprises is that there can be a greater ripple effect, I mean, really even across the economy. One thing we think about when targeting managed service providers, for example, is that if a cyber criminal can take down a managed service provider, then they’re of course going to have a ripple effect across their entire customer base.
Keith Kirkpatrick: Okay, I see. So the concern is not just for one entity, it’s that again, that sort of chain as you go downstream of opening up other security holes or other impacts. Is that kind of what you’re referring to?
Krista Macomber: Absolutely. Absolutely.
Keith Kirkpatrick: Okay. Yeah, I mean, let’s take a brief example here. I’m picking up let’s say the whole supply chain. It would seem like if there’s a way to get in through one, say a component vendor that could open up a real risk for a manufacturer, distributor, and even down to the retail level.
Krista Macomber: Yeah, absolutely. Absolutely. So the supply chain attacks, I mean, they’ve been becoming more and more common these days. And exactly for what you’re mentioning, this is a way to gain access to their customers systems and data as well for any kind of third party vendors and service providers that are in use, and again, it really can kind of have that ripple effect there. So one thing that we certainly would advise customers is to make sure that you’re evaluating the security posture of any partners and third parties that you’re looking to work with or that you’re currently working with, and be sure that things like access controls and things of that nature are in effect to be able to minimize the potential for an attack to occur, as well as the potential fallout from an attack as well.
Keith Kirkpatrick: Right. We’ve all heard about different types of attacks. Everything from, if we go back several years ago, basic phishing attacks where, someone gets sent an email and they click on it and oh my gosh, they’ve downloaded some malware. But one of the things that I’ve seen recently is this rise in the number of ransomware attacks, where let’s say a cyber criminal is somehow able to get into a company and then basically lock up all their data and then say, “Hey, you need to pay us X millions of dollars in order to release that.” In your view, is that something that continues to be a problem even for large enterprises these days?
Krista Macomber: Yes, yes, certainly. I would say ransomware attacks are definitely, they’ve been making headlines and for good reason, I think they’ve not only increased in terms of the number of ransomware attacks that are occurring, but also just the damages in the fallout resulting from ransomware attacks are increasing as well.
Keith Kirkpatrick: It’s also a case of the fact that it’s becoming so sophisticated that it’s not just a matter of someone handing over a ransom note and saying, pay me this.
Krista Macomber: Yeah. Oh, yeah. They’re definitely becoming more sophisticated really in their approaches. So I know one thing that you and I kind of chatted a little bit about off camera, Keith, is AI, and I know you mentioned kind of phishing, right? And so phishing is a very common way that malware, including ransomware can be introduced into the enterprise. And so what we’re seeing is that AI is being used to do things like generate emails that are more deceptive and more likely to be clicked on by a user.
They’re also using AI to do things like to assess how effective particular tactics were and really kind of become more sophisticated from that nature. So I would say that’s really kind of one of the big problems that we’re seeing when it comes to ransomware is just that the attacks are becoming more sophisticated in their damages and fallout are really increasing.
Keith Kirkpatrick: Right. It’s interesting how one of the ways that I’ve seen this happen is, and actually I’ve gotten sent these things where someone will pretend to be impersonating, let’s say your supervisor, and they’ll say, “Hey, I can’t get to a computer now, but just contact me here and get me this information because I need it for a presentation,” or something like that. I feel like even with the sophistication that you’re talking about in terms of AI being used to test phishing emails to see where are the vulnerabilities, where is this most likely to get clicked on, which still comes down to making sure that workers are trained in how to respond or what not to do actually and what to look for.
Krista Macomber: Yep. Oh yeah, absolutely. And that’s another great potential use for AI as well is to supplement some of these training activities and really to your point, help to arm just your everyday user on things like security hygiene and best practices. Because we all know that preventing an attack from recurring to begin with is really your best defense. And so really anything that we can put in place to prevent those bad actors from gaining accesses is going to be very important. And while there’s a lot of responsibility on the part of, we’re talking a lot about large enterprises, so there’s a lot of responsibility on the part of IT organizations and departments and our technology vendors themselves that we’re working with. But there’s also, I mean, security is a team sport and we all have a role and responsibility. So really that end user training and really instilling in the end users at the end of the day, these best practices is going to be important.
Keith Kirkpatrick: Right. Well, let’s say that organizations are trying to do that to really educate their workers, but sometimes things happen. So one of the things I wanted to ask you about is I’ve heard that there are solutions out there that are specifically designed to quickly detect any kind of intrusions or anomalies within a network. Can you talk a little bit about what that is and why there’s value there, particularly in a large enterprise where something can snowball very quickly?
Krista Macomber: Absolutely, Keith, and I’m really glad you brought up this topic because when we think about security related technologies, this is probably the area today from my perspective, that there’s maybe the most amount of almost gray irrigate and confusion. So, Keith, I know that your coverage area, your audience is very much focused on enterprise applications and software. And for me in particular, I come from a background that’s more focused on data security, data protection, kind of really that infrastructure layer. So I think we can have maybe a very complimentary conversation about this. And the reason I bring it up is because, so I work a lot with kind of backup software and data protection vendors, and they’re building in some of these capabilities that you’re discussing around anomaly detection. So really looking at the data itself to identify anomalous user behavior or to identify, for example, large scale encryption activity that’s very abnormal and this type of a capability is going to be very complimentary even when we look a little bit up the stack.
Krista Macomber: So things like endpoint detection and the ability to detect anomalous behavior or for malware signatures and things of that nature kind at the endpoint level. So I guess really what I’m trying to say is that it’s really, the term is kind of defense in depth, and really there’s a lot to be said for that approach because there isn’t necessarily, unfortunately one silver bullet that’s going to kind of be the catchall for detecting malware. So the more kind of safeguards we can have built in really across the infrastructure stack, whether it be at the application layer or the infrastructure layer to be able to flag and quickly bubble up this anomalous activity that could indicate kind of an attack is going to be important. And the more these solutions can kind of work in concert with each other is going to be important as well.
Keith Kirkpatrick: Yeah, you made a really good point there. There is no sort of silver bullet when it comes to security out there. Is that why if we’re thinking about this, it has to be sort of a multilayer different solutions for perhaps different types of anomalies and different types of where your data is being held within the network. Is that the approach that you would recommend?
Krista Macomber: So I think it’s definitely the reason why we see so much splintering, I would say, in terms of the number of security tools that are in use by any given enterprise. It’s just such a very, very fragmented landscape and there’s just such a large number of tools that enterprises are using for security, and it’s really for the reason that you’re mentioning, it’s to be able to be sure that we have all of these different bases covered.
I would anticipate moving forward over the next few years that we may see some consolidation within this landscape. I know that with Cisco’s acquisition of Splunk being kind of, or the planned acquisition being a really great example of that, and I think that we do see a move for customers to try to consolidate as much as they can this view into some of these SOAR and SIEM tools as well. So that’s I think something to keep on the radar. And I think that in terms of the consolidation, I mean that’s really going to help security operations teams to be able to respond more quickly when an attack is occurring and really be able to have that centralized visibility to make sure that things don’t go, fly under the radar.
Keith Kirkpatrick: When you’re talking about consolidation, you’re talking about the consolidation of the technology stack. Instead of having, let’s say four different ERP systems and three CRMs, you’re going to try to consolidate that so you again, have much more visibility into what’s going on. Is that correct?
Krista Macomber: Yes, yes, exactly. I think the fewer points you have to worry about the better, but also the more that you can have some sort of centralized vantage point into the environment so that way alerts can be bubbled up into one centralized management or visibility plane for security operations teams and really kind one centralized point for data and insights to be fed into. So again, kind of drawing on my background from a little bit more of a data protection perspective, we’re seeing that a lot of these backup software offerings are being able to feed into tools like Splunk to be able to give that broader context. So I think yes, the more from an ERP for example perspective, the more consolidation that can happen, obviously within reason with what is possible for the business, the more consolidation that can happen there, I think the better in terms of giving that visibility. But I also think that in terms of the tools that are being used by security operations teams, the more we can kind of consolidate that number is going to help as well.
Keith Kirkpatrick: Right. That makes sense. Well, before we finish, I wanted to ask one additional question, and clearly we know that sort of traditional perimeter based trust approach to security, it’s not sufficient anymore because you have insider threats, you have distributed compute resources all over the place, you have hybrid networks, all of that kind of stuff. I wanted to ask you about a topic called zero trust, which seems to be sort of a guiding principle in both private sector IT systems as well as increasingly in federal ones to really drive up that resiliency and the security of different networks and systems. Can you briefly just talk to me about what is the principle of zero trust security and how enterprises should think about the claims?
Krista Macomber: Yeah, yeah, absolutely. And I think you touched on a couple of important points, Keith. So I think what we’ve seen is that this term has been used a lot and it’s been used by a lot of different vendors across a lot of different spaces. So there’s a lot of maybe kind of gray area in terms of what exactly it means. You alluded to the fact that it is kind of becoming a driving standard for public sector and private sector. And what I would say is that what we’re seeing is that the NIST standards, those are actually being used by the Biden administration. And so I would say the NIST standards really have sort of become the more de facto standard, and they’re really what’s kind of guiding what we see customers are beginning to look for when it comes to the rubber paving the road, so to speak, for an actual architecture for zero trusts. So a big thing from my perspective is the continuous verification.
So verifying the access across all of these different resources that you’re mentioning, I mean, certainly we’re seeing various devices, these multi hybrid cloud environments, for example, and so that becomes important in terms of making sure that there is no nefarious access. Another thing that kind of jumps out to me is any tools to limit the blast radius, so kind of micro segmentation and that if a data breach does occur that it is as consolidated as it can be within the network and the environment.
But then another area as well is when we think about the response, the identification and the response really. So we’ve already been talking a little bit, Keith, about behavioral data and getting context across the entire IT stack, that becomes important from a zero trust perspective because it helps to again, give that context into access, and then if breach does occur, it helps to kind of guide the response to make sure that that response is accurate and is as speedy as possible. So again, there’s a lot to unpack there, but hopefully that gives at least a little bit of a starting point for context.
Keith Kirkpatrick: Yeah, absolutely. That’s really helpful. One point I wanted to dive into a little bit more there is you’re talking about continuous verification. Can you give a couple of quick examples of how that would look in practice? Because again, it’s one thing to sort of log in, get verified, but then who knows what could happen, you could have a user switch, whatever. But maybe you can just talk a little bit more about how that is actually deployed.
Krista Macomber: Yep. Yeah. So we actually have been working with one particular client called TeleSign that I would say kind of plays in here. And TeleSign, what they do is they provide authentication from an omnichannel perspective. So their platform is helping businesses to allow their customers to verify their access across any means that really is kind of convenient for them at the time, depending on, again, the device that they’re asking… Excuse me, the device that they’re accessing through and the means whether it be, for example, through email, SMS, things of that nature. So that’s kind of one example that just bubbles up top of mind to me because again, it’s really about helping to provide that kind of omnichannel perspective for access. So that way, regardless of the device or the method that the user is accessing, that you really can be sure that it is the proper user with the proper credentials that are looking to access the particular data or network.
Keith Kirkpatrick: Okay, that makes a lot of sense, absolutely. Well, thank you very much, Krista. There certainly is a lot going on in the enterprise security market, and I’m sure that we’ve just scraped the surface, but I have to quickly move on and I’ll be bringing you back in a minute or two, but let’s take a look now at some of the companies making news in the world of enterprise software. So the past week I was actually out at an analyst event at Zendesk. They are a provider of CX software, and they just made an announcement that they’re releasing some more generative AI based tools and features that are really focused around deploying better self-service tools, as well as AI generated conversation summaries and transcripts that are designed to help agents, live agents help their customers.
The most interesting thing to me out of all this, because let’s face it, every vendor is releasing regenerative AI tools right now, you can’t get away from it, but the most interesting part about that announcement was that they were revealing some new data privacy and protection tools to help ensure that generative AI is safely and securely deployed. Things like making sure that customer data is not feeding back into the model, making sure that any content that is going out is properly grounded or if the model goes and touches any kind of data is grounded in Zendesk’s own repository of data. Because the last thing you want when you’re dealing with generative AI is to have hallucinations because ultimately customers will not trust that technology if it’s not reliable.
Now, another interesting announcement from the week is that Workday announced they are launching an AI marketplace that is designed to help customers find and deploy industry AI and machine learning solutions. The idea here is that the world of generative AI is big and it’s only expanding, and there’s really, it’s very, very difficult to understand or to find which solution might be right for a particular use case or a particular company, so what Workday is doing is creating this marketplace that’s going to feature AI and machine learning applications that are going to integrate with Workday data by APIs, and they’re just making this all available in one place, which is a real help to customers who are quite honestly, essentially pioneers in this space. So I think that’s a really interesting story from the week.
And then finally, I was also at an event not too long ago, which SugarCRM, which is obviously a CRM vendor, they are also announcing new generative AI functionality within their SugarCRM platform. These capabilities are really going to be deployed across three product areas, generative AI for sales, generative AI for marketing, and generative AI for customer service. And again, the interesting thing here is they’ve been very, very deliberate about how they’re going about the use of AI. They’re only using right now a model from OpenAI and all that model is being grounded in Sugar’s data. They’re taking a very, very conservative approach, not overpromising what the benefits are. I mean, it’s basically the low hanging fruit of things like summarization, helping organizations deploy some self-service tasks that are not terribly complex, but the idea is to roll this out, make sure it works, and give their customers confidence that generative AI actually has business value.
Okay. So now we’ll come to my favorite part of the show is the rant or rave of the week, and I’d like to invite Krista back in. So this is where I’ll throw out a topic and then she will get a couple of minutes to either rant about it or rave about it. And of course, because today we’re talking about enterprise software and security, I wanted to ask her about the idea of cybersecurity training programs. So what a lot of companies do is they will send out random phishing emails to their employees and just to see if, hey, let’s see if we can catch these people. And it’s interesting because we actually don’t do that here at The Futurum Group, but, Krista, I’m sure you’ve been part of organizations that have done it in the past. Is this a good idea sending out these emails and basically trying to make employees aware of these risks, or is this something that is kind of a hassle and does it kind of create unnecessary hysteria? What are your thoughts?
Krista Macomber: Sure. So Keith, I’m going to give you kind of an analyst answer here, which is going to be kind of a two-parter, a little bit of both a rant and a rave, I guess.
Keith Kirkpatrick: Okay.
Krista Macomber: So first let’s maybe start talking about, okay, what are maybe some of the downsides, right? So there’s obviously a cost, right? That’s going to be associated with training some of these fake phishing and things of that nature, and that obviously can be very expensive depending on the size of your organization, depending on how complex it is too. So for example, how much are your employees able to access data from personal devices as one example.
The second is, of course, there is always going to be a debate in terms of how effective some of these campaigns can be. They could either be too easy, they could either be too difficult. And what that translates to at the end of the day is that it wouldn’t necessarily hit the mark in terms of actually helping employees to identify a real attack. There also could be a little bit of a culture of distrust, potentially, or maybe making people be a little bit desensitized to attacks as well. So those are some of maybe the potential downsides that I can see with the training in some of these fake phishing attacks.
Keith Kirkpatrick: Right.
Krista Macomber: Now that being said, the flip side of the coin is that it can go the other way, and especially if these spoof attacks or fake attacks are executed in the proper way, it can really help to drive a culture of awareness and being very security minded, so of course, that’s obviously going to be very important. It can really also help the enterprise as a whole to identify where there are areas of vulnerability or risk and where are the areas that they really need to double click down into for additional training. And especially if we talk about trying to make the time and the investment most effective, that can be really valuable because that way you’re not wasting cycles on educating employees in an area that they’re already very well-educated on. And it can really, again, identify where you might have some weaknesses within your security posture. And then of course, it can help employees to identify attacks.
So there might be things like particular requests for personal information or particular types of links that, for example, that employees just aren’t necessarily aware of, that could be indicators of attacks. So I would say in general, I would be in favor of this training and of some of these fake attacks, if you will, to support that training just as long as some of those pitfalls that we talked about are kept in mind and hopefully avoided.
Keith Kirkpatrick: Right. It would sound like though the key to all of this is having a real strategy for training education and not just sort of haphazardly throwing out fake phishing emails and just seeing how many people are clicking on it and then sending out a quick, “Hey, don’t do that,” type of response.
Krista Macomber: 100%, Keith. So I think we have to be mindful of the types of phishing attacks that are common. And so continuing to evolve the strategy as the types of attacks evolve, and getting that feedback on what is effective for the employees, what do they know about, what do they not know about, and again, really understanding where are those critical areas of vulnerability. So again, definitely doing it like you say, in a mindful way with the strategy that is going to be evolved over time. Security isn’t just a one-and-done type thing. It’s definitely something that needs to evolve with time with the organization and as attacks evolve.
Keith Kirkpatrick: Right, absolutely. Well, thank you very much, Krista, for joining me this week. Had some really great insights there, and we really appreciate all of your expertise, so much appreciated.
Krista Macomber: Thank you so much for having me, Keith. I really appreciated the opportunity to be on today.
Keith Kirkpatrick: Thanks Krista. And thanks for joining me here on Enterprising Insights. Next week, we’ll be focusing on the world of customer experience and key enterprise applications that are helping organizations deliver excellent experiences from marketing, sales and support and throughout the entire customer life cycle. Thanks to everyone for tuning in. Be sure to subscribe, rate and review the podcast on your preferred platform. Thanks and see you next week on Enterprising Insights.
Author Information
Keith has over 25 years of experience in research, marketing, and consulting-based fields.
He has authored in-depth reports and market forecast studies covering artificial intelligence, biometrics, data analytics, robotics, high performance computing, and quantum computing, with a specific focus on the use of these technologies within large enterprise organizations and SMBs. He has also established strong working relationships with the international technology vendor community and is a frequent speaker at industry conferences and events.
In his career as a financial and technology journalist he has written for national and trade publications, including BusinessWeek, CNBC.com, Investment Dealers’ Digest, The Red Herring, The Communications of the ACM, and Mobile Computing & Communications, among others.
He is a member of the Association of Independent Information Professionals (AIIP).
Keith holds dual Bachelor of Arts degrees in Magazine Journalism and Sociology from Syracuse University.