Transcript
Hi, I'm Rob Krawczyk. I'm a Global Strategist with One Identity as well. So Alan, I was recently at a trade show, I was speaking to someone and they said they'd experienced a breach. The interesting part about it is, they didn't know how long the breach had been going on. What do you think about that?

That's the most normal thing I've ever heard. The only reason that you found out that breach, because when you went looking, it hurt you. It wasn't a problem until it was a problem. How many of you are investing in compliance because you have to, because you've been told to, because you get punished if you don't?

So most people, when they invest in compliance tools, it's because they've already experienced some sort of stress. Whether it's an external audit, it's an internal detection that they've found out about, it's something brought to their attention through an unconventional means. So how do you address that? How would you address a breach in today's modern environment?

Don't react. Proact. Now, when you do that, you're going to have customers, you're going to have paying customers, you're going to have credibility, you're going to be collecting data. And if you're doing that, you will be held accountable to various regulations, to laws, etc. The list is long. There's common sense places to start. Least privilege. Why have privilege if it's not needed? Why have privilege if it's not being used? Why would you give somebody your car keys if they're never going to drive it?

So defense in depth. Would you consider that part of least privilege or is that more of a zero trust model?

Those are mantras. Okay. Those are guiding principles. But there is no more sobering guiding principle than do this or you will be fined.

So you're saying that earlier, you know, I asked you how would they address this potential breach that they had? And you mentioned the word proactive. So proactivity means that you're looking at the security standards in your environment pre-breach.

Yeah.

And a lot of organizations don't. So how would you, if you were to walk into a, talk to a customer today, a potential customer, and you were to say, hey, what's your risk posture? How are you positioned to address future risk? What would you tell them? How would you help them address, or how would you help them maybe answer that question for themselves?

So, I mean, you've heard me say it over and over again, compliance, compliance, compliance. Okay. But it's not something to be feared. First thing I'd say to the customer is what are the frameworks that you are challenging yourself to make it easier to be compliant with? Because whether you're compliant or not, is it a choice? Okay. It's not something that you want to do or you like to do. It's something you have to do. Right. And in doing so, there are ways to do it profitably, and there are ways to do it painfully.

An old saying comes to mind when I think about compliance and security standards, an ounce of prevention is worth a pound of cure. So when you're developing a modern compliance framework for your organization, when you're establishing governance, you're establishing a least privilege or zero trust model, it's always best to be proactive and create an environment that can adapt to future risk and future stresses. As Alan just pointed out, when you're reacting, you're paying usually. When you are being proactive, you can mitigate a lot of that risk and a lot of that financial cost so that your organization, as it moves through the future iterations of whatever technology is introduced in the environment, you can adapt to it easily instead of reacting and constantly readjusting your risk posture. So for more information, go to the One Identity website, or you can reach out to local representatives or you can call Alan directly.