A fascinating discussion unfolds as Imperva's CTO for Data Security, Terry Ray, joins ITSP Magazine hosts Sean Martin and Marco Ciappelli to explore the ever-evolving landscape of data security.
In this latest episode of the Imperva Brand Story on ITSP Magazine, Sean Martin and Marco Ciappelli sit down with Terry Ray, CTO for Data Security at Imperva. Together, they discuss the pressing challenges and transformative innovations shaping the future of safeguarding information.
Unpacking Data Security Posture Management
Terry Ray introduces Data Security Posture Management (DSPM), comparing it to inspecting a home—where identifying vulnerabilities is just as important as fixing them. He emphasizes that data security requires constant vigilance, urging organizations to develop a deep understanding of their infrastructure while staying agile against emerging threats.
Moving Beyond Compliance to Real Security
The conversation highlights the often-misunderstood relationship between compliance and genuine security. While meeting regulatory requirements is necessary, Terry argues that true data protection requires a broader, risk-based approach, addressing vulnerabilities in both regulated and non-regulated systems to prepare for audits and unforeseen breaches.
The Power of Automation and Machine Learning
Terry underscores Imperva's dedication to leveraging advanced automation, AI, and machine learning technologies to process vast data sets and detect threats proactively. By adopting innovative strategies, companies can transition from reactive to proactive measures in protecting their digital ecosystems.
Fostering Collaboration and Security Awareness
A standout point from the discussion is the importance of collaboration across organizational roles—from compliance officers to database managers and security teams. By fostering a culture of continuous learning and teamwork, businesses can better allocate resources and adapt to evolving security priorities.
Embracing Security's Ever-Changing Nature
The conversation concludes with a powerful reflection on the unpredictable nature of cybersecurity. As new threats and technologies emerge, organizations must remain adaptable, forward-thinking, and prepared for the unexpected to stay ahead in an ever-changing security landscape.
Learn more about Imperva: https://itspm.ag/imperva277117988
Note: This story contains promotional content.
Guest: Terry Ray, SVP Data Security GTM, Field CTO and Imperva Fellow [@Imperva]
On Linkedin | https://www.linkedin.com/in/terry-ray/
On Twitter | https://twitter.com/TerryRay_Fellow
Resources
Learn more and catch more stories from Imperva: https://www.itspmagazine.com/directory/imperva
Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story
Data Security Posture Management — DSPM. What, why, when, and how: All The Insights You Need To Know | An Imperva Brand Story Conversation with Terry Ray
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
[00:00:00] Sean Martin: Marco.
[00:00:02] Marco Ciappelli: Sean.
[00:00:04] Sean Martin: What, uh, what have you been up to?
[00:00:07] Marco Ciappelli: I don't know. Um, I heard that you can foresee the future in these days.
[00:00:13] Sean Martin: I can foresee the future and I know what you did. I've been watching your, uh, your file access and your database access.
[00:00:20] Marco Ciappelli: Oh, wow. Not last week because I was there in the future too.
[00:00:26] Sean Martin: That's true.
That's true.
[00:00:28] Marco Ciappelli: Ah, you're monitoring me, huh?
[00:00:30] Sean Martin: I am monitoring you.
[00:00:31] Marco Ciappelli: Well, that's good. You keep me safe, right? If you monitor me.
[00:00:35] Sean Martin: It's to keep you safe and keep the company safe.
[00:00:39] Marco Ciappelli: I'm good with that. I don't know. Let's see what Terry thinks about it.
[00:00:44] Sean Martin: Well, that's what, uh, that's what we're going to be talking about today.
We're going to look at, well, a couple areas. Some people call it data risk intelligence. Some call it posture management or configuration management for data, data security. Um, ultimately it's all about understanding how and where your data goes and ensuring that it's being used properly and within guidelines and regulatory compliance requirements, all that fun stuff.
[00:01:10] Marco Ciappelli: We don't, we don't have three days. We're going to have to focus on something.
[00:01:15] Sean Martin: That's why we have Terry, because Terry has all the answers in short form.
[00:01:19] Marco Ciappelli: He has the good metaphors. That's, that's what, when I think about Terry, I think he's going to come up with some good metaphor for what we're going to talk about.
But before we go there, come on, let's be serious. Terry Ray, Imperva. I think we have, uh, we had a list. Uh, this is probably a fourth conversation that we share talking about what you do. And, uh, why don't we just start there? What do you do, Terry, at Imperva? You've been there for a while.
[00:01:49] Terry Ray: It reminds me of the movie Office Space.
So what would you say you do here?
[00:01:56] Marco Ciappelli: What do you think you're doing?
[00:02:00] Terry Ray: I do a lot. I mean, I'll just keep it brief and short. My title is CTO for data security, but I try to talk with users and customers and, and, and end users in the field, prospects, really anybody who wants to talk about data security.
And I think that's one of the, one of the advantages and luxuries I have as, as, as an expert in the field that's been doing strictly data security for over 20 years. Uh, I may not always be right, to be honest, but I always have something to say. And so I, I love to talk. And so that's, that's what they let me do: they let me talk and have conversations and see where those conversations take us.
And so, uh, it lets me help drive the product and it helps me, uh, help customers get where they want to go.
[00:02:50] Sean Martin: And that's actually an interesting question perhaps is where, where do customers want to go? Um, yeah, I know what, what's changed recently.
[00:03:00] Terry Ray: Yeah, you, uh, you asked a good question, right? So for years I would ask customers, is your, is your data, is your data important?
Do you want to secure your data? And arguably, we would say that's where customers want to go. They want to secure their data. But interestingly, time and time and time again, we talk to a customer and the customer says, I do want to secure my data, but, and it's a big but, that but is: where I want to begin is with my most sensitive data, the data that is credit cards or whatever else, whatever type of private data is important to that organization.
And where organizations have gotten to in their journey to where they want to be is they've gotten to a place where they say, I've met my regulatory compliance. And now it's hard for me to justify doing anything else. Security, we like to think that justifying security isn't hard to do. In fact, in a lot of cases, to go get budget, to justify a little bit more security, can actually be pretty complex.
If you don't have real quantifiable metrics and numbers that go right along with your risk in the, in the organization. And data, I think, is one of those places where it hasn't really had quantifiable metrics on it ever. And so organizations just kind of stick a finger in the air and they say, well, you know, you know, who's telling me I'm doing a good job?
My PCI council is telling me I'm doing a good job, so I must be doing a good job. Tick, I'm done. And they, and they wait until they get breached.
[00:04:38] Marco Ciappelli: You know, a funny story. Sean is trying to sell his house and, uh, I'm always trying to sell my house. We talked about that in preparing for this conversation.
There was a metaphor that I think we can develop then in what you just said, which is like where you drew a line when you just checked the boxes and when you could do a little bit more to actually improve even the value of your posture and what you have. So tell me about that idea that you had about, you know, the house selling.
We don't need to talk about shop.
[00:05:16] Terry Ray: Well, no, yeah, I mean, so the analogy that I like to use around what the industry is calling this quantifiable metric, this ability to say, I know whether I'm doing a good job or bad job. They're calling this industry data security posture management. Uh, other people would know it earlier on as cloud posture management, where it wasn't about data.
It was about my cloud configuration. So all of this in general is posture management: what is my configuration? How am I doing? I don't want to say it began with LinkedIn, but it's the one that pops into my head. When you go to LinkedIn, you set up a profile. It says, Hey, you're only 75 percent done. You've got six more things to go do.
Go do these and get your profile set up. Well, I think we do the same thing here. And a great analogy, I think, is a house. And I don't know how it works all around the world. I can only tell you how it works in the U.S. And in the U.S., if you're going to have a mortgage, if you're not paying cash for your house, which I don't think many people do, but if you're not paying cash for your house, you're borrowing money.
And if you're borrowing money, a bank says we need to understand really what's wrong with this house. We don't want to be buying something that just is way underwater. So, you hire a house inspector and that house inspector comes in and looks at everything in the house. If they're a good inspector, they look at it all.
And they tell you where all of your problems are and they fix exactly zero of them. They just tell you where your problems are. And, and for the, for the purpose of what you pay for, that's what they're there for. They're to tell you, this is what your problems are. And now you can begin whatever else you want to do in the, in your negotiation and buying and whatever else you're going to do.
And I think that's very much like the traditional and the more recent data security posture management systems. They tell you where you have problems in, in your data: your data is not encrypted. It's not monitored. It's got public access to a cloud data store. It's got a myriad set of problems that are out there.
Do what you want to with it. Here's the information. Thank you. You, you paid me. I'm the inspector. I inspected your systems and there's your answer. While that answer is really powerful and really helpful for the problem that I stated earlier, which is to try and get an organization over the hump of saying, I think I'm okay.
I think I'm doing a good job. Now this system's coming back and saying, well, you know what? You actually have termites. You have foundation issues. You've got a hole in the roof. You've got a lot of issues you hadn't really thought about. It's just there in areas you don't spend any time in, so you haven't noticed. And so it is a lot like that house inspector, and that's, to me, that's a double-edged sword. So what it comes down to is they're saying, here's all your problems, and the organization can say, well, now I know my problems and now I can choose to fix those problems or not. Now the organizations have a little bit different issue.
The new issue is, okay, now for me to fix my problems, what technologies, what solutions, what people, what skills, what is it that I need to go and fix this? And in some cases, they may tell you, yes, you need to go encrypt. They're not going to say go buy an encryption product or go buy a monitoring product.
They're just going to say, there's no monitoring. You figure out how to go do it, just like an inspector would do. And that's the big gap I think that has existed in this space for years, or now, over the more recent years. And that's the one that, at least at Thales, we're trying to overcome and say you should be able to do more than be an inspector.
You should be able to be an inspector, a recommender, and ultimately a problem solver.
[00:09:00] Sean Martin: And I think one of the, one of the examples that I like to bring up on this is because you talked about cloud posture management and shifting to data security posture management. It's one thing to look at the house.
You mentioned foundation as well. But in my personal experience, there's also the hillside that might be coming down. You have to hire a geologist to see, are you in a fire zone? Some of these things, some of the things the bank wants to know from a mortgage risk perspective. Some things I wanted to know.
From a life-saving perspective, is that hill going to come down on me in a big rainstorm? And to your point, you bring people together to identify what's going on and then you have to make a decision. Is there enough? Is it risky? Where do I have to fix it? Is it something that I can just deal with and kind of maintain over time?
And you need experts to do that. And then you need the experts to help you remediate. And I think that's where this story really comes together for me, Terry, is in the remediation and understanding, well, what, what systems is it? Are they in the cloud? Are they on prem? Are they databases? Are they data storage distributed throughout the world because of data sovereignty requirements?
What, what do I have that I have to deal with to maintain compliance, but also to maintain good security posture for my own business benefit?
[00:10:29] Terry Ray: Yeah, you're right. I mean, look, I think you bring up a really good point where here we talk about, you know, the, the analogy of the inspector really doing this for the mortgage company, right?
The, the company that's given you a mortgage, but really, when you look at the value to the home buyer, the, the person buying the house, what do I want to actually know? Do I actually want to know just what's wrong with my house? To your point, or do I want to know, am I in a flood zone? That's going to be a different vendor.
That's not the inspector. That's my real estate agent. They're going to be looking at that analysis. To your point, is the hill going to come down? Has there ever been a mudslide? And if there has, what was the damage associated with that? What's the crime in the area? That's going to be a different piece that I bring into this area.
This is, this comes down ultimately to risk. Right? And that's, that's the value that, that's, that's what the bank is trying to get out of it in terms of the property. The owner is trying to understand in this property, if I live here, am I in a cul de sac? Am I not in a cul de sac? Do I have lots of traffic?
Might I have kids that have higher risk by playing in the street or not in the street? All of those things have to come together. And I think as we see this industry of data security posture management solutions today, for the most part, DSPM, which is the acronym for all of that, DSPM, uh, tends to be focused in the cloud, which means they're not getting the complete picture of everything on prem.
So they're not getting that big picture. And they tend to also focus on just those configurations that you can get out of the cloud providers. So CloudTrail, other tools that you get in Azure and other places, effectively readily available configuration information from the data stores themselves that just about anybody could honestly get, and they just correlate them and build a risk model around it. What I'm seeing now is a demand from users saying that information is nice, but I actually need a lot more to understand a true metric, a quantifiable metric. If I'm going to take this and say I'm actually doing a good job and there's a low risk of a breach, I need to know about my cryptographic, uh, capabilities, not just in the cloud where I flip a switch in AWS, but on prem where it takes equipment, it takes stuff, it takes work. I need to know, to, to your point about, you know, a hillside that's happening on the outside. So it may not be a hill in IT in this case. It might be more around, um, uh, DLP.
So do I have DLP? It's a completely separate vendor, but it's context that comes into the environment. I think DSPM vendors ultimately are going to be very much, honestly, like SIEM, Security Incident Event Monitoring Systems, right? So I think they're going to be very much like those types of systems where they just bring in any data you want to.
I think an organization is ultimately going to decide whether I have one DSPM because it has that extensibility to bring in lots of different data sources together and allow me to marry those data sources to build my own risk. For example, I want to know if I have sensitive data, sensitive data relevant to GDPR.
Well, I want to bring in information from my audit solution that says under GDPR, these are the things, this is the type of technologies you need to have at play. Otherwise, you're at risk for violation of GDPR, as well as risk of a breach. I want two metrics that are inside there. My risk of a breach and my risk of non compliance.
I think there's a lot that people want to do with DSPM in the long run. I don't think DSPM is totally there yet, but I think we're beginning to see, certainly with Thales, we're seeing this open framework to be able to say, I want to customize my risk. I don't want it canned. I want to bring in other sources.
And I want to be able to build a model that takes in all of the risk elements, not just the ones that are relevant to one environment or another environment or important to one person or another person. I want it to be something that the whole organization can use to drive up to the executive staff.
[00:14:28] Marco Ciappelli: So is, so the business is kind of changing the, the, the attitude, let's say it's kind of changing from they're telling me I need to fix this. If I, if I want to sell the house in this case, and that's all I'm going to do, but I'm going to get this much for the house. Is it anything that I should do to either, because I live here, I want to live a better life, or I want to get more money that can turn into an investment.
And I want to connect to your idea that you mentioned about the gamification of, you know, LinkedIn or any other social media where you say, well, at least with your profile and who you are now, you know, you, you could do a lot better. You can improve your, your status. You can get more visibility, create more content, post at least twice a week or more.
So to go back to the question, is the attitude of the business changing, or are they still, because of budget limits, stuck to "I don't care. Whatever happens, happens. I'm just going to fix the bear minimum." And by bear, I mean the bears that Sean has on his property because he feeds them.
[00:15:48] Terry Ray: I, so I think there's, I think there's two elements there, right?
So the one element is budget's always going to be an issue. But what evidence can you bring into a budget cycle to get the appropriate budget for what you want to do? And at the same time, it goes right along with that to get executive buy in for a mission. And the mission is better data security. And we'll come to that.
I think the, the, the other piece is about understanding a maturity path, understanding what you want to do. The word is prioritization. Right, so how do I prioritize all of these things that I need to do? If I have one file server or one database, I don't really need to prioritize anything. It's easy. If I have a hundred or a thousand, or, I know financial services that have 40,000 databases, and trust me, they have a long way to go in their maturity cycle to get to where they want to be.
Uh, they need, they need something to help them prioritize that. And, and that's, that's the other aspect of, uh, I think, a strong data security posture management solution: it's not just telling you what your problems are and telling you what you can go fix, but helping you prioritize based on those, those, uh, those actions, those solutions, those priorities.
Switches you can flip, whatever it happens to be, that you can do today that will give you the biggest bang for your buck. And that buck isn't always a dollar. Sometimes it's five minutes of time. Sometimes it's a switch, sometimes whatever. But the point is, is what can I do today that's going to do the most reduction in risk?
That's what I want to do on Monday. And I think that's what organizations have been starving for, for years is to say, All right, this week I'm going to spend 25 percent of my time on data security. And if I'm going to spend that 25 percent of the time, I want to make it count. So what am I doing this week?
I'm going to solve for these three things that the Imperva Thales data security fabric is telling me, data risk intelligence, what we call it. Our solution is telling you: we'll give you five points back on your risk. We will reduce your risk by five points if you will go do this one thing. Just do this.
I'll lower your risk. That, that's, that is helpful, I think, for an organization to say this week, what did we do? I don't know about all organizations, but I know I, I typically give an update to my, uh, my direct, my, my higher-ups, if you will, and say, this is what I did this week. Isn't it great to be able to tell them, I reduced the risk on our riskiest asset by 10 percent this week by doing two things and it didn't cost me a penny, or I have a preparation in place?
I'm ready for the next budget cycle and I'm going to reduce it by 30 percent because I need to do something, right? And I want to do this. I don't want to do it right. Going back to your, your point about budget. The other piece that works in tandem with this is, okay, now I've got a priority. Now I've got a plan.
Now I know exactly what needs to be done in my organization. And now I can decide, of all of these things I need to do, some of them I can do, and they don't require budget. They barely require effort. They just need me to go do some things. There are going to be some things that probably will require some budget.
Maybe require a headcount or some education or something else. That requires me to go to my executive staff. And in my executive staff, I need to bring to them this quantifiable evidence and say, look, all the money we've spent so far, we're doing a good job on the systems that were our priorities. Our, our regulated systems.
They're great. Low risk. Here's the, here's the map. It's very low risk on those systems. We've, we've succeeded. However, as an organization, we agreed that our mission is not data compliance. Our mission is data security. And if we're all on the same page still now, after months or years or whatever it is, data security is still our plan.
I have put together a program and a plan over the next, whatever period of time you want it to be, that we want to turn this data compliance program we have into a data security program by covering all these assets that may not be regulated, but have all the highest level of breach in a quantifiable manner.
And here's my plan and here's how we want to do it. And the goal is to unblock the river, if you will, wipe out that, that, uh, beaver dam, get it out of the way and say, let's let the, let's let the floodwaters flow of, of data security. And let's do something different than we've done before. Let's not just be compliant.
Let's finally be secure and let's all be on the same page. And that's, I think that's the important thing is to bring the executive staff all together on that same page, recognizing that they need to be doing something different. And when you put numbers in front of them, I think that's helpful.
[00:20:28] Sean Martin: And so, in terms of that, the, the conversation with executive staff, senior leaders, business unit leaders. Oftentimes the "here's what you need to do" driven by compliance is by an auditor that speaks a certain language that drives a certain team to respond. Sometimes security is involved, sometimes they're not. Risk is involved, sometimes they're not. The database people are involved, sometimes they're not.
System maps and API folks are involved, sometimes they're not. So how, how do you see organizations kind of pulling all that together beyond just the compliance? Because I think that's also another area that can be difficult, if they're used to looking at things a certain way and hearing certain language and expecting a certain set of actions that now are broader, more meaningful, but require multiple, multiple stakeholders to actually get things done.
[00:21:22] Terry Ray: Yeah, no, I think, you know, one, one of the, one of the places I've been spending a lot of my time recently is not so much with security. I'm going to call it my spare time, but I mean, I don't have a lot of that, but the, the, the times that I'm not at RSA, I'm not at different types of large security events, I find myself at global ISACA events, audit events.
I find myself at the international internal auditor events in Vegas and other places. My, I find the other half of my job, and I'm going to use the word corrupting, but the other half of my job is trying to corrupt the auditor. And corruption is not really the right, bad word. It's just a controversial word to be able to put out there and say, look, what I'm really trying to do is I'm trying to bring the auditors on, to ask them to ask better questions.
Really the auditors should already be here saying, wait, so especially internal audit. So we have PCI servers and they're doing a great job. We, we, let's say we've used the data security posture management and we're doing a great job on these PCI servers, but as internal audit, it's not just about regulatory compliance.
It's about keeping the company safe. Keeping the brand safe. So tell me about those other servers that are out there, those other systems that are storing data out there. What's the risk on that? Oh, that's low risk. Also, it shouldn't be difficult. If you've got the, if you have the information, how am I doing on my regulated systems and how am I doing on my unregulated systems, I will tell you, the overwhelming majority of data stores in the overwhelming majority of companies that are out there, the regulated systems will be given a mediocre score.
At least they'll be passing their audits. The unregulated systems will be the wild west: development servers, test servers, user acceptability testing, all these servers that all have private data in them, have almost no security on them whatsoever. And that should be really scary to the organization, but most organizations don't have the quantifiable metrics to really understand the risk between those two systems. Now they do, and now that should be really easy to have that conversation with any cross-functional department and say, shouldn't we be doing better here? Yes we should. I have yet to fathom a response that would be a non-positive response to say, yeah, I think we should be doing something better there.
[00:23:53] Marco Ciappelli: So, Terry, I want to go back to the idea of not only coming to point out the problem, but actually having a solution to fix it. Because we had a conversation not too long ago about when you can say, if you give me this budget, I can save you this much money.
And we were talking about this with e commerce or financial fraud prevention. So 2 million, I'm going to save you four. Here's the money. If I give you four, do you get, do you save me eight? Right. So I want to connect with going back to say, well, this is not only what the problem is, and then you deal with it.
But here's what the problem is. This is how you can fix it. We can fix it or tell you who can fix it. And this is what your return is going to be in the long run. I mean, it seems a much easier sell in order to get, to get the budget instead of waiting for a breach. That's usually when you get the budget.
[00:25:00] Terry Ray: Yeah, no, I think, I think it makes a lot more sense for an organization. We, we, we see more and more consolidation every day in the cybersecurity space, cybersecurity vendor space anyway, and it makes far more sense for a, an organization to say, I want to hire somebody. Or I want to have a technology, whatever it is.
I want to spend some money to solve a problem. My problem is, I don't know where my problems are. So I'm going to hire somebody who has a truck and they're going to pull that truck up out front. When they pull the truck up out front, it's not a little pickup truck with no tools in the back and just a guy who gets out with a clipboard.
It's a big truck. With shovels and hammers and wrenches and machines and all the other tools necessary. So as that person digs around your house and does everything they're going to do, they say, here's all your problems. And here are the problems I can fix for you today. I can take care of it right now.
It's, it's under the same contract you've already done. Let's just wrap it all up and get it all done right now, and what I'm going to leave you with are the following problems that I don't fix, but they're just switches. You just need to go take a few minutes and go flip some switches. I'll take care of the hard stuff for you.
And to me, that's, that's, that's what's the power. That's the power here: to be able to bring all of the, the capabilities behind Thales, the technology around cryptography and, and, uh, and key management, as well as all of the monitoring and all the capabilities that we've always known from, from an Imperva perspective. They've been put together to be able to make this happen.
So from a security perspective, you get the visibility, the observability, the ability to, to monitor anything you want and detect threats. You mentioned DLP, to detect threats and all these things at the same time. If you don't want to allow somebody to have access to something because they're not supposed to, let's go into the world of AI, I get this, I get asked this question all the time.
I'm putting in AI, an AI chatbot, how do I prevent it from going places it's not supposed to? I need guardrails on, on the data it's allowed to access. How do I make sure people can't get access to the data AI's accessing directly? All right, so all of those controls can be brought to bear and it makes it really, really easy for an organization to say, I want to know what my problems are and I want you to fix my problems straight away and be done with it.
I don't want you to just tell me to go to three or four different vendors and me figure out where I'm going and doing, because that's going to cost me a lot more money and time, because I'm going to test every single one of those vendors anyway and then go through projects, and it becomes a multi-year process which just doesn't make sense for most people.
[00:27:27] Marco Ciappelli: And some may just be turning on and off a switch, as you say, and some may be making an entire new system going.
So again, go back to prioritization and say, well, at least let's do this right now and then plan for the future, for the next one, when, when the budget comes.
[00:27:48] Terry Ray: that's right. That's right. Yeah. I mean, you know, when, in one case, the air filters are dirty, that's easy. The other case, the air conditioner doesn't work.
That's a big, different, that's a, that's a different case. Right. But
[00:27:59] Sean Martin: I want to go back to one of the things we talked about, because I think we're creatures of habit as humans, and I think business becomes a creature of habit as well. And when we have predefined audits, we're kind of prescribed, or at least we report back to the auditors.
Here's the scope, right? And we set that scope and we kind of dust it off, and we say, that's where we're going to live within our audit, year after year after year, until something changes where we think we need to readjust the scope. I think AI may be one of those triggers. You may confirm that, but even without a trigger, are you finding AI is a trigger?
Are there other triggers that say we need to adjust our scope, to move beyond the audit world to understand the bigger picture? Let's look at the land around the building, the crime around the neighborhood, that kind of thing, to better understand what the challenges are that we're really facing.
[00:29:07] Terry Ray: Before data security posture management, before DSPM, I would argue that apart from audit, which is going to happen every year, and you're going to decide through classification and other things whether there's a new place that you need to audit for regulatory compliance because you found a name or an address or a phone number or something, apart from that, really the only needle mover,
now I need to do something different on systems that are not regulated, was either I got breached or my neighbor got breached. You have a breach. Oh, well, that opens up the pocketbook, or that opens up a conversation at the executive level to say, how is that not going to happen to us again?
Or how are we not going to be like company XYZ, because they're in our same industry? And that happens every single time. And that's good for about three to four months. And then everybody forgets about it and they go back to where it was. So as a CISO, you've got a short window to say, let's make things happen now and make a change. With DSPM,
now, with the new technology, now it's every day, every day. The goal is to be in your face. Maybe it's a little annoying, possibly, to say, you know what? Hey, you did a little work yesterday, but you know what? There's still work to be done. There's still other things to be fixed. The system that you fixed yesterday is not nearly as at risk today as it was yesterday.
It was 80 percent at risk yesterday. Today, it's 70 percent at risk, but there's still about six or seven more things you could do. There's always risk, right? If you're connected to the internet. If it's not Mission Impossible, like a server in a room and the guy coming down from the ceiling, and clearly there's risk there too, but you're not getting away from risk.
We're just wanting to get to a point of acceptable risk, something that we can tolerate and say, this is industry standard. This is kind of where we are going to likely operate; the 40 percent range is probably where we're going to be. So can you get it down there? I think that's where people want to go. And so this does give them now something beyond
the normal regulatory audit, which you are guaranteed to have, and there's a fine right behind it if you're not doing it, which is why they get budget, or the breach, which is insurance in essence. So if you don't think you're going to get breached, you might not get a cavity. Maybe you don't need insurance.
Maybe you don't need that checkup. Who knows? Now you've got this other piece that's in your face every single day. This is the grandmother. DSPM is your grandmother saying you need to eat right. You need to eat more. You need to clean up. You need to take a bath. You need to, every single day, always, always in your face.
And so that's, to me, that's the case. And now you have that reason, as long as you're using it, as long as you're paying attention to it, you have the evidence that you need to do what you need to do to move from compliance, or a knee-jerk reaction on a breach, to just everyday best practice, which is where we should all be anyway.
[00:32:02] Marco Ciappelli: Do you ever get the question, what else have you got? Instead of saying, hey, you could also do this, it's like, hey, keep it coming.
[00:32:13] Terry Ray: There's always something new coming, right?
[00:32:16] Marco Ciappelli: Well, in an ideal world, that would be the question that you get. Like, what else can you do?
[00:32:22] Terry Ray: Look, we get that question commonly, and I'll say that probably the biggest question, you know, as a real question, the biggest question we've gotten over the last 20 years has been: you do everything that you do for databases.
What about my unstructured data? What about my file servers? Can you help me there also? And so that's actually a big effort that Thales is, frankly, a big part of the reason Thales acquired Imperva is to say, we think we can do both. We think we should be able to do both. And in fact, you're going to see us doing both.
We can bring in, if you've got AWS S3 or other systems or file servers on prem, we... Interestingly, Thales already has agents for those file servers. I won't go into the details of it, but the point is being able to answer a really simple question around DSPM. Where do you have problems? Well, I have problems here, here, here, and here.
Well, tell me what Terry did. Terry's one of your problem people in your organization. Tell me what he did. I want to know every file he touched. I want to know every database he got into, every app he went to. I want to know every key he used. I want to know everything about Terry. In the world before this acquisition,
you had to go to at least two, probably three or four different technologies and piece all of this together to build the puzzle of what does Terry do? Our goal here is to give you one place with the puzzle already built and you just get the picture. What did Terry do? And here's your snapshot. This is Terry.
Everything he does. And that's the most common question I think I get at this point: if you can do one, why can't you do the other?
[00:34:04] Sean Martin: And do you have any examples you can share, Terry, around, I don't know, maybe an industry or two where organizations are looking to answer certain questions?
I don't know, they may be the AI-driven ones, but to your point, what did Terry do with the AI chatbot, or what did our customer do with certain things? So do you have any examples that help describe the business scenario that's really driving the reason that there is data in the first place, and users using it, and the need to protect that connection?
[00:34:41] Terry Ray: Yeah. Yeah. And this is aside from the reason of regulatory compliance, reasons why organizations would do this rather than somebody else told me I need to, right, a GDPR auditor said, you go do this or else. Organizations come to us all the time and say, I need to know what's going on in my environment.
Now, these are the security-forward organizations. Oftentimes these are organizations who have been burnt in the past, and now they're coming around and they're saying, I have the project, it is live, and now I want to make sure this doesn't happen again in my environment. How do I detect this? And the biggest question that I get in this is, the organizations that are asking the questions just don't have the expertise in data security.
There are so few users. I'm pretty certain I've talked to you guys even about this before, but I'll say it again. And I pick on LinkedIn a lot, but if you go to LinkedIn and, in quotes, you type in database security, you're going to find about 36,000 people that claim to be database security experts. You can cut that in half and find the actual experts, and the others are not expert experts.
Do the same thing for file security and you're going to find even fewer people that claim to be experts. There just aren't experts in security in the data plane. And so these organizations are coming to us saying, how can you help me augment my staff? And it's not about people, it's about automation and tools.
And so for a lot of this, you've mentioned AI. A lot of the use of AI that we see today is large language models and small language models and these other tools and things that we're seeing today. But we've been using forms of AI and unsupervised learning and others for many years, for decades. And one of the big value propositions behind leveraging, I'm just going to call it AI even though it's a bit of a different field, but machine learning and others behind AI,
is the ability to consume vast amounts of data. And when we think about data security, that is all it is: gathering vast amounts of activity. I want to watch everything happening in an organization, not just your sensitive prioritized servers, because that's not a good data set. If I'm going to use machine learning, that's not a large language model.
That's a very selective language model. I want the big model of everything happening in your environment. That way I can compare Sean's activity to Marco's activity, and Sean's activity to Sean's prior activity. All of that is really critical when you're trying to do data security, because the alternative to using machine learning to detect threats
is using signatures. Signatures mean that you are an expert and you know every bad way somebody could do every bad thing in your environment. And nobody knows all of that about their environment. So signatures just don't work in this space. You have to have a volume of data, broad data sets, the three or five Vs of data science.
You have to have all of that come together into a model to be able to say, I know what Terry did, and he didn't do it right. He's doing something really weird, because I watch him. I watch Sean, I watch Marco, I watch my apps, and I watch my AI. And I can tell you he's doing it like none of them. And he's accessing an awful lot of data.
I think I probably need to take a look. That's not a signature. That's just knowledge. And that's the power, I think, that happens once you can bring all of this together. And that's a big part of what we do.
[00:38:13] Sean Martin: So there's human behavior you're certainly speaking to there and also system behavior.
I look at things often from a workflow perspective. Things move from A to Z, and they take different paths based on different user behavior, different business requirements, or that's just the way the systems are configured that it's running through. Do you find any, because a lot of this stuff is designed maybe well from the beginning and morphs over time, right?
Things creep, systems get added, companies get acquired, new database technologies come around and support new features. I guess what I'm wondering is, do you find there are knock-on benefits beyond just security, where users find better performance because the data is managed better and the systems using it are connected more tightly and therefore there's less delay, or maybe even some outward-facing benefits of, we were able to demonstrate a level of trust to our partners and our customers that we weren't able to before, because we've shored up some of these things?
Are there any knock-on benefits like that beyond just, you have a better posture?
[00:39:29] Terry Ray: Sure. Yeah. I mean, look, once you start looking at data, once you've accepted the fact that you should do the same thing in your data space as you do on your endpoint. Don't we all watch everything happening on our endpoints, and don't we watch everything happening in our network with network filters and everything else?
Once we start doing that same practice in the data, what it now means is, it's not just about security, exactly to your point. I can start to say, in this database, I have a very long-running query. It's a query that actually takes a very long time to produce, and it's going directly to an API.
If I can shorten that query or do something in that workload, I can make my actual business and the operation between the business faster. We've had this report for a long time. I'll admit I focus on security, but I've known the report was there for years, and I know our users use the report, but our security team and customers typically give access to these systems to other departments exactly for that reason, right?
So they'll give limited access to the interface and say, okay, you're the developers. I know you don't need to know anything about the security and everything going on, but I do have a model of how this database or this file server or this application actually operates day to day. How fast is it?
How slow is it? Which queries might be broken? Which queries are operating efficiently? Use that. And the other piece to this is about user rights. User rights is a big part of this, and it's a huge gap that people have, that usually they don't do anything with it. I would argue that it sits in security, but it benefits the organization quite a lot by minimizing the impact of an application or an API that would be using data it really shouldn't be.
I'm going to tell you a story. I'm not going to tell you the name of the company, but there's an organization that we work with. And for years they had been monitoring all of their data, monitoring, collecting all the data. And the first time we brought out our analytic platform, we said, let's funnel all of the data that you've collected for years through it.
And let's just see if you missed anything, because you've been using our system for years. Let's see how much better the analytic platform is than, let's say, pure regular expressions and signatures. They quickly identified that what they had is they had human users that were accessing data in a database that only
the applications and the APIs ever access, or at least ever look at. You know, when you look at data in a database, you can look at the data or you can manage the data; there's other things, but there's the difference between opening a file and reading it and moving a file from point A to point B. Same thing in a database.
So they had these human users that were actually looking at data that only the applications would. Now, normally you might say, what's the big deal? Well, the big deal here was that those applications and APIs were actually only accessed by federal law enforcement, homeland security, and others. They had very restricted access to these applications.
However, the people that were accessing were database administrators, and what those database administrators were doing is they were watching their significant other to see whether or not they were going through certain places on the road, and it was able to track them on those certain places on the road.
And they'd say, make sure, did you go to the mall this week, or did you not go to the mall this week? You said you did. It wasn't nefarious. It was just personal, you know, personal benefit, if you will, but it was a violation of corporate policy, if not, I don't know if it's federal policy, but certainly a violation of privacy, although we don't have those laws in the United States at this point, but a violation of personal privacy that they have there.
And so it's these kinds of stories that I think organizations have to realize actually happen all of the time. I mean, how often do organizations really monitor access to Salesforce.com, to ServiceNow, to some of the places where there's a lot of private data? And if you think that you have a salesperson that, if they're about to leave the company, doesn't go and look at their Rolodex in Salesforce.com
and maybe take a snapshot or print it off or something, I think you'd be really surprised. You shouldn't be, but you'd be surprised how frequently that happens, that people will go and do that. Arguably it's a gray area between a data theft and not a data theft, but are you monitoring it?
Are you looking at it? These are the kinds of things that organizations will come to us and say, it's not regulated data for the most part, but these are the kinds of things I'm trying to solve for. And usually they're trying to solve for it because they identified it at one point some crazy way, and they want to see how much more it's happening, and then they learn the truth.
[00:44:20] Marco Ciappelli: Well, I want to finish with a philosophical thought, which is, when you think about ideals, they're meant not to be reached, because they kind of go away from you. I kind of see security as that, right? And you know, you said it before: perfect security, we know it doesn't exist. New technology allows you to discover new things.
And you mentioned a few that maybe 10, 15, 20 years ago you wouldn't even think about being a security issue. And I want to connect it with that bar, right? Are you ever going to get to 100? Or when you get closer, you get to 95, 96, then it kind of gets more and more away from you. But that's not the problem.
The problem is not to act on it, thinking, because I'm never going to reach 100, I don't care. Right? I mean, you still need to strive to do the best you can and be ready for what's coming next. So that's, yeah, I wanted to throw that out there.
[00:45:24] Terry Ray: That's the problem we run into, right? It's why I think security people have a hard time getting budget.
You can use the analogy of, it's a cat-and-mouse game. There's always something different. Tom's always got a different hammer and Jerry's always running a different way. Or you can say hackers are like water. They're going to take the path of least resistance. You put up resistance, it'll find a way around it, through it, one way or the other.
And that's the frustration, I think, that executives have, which is, you just told me to solve this problem. I needed to do X, and now I need X plus one. So that's the challenge. And that is because plus one exists because we put X in place. The one wouldn't be here if we didn't put X in place; it'd be going through.
So it is a cat-and-mouse game. And it's one of the reasons why I love what I do. You know, I know people that do the same thing over and over and over again, and they love what they do. For me, I love the fact that this industry is constantly evolving and constantly changing. I realize that's a frustration for the practitioners that are out there.
But that's the world we live in, right? We are trying to catch the bad guys and they're always looking for another way around whatever control is in place.
[00:46:29] Sean Martin: Well, there are multiple Toms, multiple Jerrys, right? And they're scaling out of control. And I think, for me, it's the reason why a partnership with you and your team at Imperva makes a lot of sense.
So you said it's hard for the practitioner to keep up. Keep up with what? And that's where you come in, and that's where your investments in Imperva's Data Security Fabric come into play. And you just described a previous investment in the analytics, right? Bringing to bear a new capability. So I think, yeah, working with you and your team really helps the practitioner and their teams and their business leaders keep up to date and on top of things.
So you take the brunt of it.
[00:47:21] Terry Ray: That's the case, right? You do
[00:47:22] Sean Martin: the heavy lifting.
[00:47:24] Terry Ray: That's where we are, right? And that's what we've tried to do with the new capability of data security posture management, what we call data risk intelligence: to be able to give you, shine a little bit of light.
Give you a little bit of that picture that there is a light at the end of the tunnel. It's just the tunnel continues to grow, but the light's there and it's not getting any further away. As long as you're doing something to maintain and keep up with it, you'll stay with the light. You'll never catch the light.
You'll never get out of the tunnel, but you can stay with that light. And so our goal here is to at least enlighten organizations and practitioners that there are things you should be doing today to stay with current events. Do these things. And trust me, there will be some new things. Organizations are going to cause their own new things.
I don't know if it was Marco or Sean, one of you said it. You're going to go through an acquisition and you're going to see a spike in your risk because all of a sudden there are new assets. Call it a bad day or a good day. You've got something to do. You've got something to go prove and go get done.
Or, yeah, now you've got a lot of work to do. However you want to look at it, you've got a picture now. You know where the light is. Head in that direction and go get those things done.
[00:48:35] Marco Ciappelli: Yeah, and if you level up before, you're more ready than if you didn't do anything. So that's the lesson right there. I always enjoy, Terry, the conversations with you. People who want to check the Imperva directory page on ITSP Magazine can find another three with you, always entertaining and very, very insightful, as well as many other conversations with other leaders at Imperva. So that's what I suggest people do, and I for sure know there will be another conversation with you very soon.
[00:49:13] Terry Ray: I'm looking forward to it.
It's always a pleasure, you guys. And it doesn't matter if you're in the US or traveling all around. So it's always a pleasure with you.
[00:49:19] Marco Ciappelli: In the past, in the future, who knows?
[00:49:20] Sean Martin: That's
[00:49:21] Marco Ciappelli: right.
[00:49:23] Sean Martin: Oh, thanks, Terry. And thanks, everybody, for listening and watching. Do connect with Terry and the team, and stay tuned for more conversations.
And we'll see you back here on ITSP Magazine soon.