On this episode of the Futurum Tech Webcast – Interview Series, host Daniel Newman welcomes Dell Technologies’ John Boyle, Director, Platform Strategy, and Amy Price, Senior Manager, Portfolio Evangelist, to discuss Dell’s recent study and research report, done in partnership with The Futurum Group, on-device trust and hardware-assisted security.
Their discussion covers:
- How security approaches and priorities have shifted since pre-pandemic times
- What is driving a deepened focus on hardware security
- Differentiations in Dell’s approach to security from other PC manufacturers today
- The concept of “secure-by-design” from Dell’s perspective
- The added perspective on the software side of security, threat-detection, and managing the internal issues contributing to risk factors
For more information, download our report, Endpoint Security Trends 2023, on our website.
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded, and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors, and we ask that you do not treat us as such.
Transcript:
Daniel Newman: Hey everyone. Welcome back to another episode of the Futurum Tech Podcast. I’m Daniel Newman, CEO of The Futurum Group. Excited for today’s interview series. It’s data time, it’s security time, it’s research time. One of my favorite times. It’s why we started the business. It’s getting ahead of the trends and talking to the most influential voices in the industry. Excited today to be joined by two Dell leaders in the security space, John Boyle and Amy Price. Welcome back to the show. You’ve both been with us before and we are back and we’ve got some new data to talk about. How are we doing today?
John Boyle: Great.
Amy Price: Definitely good and really happy to be back talking about one of my very favorite topics. Thanks, Daniel.
Daniel Newman: Soccer?
Amy Price: No, in this case, hardware assisted security and what is happening at the hardware level.
Daniel Newman: When you just leave it open for me like that, I’m going to jump in. But yes, everybody on this particular podcast loves technology, and I think if anybody isn’t paying attention, that security is becoming a more and more important part of every company’s posture. That’s from the edge to the cloud, from the device to the data center. We need to think about it. And we’ve got some great new data. New survey follows up on a 2020 report that The Futurum Group, then Futurum Research, did alongside Dell. And we’ve got another set of data that we’re going to talk about today. And this one is bigger and better and better with more respondents, more industries, more roles. And so a little bit of background this year, The Futurum Group talked to 989 respondents. We talked to across what, more than half a dozen industries, numerous different roles, top leadership, but not only cyber folks, IT folks, digital leadership across the organization. And we ask them questions about everything from their security posture, the stress and challenges that they’re having with managing the ongoing increase in cyber events. And John and Amy, I’m going to talk to y’all about what happened there today. That’s a good old Texas, hello.
John Boyle: All y’all.
Daniel Newman: Anybody out there?
Amy Price: Yeehaw?
Daniel Newman: Yeehaw. I don’t know about the Yeehaw, I’m kidding. But there is a heck of a lot of great insights in this report. So this, by the way, all the data 2023 and recent times, so this is really up to speed. We did one that was prior to the events of 2020, 2021, and now we’re in the back to work, people back in motion, back in commuting. And so it’s actually also a very good compare-contrast moment. So look, let’s get into this. There’s a lot to talk about. For everyone out there that wants to see this, we’re going to have links in the show notes. You can go read more because there’s no way that we can cover this all today. But let’s just start, John, by digging into what you see from both the data and just your general perspective on how security priorities have shifted since we did. Well, let’s just say since we did the last survey.
John Boyle: Yeah. I think first of all, the world’s shifted since the last survey. We had the pandemic, which initiated the work from anywhere, which was a lot more challenges for IT security. We had some very visible attacks in the press, like the pipeline attack, which people started to understand the vulnerabilities that we need to address as far as a proper security posture for critical infrastructure. Because as we say at Dell, it’s like, yes, there’s data, there’s brand, there’s the bottom line, but we’re very conscious of the fact that all of our customers are doing things for people around the world in our communities, and that when those things get compromised, then lives get impacted. And so we’re very focused on the fact that we want to make sure that we’re helping the security posture and those customers, their missions to security. The other thing is that the awareness of security, and I think Amy would agree that we talk about security and requirements, we hear from customers, security is top of the charts and that includes supply chain security. So for better or for worse, the awareness and the reasons for it is positive because people are becoming very proactive as far as their security posture. And this survey was great because it’s all regions globally, it’s all EMEA, APAC, Latin America, and North America, which is different from the previous survey. So sampling, we broadened out globally and we also focus more on the commercial critical infrastructure since we have a lot of information on the government requirements.
Daniel Newman: And John, I think it’s probably worth calling out here that the survey, while I know each of us probably has different parts of the security stack that are near and dear to our heart, it was very broad. And we did add some things with looking deeper into software, looking deeper into the supply chain. And we actually looked at some of the broader issues that companies are facing. We looked at talent, we looked at remote work, you mentioned we looked at the supply chain, and then of course we asked companies about the impact of things like policies and how things changed overall during the pandemic. And companies had to change their talent strategy most. In fact, almost all of our respondents, 95% were challenged by that particular situation. 90% were challenged by remote work. I mean, we all heard the rise of zero trust. It came out of the time over the remote worker and companies having less opportunity, less control.
I mean, IT wasn’t even getting their hands on devices like they once did. And people were using all kinds of devices that weren’t necessarily primed for work. And of course, I’m sure you all have opinions on that, but whether you think it needs to touch every device or it doesn’t, and if it can be managed remotely or it can’t, companies had to face the fact that people were introducing their own devices at any given time. I got three laptops on my desk right now. I’ve got the one that we’re working on here. And we bounce. Yeah, that’s you. We bounce between devices from iPad to work. This weekend… I know I’m going to say a dirty word, I’m say every word, but my wife uses a Mac and I needed to do something for work, and it was right in front of me. Guess what I did? I just dropped right into my application on the Mac. I logged right into it. And what I’m saying is, so in a day I might bounce between five devices. And that became super common during the 20, 21 years where people were just using whatever device was in front of them. Totally different than going into the office. So Amy, you actually, when we said favorite things, you said hardware security. You didn’t just say security, you didn’t just say cyber, you didn’t say resiliency, you said hardware. I’d like to get your take because again, a lot of data here, a lot of insights. But how do you think the landscape for hardware security changed in these past few years?
Amy Price: Oh, I’d like to tell a story to begin with this.
Daniel Newman: I like stories.
Amy Price: Would you buy a car without seat belts today, for instance? And you probably got a lot more besides that.
Daniel Newman: You don’t know me well, but I would say the average respondent would say no.
Amy Price: Exactly. The average respondent will say no. And yes, I am a car person as well, so I understand what you said. But in 1966, Ralph Nader wrote a book called Unsafe at Any Speed. And what that did is it single-handedly really drove a mandate for seat belts across the United States. And why this is important is because of that, auto manufacturers before that would spend more money on putting fins and decorative things onto cars than they would investing in the safety of the automobile. And what has happened over the decades since, as we’ve seen additional safety devices from antilock brakes to breakaway engines to the design of roll cages in the overall passenger compartment to the extension of making seat belts and airbags work even better. And these ended up being market driven because the auto manufacturers… It was actually a couple things. Auto manufacturers were essentially told by the government you had to put seat belts in. But as people became aware of the additional safety they now had in their vehicles, they were saying, “Well, I’d like other things.” So initially people paid premiums for things like anti-lock brakes, and over time we have a safer automobile. But it took decades and now we’re at a similar type of crux point I feel within the IT and PC industry in that CISA brought us a new initiative out called Secure by Design and CISA being one of our primary federal agencies involved in this. And that’s really about building security into the hardware itself from a secure supply chain, but also through having features built into the hardware that actually provide additional security.
And as you’re mentioning all the other brands along here, Dell’s been unique in that regard when it comes to client and that we started our work years ago by saying that just putting NGAV and encryption on machines, which is what most people think of as security, it’s not enough to have it at the software or at the operating system layer. You really need it embedded into the hardware. And that’s I think was the recognition that we saw. We got it a lot at our conversations, particularly with the federal government. But this increased focus is something we’re really happy to see. And this report’s backing it up because these hardware-based threats are sneaky and subversive and they can do a lot of damage. And that four years ago, for instance, when we did this before, we saw that 44% of organizations had at least one BIOS-level hardware attack. And that based on these findings, it’s grown to 69%. And honestly, I’m not surprised. And why? When organizations firm up and harden an attack surface, the attackers look other places. And now this below the OS at the hardware level has traditionally lacked visibility, observability, and control. And now we’re moving into this new era of hardware assisted security.
Daniel Newman: Yeah, I love the data there. And by the way, the little seatbelt anecdote. Now, we still constantly face this tug of war with digital transformation cycles being shorter, the time between maybe when a security opportunity is identified and implemented in physical human, any sort of safety measure, it doesn’t take us quite as long. But right now, for instance, we’re still using lower cost sensing technologies in vehicles like camera when there’s higher technologies like LiDAR that could reduce accidents and vulnerabilities in terms of ADAS. And so this isn’t a vehicle auto, but it’s a great analogy. And the point is that with some of the newest capabilities that can be put under devices, new security metrics, new zero trust workflows, we could be avoiding even more. But we still have this balance with security where it’s always an insurer versus prevent strategy. Even in healthcare, we know these things will kill you, but we don’t actually always get in front of this stuff. But John, I mean, Dell has an opportunity to lean into this, do things differently, not be the same as every other PC OEM on the planet. So how are you addressing this all the way down to the silicon layer?
John Boyle: So I think that what Amy made a good point on was that we have a lot of security and Dell’s… It’s not new to Dell. We actually lead the way as far as most trusted device. We’re expanding that whole look and view, which we talked about in the survey to most trusted workspace, which includes those peripherals like Dell peripherals are made securely, and we have a lot of security development lifecycle and that sort of thing. But as far as helping people identify what’s plugged in the computer and give them visibility, because at the end of the day, the security that we’re imbuing in the system, how we’re enabling it and security teams and the commercial fleet management to connect Dell devices to things like CrowdStrike or Splunk or the Microsoft environment or Carbon Black or the ServiceNow ticketing system, we’ve done that on purpose because what it does is that it gives them an illuminated endpoint in a Dell device. We feed them to telemetry from below the OS. Is Dan trying to downgrade the BIOS, and that’s not per policy. We see that as an indicator of attack potentially. That could be ingested into let’s say CrowdStrike AI/ML engine and learned about the behavior. Whereas you talk about the other devices out there, you’re not going to know much until they’re compromised. They’re blind spots. And so we view the security, as Amy was talking about, standalone on the system. The system has a lot of security imbued in it, but when you also put it in a fleet environment, the way it contributes to the analysis of potential security threats, that sort of thing.
And our goal is to help companies reduce the mean time to detection. That’s a very big metric for IT and security, whether you’re talking about a failure of a switch or you’re talking about a security event, and then improve mean time to response. And you can only do that with as much information as you have about your fleet. And so the Dell capabilities allow the commercial fleet managers and security teams to proactively threat hunt with more information from what Dell’s providing versus other OEMs. A big differentiator. And customers really understand that because it also leverages investments that they already have. And that’s one thing we know Daniel, is that they spend a lot of money on a Splunk or a ServiceNow or a CrowdStrike, and they want to see things work with it. They don’t want to keep ripping and replacing things. And so Dell has prescriptively done that.
Daniel Newman: It’s interesting though because you covered a lot of ground there. You landed on applications. You talked a lot about hardware. In our survey, we looked at some of the data. I mean, look, it was in the sixties of percent by the way, of companies that had a hardware level breach. Many of them had more than 169 in the past 12 months, percent. Multiples, in this short period of time. And I think a lot of people think about the application layers, “Oh, our software passwords, people get in that way,” but having the wrong hardware, having the wrong policy bias, all those different things that need to be addressed. John started us there a little bit. Amy, can you expand a little bit upon that though about how everything from the selections of silicon to the supply chain that you’re using can create risk?
Amy Price: Sure. And I’d like to also focus back on the why. So when you look for instance at the MITRE ATT&CK framework, which is one of the really good frameworks that’s out there for understanding cybersecurity, every time I go into it, I learn something new. The MITRE ATT&CK framework, the majority of the exploits start at the endpoint at that client, at that PC. So hardening that and getting this to a point to where you could not only defend but also detect and then remediate within that whole device is super important. And then it’s also important to go back into the supply chain. It’s not just the things that are on the device itself, it’s also looking back to how it’s made. So you do realize now that your partner supply chain. Customers realize that their partner supply chain is now their supply chain. And that we’ve done a lot of work at Dell to really ensure devices not only offer this built in security we’ve been talking about, but they are built securely as well. And that’s actually part of the secure by design piece. So we have lots of controls in place, which govern our design and our supply chain, and we take everything very seriously here.
We have a very good paper, which exposes everything that we’re doing from a supply chain perspective and that we work to try to meet the customers where they are and give them a lot more transparency into how we do things and why we do things. And that maintaining that device trust honestly isn’t an easy feat. But there are protections from the secure development lifecycle that we have in place to everybody who touches the device from a design perspective is involved in to the way in which we manage and vet our suppliers, will we insist on written policies and procedures for them to have in place to the point where we can actually offer a secure component verification, which takes a digital thumbprint at the point when a device is ready to ship from the factory that stores it in a secure certificate. And when the customer receives it, they can look at it and ensure that what was sent was actually what they received. So nothing happened in transit. So these are some of the things I think that really customers are… There’s growing interest in doing this. So the first awareness is that security exists at more than just the software level, that there’s actually things that can happen at the hardware level, and Dell’s unique in that. And then secondly, to understand how devices are made securely and flow that entire process through.
John Boyle: I love working with Dell because as far as our supply chain and all the conversations we have, we’re very much ahead of the curve because supply chain conversations, especially some of the other analyst firms, they focus on the physical supply chain. We’ve always included the digital part of the supply chain, the patches, the upgrades, all that kind of stuff. And also the supply chain at Dell doesn’t end when we ship the computer. It also extends through the lifecycle. So that’s one thing that we see is that the people understand that the bits they receive from us or the replacement part, all that through the lifecycle is part of the supply chain conversation. And the thing is that with everything we do about supply chain, very proud to say that we are very transparent with customers and prospects about how we manage all the stuff that Amy was talking about and why. So it’s great to see that in every conversation that Amy and I have, supply chains, these questions are top of the list. We see them all the time, and customers are very well-educated now on the importance of supply chain. I think Amy, I would say that the May 12th, 2021 executive order was a big help in the visibility of the mission that we have to secure the endpoints and the environments.
Daniel Newman: Yeah, so Amy, I heard a lot there about what I believe in many conversations I’ve had with Dell in leadership from Michael and Jeff Clarke. And of course the conversations here with you and your security teams is what you call Secure by Design. And I mean, I think that the thing is that can be very much rooted in every part of the business. And John, you reiterated the fact that it’s a physical secure by design, it’s a digital secure by design. It comes down to partnerships. So we all know there were some things that have happened in the past with the silicon, of course would almost… It wasn’t Dell related with every OEM had this problem and it was… These things do happen. And so the more you can manage the partnerships, the more you can manage the digital, the physical, and of course the educational part of helping… Dell is such a large part, a hundred billion a year, tens of thousands of customers around the world. This is something that really is important that we address.
So I’m going to bounce you to another topic about innovation because all this stuff you’re doing, obviously it can be looked at as a defensive posture or it could be looked as an offensive posture. And I think the key here is really about both. It’s about we’re doing all the right things to make sure the customers, when they get the endpoints and they get the devices, they know they can feel comfortable setting them up, deploying them in the enterprise and knowing that they’re secure. But how do you guys think about this as a way to differentiate and innovate your products and services and solutions going forward?
John Boyle: I think that one of the big things is that we try to be proactive with our approach. I mean, a lot of times it’s easy to address something, whether you’re the OEM making a system or a software provider or you’re the customer. When something happens, you take action reactively. Our approach at Dell in the security, whether it be any of our systems, the clients, the servers, everything is that it’s like a doctor visit. You want to go and have your proactive visits to make sure that you’re not going to have a major medical situation. And Dell’s approach for our security strategy and our security that we imbue in the system, the software that we partner with or develop, and then the services we offer around that is to help customers be as proactive and preventative as possible to look at zero trust as it relates to their mission and their company versus just the vanilla concept is zero trust. And so I guess the thing is that we have the general concepts around security, like hardware security, but we look at it, if you look at five hospitals, they all have different flavors to their mission and what they’re trying to accomplish for their customers. And so being from a medical family, I like to take the preventative approach, be proactive, have your annual visits. Let’s discuss what’s going to put us in a better posture.
Looking ahead to maybe the question about quantum computing or we have AI now, we know that AI provides threat actors scale and automation. So how do we make a better hardware footprint on top what we already have so that we continuously, proactively press that question and make Dell the best, most secure workspace possible and that it works with the other systems that customers use to threat hunt. So we do a lot of proactive digging around as far as requirements from customers. We pen test all of our systems proactively. We really try to make sure that we’re happy with the systems and the platforms we’re developing and we have a very good foundation of systems. And like I said, customer needs software for that. We offer that as well. And if they need an assessment for zero trust or they need education, they need a managed service or deployment, we’ve got services. And so Dell’s basically, I would say a fantastic technology and security partner, not just to sell you stuff, but to be there for where you are today and your security mission and where you need to get to and your posture tomorrow and be with you every step of the way. So I’m very proud of that. We’ve got a great team and we’ve got great solutions to offer customers, not just a product that we say will make your wildest security dreams come true.
Daniel Newman: Yeah, it always floors me the pace of growth. Dell’s been very ambitious in the strategy to expand. And of course I also think to some extent the company showed some very acute ability to focus. And right now things like the shifting trends in AI and what’s going to mean the next device. So although John, you and I, we talk a little bit about AI and various conversations that we have. There’s a lot of practical AIs. There’s of course the cool generative AI stuff. And what I mean is it’s going to change business and it’s going to also create a super cycle of future PCs. And I’ve seen little hints and glimpses of where this is going and it should be good from both what we’ll get from an experience, but also how we’re going to be able to better secure our devices. We only have a minute or two left here. So Amy, I want to put the last question in your court. One other area. We’ve talked a lot about supply chain, but what we haven’t talked a lot about is software. So I know you started off saying hardware security, so I’m going to ask you the question again, what you get excited about, and you’re going to say software security, but I would like to get your perspective on the overall software space. A lot of data in here, but of course this is a really important attack surface. So what did you hear? What did you see? What stood out to you about software?
Amy Price: For sure, looking at these most common types of software breaches that came back in the survey, internal attack within their organization. Somebody just doing something or somebody coming in and doing something. Internal or accidental incident and user error. So somebody not configuring something correctly. The third one being an insider attack where someone really has an ax to grind. The next one being something covering their business partners or third party suppliers. Remember our supply chain is now your supply chain. And then finally not patching software, not keeping BIOS up to date, not keeping critical software up to date. And it’s really interesting in many respects to have seen the rise in internal issues contributing to this. But internal, external aside, I think going back to something we said earlier that John mentioned was we simply have to be faster at threat detection. And what it boils down to is how quickly can you respond once you learn of an issue, go investigate and how quickly can you address it?
So you want to prevent the spread. And by doing this, providing this hardware-based telemetry that we’ve talked about, organizations get this capability, this hardware assisted security really takes your existing security software and super charges it by adding those additional data sources. And where that information comes from, obviously it’s your hardware, it’s from in Dell trusted device and Dell commercial devices build this in and it’s something that sets us apart. Now, something else that I feel very strongly about. I want to live in a safe world where my credentials and my information is kept secure, where I don’t have to worry about somebody coming exfiltrating this and going after my bank accounts. So a rising tide lifts all ships. CISA did the secure by design. Dell has been following hardware-based security. I personally would appreciate seeing other providers, other OEMs getting on board the same thing. So that by adding hardware assisted security, it lifts all the ships in our fleet and performance benefits obviously to everything. One of the one I want to point out is zero trust. So zero trust is never trust, always verify. When you’ve got real information coming from the hardware, you’re already a step ahead in terms of implementing zero trust.
Daniel Newman: Yeah, you hit on a lot there. And from the 989 respondents, Amy, 68%, one or more software breaches in the last 12 months, almost identical to hardware. So companies are finding vulnerabilities in both.
Amy Price: They’re together.
Daniel Newman: And so there’s an intertwining, there’s an interdependence, there’s a codependence, and it means security can’t be managed as either or it always has to be managed as and. There’s so much here, John and Amy, and I would love to spend more time, we’re at time on this particular show, but let’s make sure everybody out there that’s listening to this clicks in and checks out the show notes and learns more because this data, these reports are available or coming out. And we’ll put the links there and we’ll keep the links fresh as more content comes out. So you all can see all the coverage that we’ve had from this 2023 security index report that we did here at The Futurum Group, alongside the team here at Dell Technologies. John and Amy, let’s have you back soon. Let’s not wait three more years because in three years is like four decades.
John Boyle: Or until the next pandemic. I guess we’ll do that before the next pandemic. That’d be great.
Daniel Newman: But let’s not have another one.
John Boyle: I don’t want another one.
Daniel Newman: Let’s secure that. Let’s secure the supply chain. Let’s keep people’s devices secure. Let’s keep the AI technology being used for good in positive ways across humanity and let’s make sure everybody has a great day. So thank you both for coming. Thank you both for joining.
John Boyle: Thanks Daniel.
Daniel Newman: See you all soon.
Amy Price: Enjoyed the opportunity.
John Boyle: Pleasure. Thank you sir.
Daniel Newman: All right, hit that subscribe button. Join us for all of our Futurum Tech Podcast. We got many great interview guests. Today’s guests from Dell Technologies, we talk security, but there’s so many great shows here. We hope you’ll stay with us. For now though, I got to go. See y’all later.
Author Information
Daniel is the CEO of The Futurum Group. Living his life at the intersection of people and technology, Daniel works with the world’s largest technology brands exploring Digital Transformation and how it is influencing the enterprise.
From the leading edge of AI to global technology policy, Daniel makes the connections between business, people and tech that are required for companies to benefit most from their technology investments. Daniel is a top 5 globally ranked industry analyst and his ideas are regularly cited or shared in television appearances by CNBC, Bloomberg, Wall Street Journal and hundreds of other sites around the world.
A 7x Best-Selling Author including his most recent book “Human/Machine.” Daniel is also a Forbes and MarketWatch (Dow Jones) contributor.
An MBA and Former Graduate Adjunct Faculty, Daniel is an Austin Texas transplant after 40 years in Chicago. His speaking takes him around the world each year as he shares his vision of the role technology will play in our future.