Originally aired on January 26 @ 5:00 AM - 5:30 AM EDT
In this CIO Week Segment, Cloudflare co-founder, President, and COO Michelle Zatlyn hosts a fireside chat with Kelly Bissell, leader of Accenture Security. Kelly oversees Accenture's full spectrum of security services including advanced cyber defense, applied cybersecurity solutions and managed security services. He is a member of Accenture’s Global Management Committee.
Hi, everyone. Thank you so much for tuning in. I'm Michelle Zatlyn. I'm super excited to be here doing a fireside chat with Kelly Bissell. Thank you, Kelly, for being here. Thanks, Michelle. It's good to see you again. It's great to be here. Well, we're having CIO Week this week at Cloudflare, and I couldn't imagine a better place to have a better person to have a conversation with than yourself. So I'm really looking forward to the next 30 minutes together. Thanks. Thanks. All right. Well, let's dive in. And so, Kelly, you run the cybersecurity practice at Accenture, which is a large systems integrator. We're going to hear more about that. And I think there's probably some people tuning in who are not sure exactly what this means. So maybe for people who aren't familiar, tell us a little bit more about Accenture's global security practice, your client profiles, and your mission as an organization. Thanks, Michelle. Look, and I think it's pretty simple. I mean, Accenture is a consulting firm, and it's not maybe a traditional consulting firm where we, yes, we consult, but we also manage clients' IT environments and security environments, too. So I mean, to give you a little overview, we've got 8,000 people all around the world. Last year, we were $4 billion in our revenue. I mean, so we're a hefty security organization, if you will, maybe the largest security services company on the planet. And our mission really is to help secure the world. I mean, it is that simple. And it's airplanes and cars and airports and pharmaceutical companies and banks and governments. So that's our mission. And we've done a lot of great stuff, and we've got a long way to go, I think. That's great. And you mentioned that Accenture has about 8,000 people. Tell us a little bit about your clients. 
How many projects do you help work with on client to help secure the world and your clients' organizations on an annual basis, approximately? Usually, we run around 15,000 security projects a year. And some of them are identity management. Some are infrastructure security that we work on with you and other companies. But it's really about all how we secure maybe that pharma company from all the way from joint ventures to labs and research to clinical trials to manufacturing and distribution. And so our clients are usually those large, really complex clients that are trying to actually innovate to serve their customers better. And we're helping them get there in a safe way. Well, I love this. And you've been at Accenture for 20 years? No, I've only been here for five and a half years. Five years and a half and a few years. OK, perfect. But I've been in this game for, gosh, 25 years now since the Internet was really being adopted. So that's what all the gray hair is for, Michelle. I call that scar tissue. It's wisdom. OK, well, look, this is why I was so excited for this conversation because, again, over the last year, you've done 15,000 projects, 15,000 before that, across a breadth of portfolio, all with a cybersecurity mindset. And when you're working with the largest organizations, you are partnering with the senior leadership at these organizations. So I just think that you have such a unique viewpoint. And I really want to hear about kind of what you're hearing that's on your client's top of mind. And so let's start with SASE, the Secure Access Service Edge, as well as Zero Trust, because these are words and frameworks and topics that are everywhere. And I'd love to hear what is your point of view when it comes to SASE and Zero Trust? Yeah, well, one, I think it's super important. And some might say, well, gosh, we've been talking about Zero Trust for years with least privilege. But it's much more than least privilege when it comes to access. 
It's around how do we think about everything differently from our network, and not trusting that network, if you will, to our applications, our ecosystems, and our third parties. It's everything that we do. Even things like you might not think of otherwise, like merger and acquisitions, or developing a new product for your customer. So Zero Trust is a really great mindset. And so with SASE, especially as we get to the edge, because it's easier to secure the central IT, and as you get to the edge with wearables and all kinds of things, it's harder to secure this piece. And so I love that we're going down this path as an industry, because I think it will make us better. That's great. You know, this kind of reminds me when I was first starting Cloudflare, we used to go to different conferences. And I remember somebody walking around with a microphone saying, what does cloud computing mean? And I feel like a little bit 10 years later, it's what does the Zero Trust mean? Going around and asking all these experts, and everyone has a slightly different description and point of view, but it does feel like it's here to stay. And we're on the journey, and we're in it. And 10 years from now, we'll be able to give a much more accurate description, definition of exactly what it means, but definitely feels like it's here to stay. It's definitely here to stay when it gets put into regulation. That's when you know it's really here to stay. Okay, okay, there we go. Spoken like a true expert. So back to your clients, you work with these clients. And I'm just curious, you know, bring it more tangible. So how, when you think about SASE and Zero Trust, how do you think about these frameworks as being helpful to your clients and setting policy and planning for what's next for them? I would love to hear a little bit about how you tie those two together. So the practical side of this, and I love to, as you know, I love to get into the practical side. 
It used to be that when a company had a network, no matter where that network was, once you get authenticated into the network, you could go wherever you wanted to. You were trusted. And really that's what Zero Trust is. Don't trust the person from the network all the way in. And so that's really what I like about what Cloudflare does and some other companies is it actually looks at everything from the network and doesn't trust any circuit or any configuration, any subnet, any system or whatever. So this is really what helps our clients really think differently to combat against either insider threat or, you know, a hacker that's gained access to part of the network. Yeah, I know that sounds, I agree. I love that analogy. You know, the analogy we use, which I like yours a lot is a castle moat. Before it was a castle moat, you got into, you got over the moat, you got into the castle, you could roam around the castle. And I think a good kind of this idea of, well, no, now, even if you get into the castle, you still got to go unlock every door and the drawers are locked and the windows are locked. And so you got to go and it just slows everything down. You're still in the castle, but the amount of things you can do in five minutes are very different than if you could just roam freely across the castle. So I think that's a really good, your description really resonates with me as well. You know, when you talk to your clients about Zero Trust and SASE, how do they think about how to even, everyone's on a different part of their journey. Again, with these large organizations, there's some who are very far along, they're setting the trend. There's others who are in the middle and there are many companies and organizations and industries that haven't even gotten started yet. And so when you talk to them, like how do you, how do you help frame where to start? And, and is it a six month project for these organizations a year, or how do you frame that for your clients? 
I actually see this as a journey. It shouldn't be thought of, I believe as a project, meaning I'm going to finish this in one or two years, but it's something that I'm going to actually create a journey. And so as my company continues to innovate new products and services for their customer, the consumer, maybe I'm going to apply that same technique, if you will. So if you really wanted to get started, I believe you start with a few areas. One, work on the network and you can have the network team, if you will, work on securing the network and have these untrusted subnets, if you will, and all the components there. And, and then have the identity team also have this Zero Trust approach for not only privileged access users, but also internal users, maybe even contractors, or even the customers themselves. So really look at these components in chunks, if you will, and start your journey, because the best way to finish a journey is what, start at one foot after another, right? I definitely agree. I think that the get started part is really interesting. And we hear that all the time as well as get started. And, you know, you mentioned contractors, and that's often a really common use case that we see some organizations starting with, because there aren't good solutions there. It's almost like they don't have to change anything else. But this pain point of how do we onboard contractors? How do we offboard contractors? How do we get them access to some of our internal workflows? So our teams don't have to be cutting and pasting, you know, our internal wiki for them to see, which is just, you know, not productive time. That feels like a place where we see a lot of organizations starting saying, this is a use case that is a real pain point internally, and it's bite size. And so it's easier to start with. So then, and once you start to see, oh, wow, this is actually very easy. Where else can we go from there? And then, you know, again, you start the journey. That's right. 
That's right. I have a little joke for you on Zero Trust, if you want. I would love to hear that. All right. So why did the two engaged couple, why did they sign a prenup? The two cyber couple? To trust. Zero Trust. Zero Trust. I didn't say it was funny. I just, I said it was a joke. So. I was like, there is some, there's for sure something related to Zero Trust in there. So I'm just going to go answer at that. Let's get, did you come up with that, Kelly? Yeah, I don't, I don't, I don't know how that came up with this one. So. Okay. You know, okay. So let's just switch off Zero Trust for a second, which I know it's related. And I do want to come back to your comment, how you said, well, you know, when it's in policy, it'll be here to stay. Maybe, maybe before we move off, I'd love to hear, hear a little bit more. What do you mean by that? And so if you've seen in the, in the United States, the, there's a few executive orders that have come out around cybersecurity this past year, especially on the backs of what's happened with, you know, some pipeline problems and some other, you know, breaches that are happening that have affected a lot of companies around the United States or even the world. And, and one of the executive orders that came out actually said, look, you need to deploy for all the federal government, EDR tools and Zero Trust approach and some other things. And so when I see these terms move into a regulation or in this case as executive order, and then it moves into NIST, now it becomes actually part of a standard that is now table stakes for what every company needs to think about. Yeah. Yeah. No, I think that that's, I actually think that's really good. That increased awareness on this point. I mean, it's terrible that some of these high profile security breaches happen. It's awful. 
And you can see how the panic and the confusion it causes, but I do hope it raises awareness for every business and citizen to realize we got to take this seriously and it's an opportunity for us to rise all tide. So cybersecurity is implanted in both citizens, everyday life, just you're all doing things online. We all need to be better digital nomads, but then also organizations start to say, wait, could this happen to us? What if this happened to us? Are we prepared? And so I think raising these awareness is really one step in the journey as well. Well, I actually think, yeah, the awareness is good. And I think most of the security marketplace, we've been talking about this for a little bit of time, but I think the awareness needs to come much broader than that, the board level and the executives, because they need to understand these things so that they can think through their own business unit, like card services. How do I actually adopt a Zero Trust mentality and partner with IT, partner with security to solve this as a business imperative, not as an IT problem, but as a business imperative. And if we do that, then I think we can be safer. You know, when you work with your clients, they ask you, Kelly, how do I get my peer over there to listen to me? Or how do I get our CEO take this seriously? Or how do I get our board to pay attention? Because I think there's probably some people in the audience feeling like I understand, but I can't convince others to give me a budget or I don't know, whatever I'm saying isn't resonating. And I've been told if I say the word Zero Trust one more time, I'm going to get thrown out of the room. I mean, what advice do you have for people who aren't an expert to try and influence others in their organization or board level discussion of why this is so important to pay attention? Sean, I've heard this so many times. You're right. 
Is the security organization or even the infrastructure team are like talking about this forever, but the business owners sometimes don't always understand or take it seriously until it happens to them. Then they're a believer, if you will. But I think this is where it sort of needs to change at the tone of the top, at the CEO level, at the board level. And I have seen, which is an interesting story, I've seen where I helped a bank change the comp structure for the business unit leads. So if they're breached, their bonus and their comp is affected. Then all of a sudden they got religion. Then they thought it was serious. And there was not a whole lot of selling to do, if you will. And it became a real partnership. And now that bank is what I would call a cyber champion, which is really good. And shouldn't every business want to be a cyber champion and be safe? I love that story. So they changed the compensation for the business owners so that they feel bought in to saying, okay, well, I want to make sure that I'm not docked negatively impacted by an upcoming event. So let's get prepared. That's really interesting that it drove behavior. Yeah. Hold them accountable, right? Another story I've heard from a CISO was they grade all their employees of the organization. It's also a financial institution when money is involved, obviously it's really important. And they give everybody almost a cybersecurity grade. They have a grading scorecard internally based on, are you being phished? Do you have good password hygiene? And it becomes part of their performance reviews internally as part of teams, not just within the security organization, every single person that works in this organization. And it really made me think of like, wow, that is kind of top quartile where it's just like, it's so embedded into what we do on a daily basis and people are reviewed and measured against how they're doing on that. So it's another version of that. I love that too. 
I mean, it's these good examples that we can share and help everybody as a whole. So you're right. I think you mentioned before, it's where the tide lifts all boats. Yes. I love that. I love when tides raise boats. It's good. Okay. So let's just switch gears off Zero Trust for a second and maybe widen the aperture. I see that you have a telescope in the back, so it's a good analogy. The last two years or 18 months, we went from very much being in the office, inside the castle a lot as a business organization, to now with the global pandemic, people are working from everywhere. Sometimes their closets, literally, or their cars, or your home office, or my garage, wherever I can get a piece of serenity. And sometimes it's on the way to the office. And I'm just curious, as you've talked to your clients, what else have you seen that's changed as you kind of just reflect back maybe some, again, because you have done so many projects over the last 18 months, 15,000 per year, you work with so many different organizations, any trends or things you can share with the audience of what might be interesting? Yeah. So look, I think the COVID thing actually shifted everybody to remote, as you mentioned. And I think it woke everybody up to the point where there is no network anymore. The network is actually the Internet. And that's really what really has driven this Zero Trust. So that's the last thing I'll say on the Zero Trust. But it's also really sped up innovation. Transformations of companies, where they go, hey, wait a minute, we went through this COVID situation, and I realized we can move much faster. So how can they transform this next piece, whether it be artificial intelligence, or moving to a delivery system for their bricks and mortar business, or what have you? And they realize that they can move faster. 
And when they do move fast, it means how do we add security at the very beginning, so we can, like brakes on a car, not slow the car down, but allow it to move faster, if you will, in a safe way. And that is what I've seen. So around artificial intelligence, around more e -commerce, around even things like clinical trials from a virtual standpoint, which has not really been done a whole lot before. Safer OT security, or plant security. As we move to other products like connected cars and edge devices, securing that. So I think it really, that sped up cycle is allowing us to innovate more with security built in by design, which is really where we should be. So it's good. I love that. I love that it's getting pulled up earlier. I think those are lots of things to be hopeful for, which is interesting. And all being remote, it's interesting because I don't think we would have run this experiment if we weren't forced to run the experiment. It turns out some things got better, I think, as you're pointing out. Necessity is the mother of invention, right? I guess this is why it comes from, that's exactly where it comes from. That's exactly right. Do you see anything changing from the cyber threat landscape, kind of from the last two years? I mean, you talked about new devices coming online. Do you see a new, anything changing from the cyber threat landscape? I do. I mean, now this is the sad part. I mean, we're seeing more cyber attacks and ransomware than the year before, and the year before that, and year before that. So I'm worried that we're in pandemic mode of ransomware. And I have seen some positive changes in the market that might hopefully stem that. But right now, we are in pandemic for ransomware. So I'm worried about that. I'm worried about really a bunch of old technology within manufacturing plants that haven't been touched for 10, 20, even 30 or 40 years. And securing that is really a challenge. 
And the attackers have woken up to not only just attacking the corporate office, but those plants as well. And that can cause real harm and damage. And so I'm a little anxious about that. And then to quote a little French philosopher who said, look, with every innovation comes the good and the bad. We didn't have the shipwreck until we invented the ship. I think that does apply to everything we do. I mean, whether it be AI or quantum or some other things. So I think we have to be careful about the future. About the shipwrecks. I think those are good. You mentioned ransomware, and we're seeing that from our clients as well, just a rise in organizations receiving ransomware, credible ransomware threats and notes. And that's a very violating, terrible experience when you are the receiving end of that. And so I think we've seen a big rise too over, I think it's over 50% annual. It's a big increase in the last two years. I'm just curious when clients come to you, what do you tell them to do? Because again, there's people listening and it's a little bit of, I didn't know, thanks for telling me. I don't want to be in that situation now. What do I do, Kelly? Well, I've gotten a call from a few CEOs lately and says, hey, I'm a victim of ransomware. I can't produce product. I can't ship it. I can't even field calls from customers. I can't close my books. What do I do? And this is a panic mode, if you will, in a crisis. And so we work through to figure out, OK, how do we actually get through the crisis, through the ransomware, start looking at things like backups, getting key systems online, not the ones that maybe you think about. We don't care about payroll. Bank can process the last payroll run, if you will. But things like systems to allow order taking, production and shipping so they can actually maintain revenue flow, if you will. And in the last client that I was on was with a company that had plants all around the world and they were all down. 
But fortunately, we got them back up and operating within four weeks and they didn't lose a huge amount of revenue because we got those revenue systems on first, if you will. But my advice to everyone, whether you're a developer or you're a CEO of a company, is to actually go through a real simulation of a ransomware event. Because just like in a team sport, you can't just read the playbook and think you're going to be able to execute well on the field, on the pitch. You have to actually practice it in a real life environment, if you will. And that's what I would suggest everybody does with people who've lived through it with scars like me and a bunch of others at Accenture that's helped plants through this crisis. That's what everybody's got to do, whether you're a small company or a big company. I think that's really wise words. The second piece that you said around some of these assets or equipment that haven't been secure that are sitting there, that also resonates with me. I mean, I think there's a bunch of businesses that have been born on the cloud the last 10 years. That's not them. But there's all these other companies have been here for a lot longer than 10 years and they still are running really old systems. And it's non-trivial to feel like you can secure them or digitize them and you use the examples of plants, equipment that's been sitting there for a long time. And so what, again, for folks listening to me, like I have this and I was talking to a client recently, they're a hundred year old company and they just, we've started here, but now we've got to go do all the hard parts that we're not even sure what to do yet. We're going to figure it out, but we're not sure. What do you tell those clients who have been in business for a long time and have some of this legacy and they are not sure how to approach it? First of all, I think it's okay. I don't think everybody should panic and have this fear, uncertainty, and doubt, but there are good plans. 
And so there are some old things that we can't replace because it's not cost-effective or there's not a real replacement and that's okay. Let's ring fence those things and protect those environments. And I think that's good. But the second thing is figure out where are your crown jewels throughout your whole value chain, if you will, and figure out surgically, if you will, what do I do for this one? And it might be a different approach for that one and this one and the other crown jewel. So to have a very specific plan for each, as opposed to a peanut butter, where you spread everything exactly the same is important. Second thing I'll say is don't forget about your third parties. Most companies work in an ecosystem of a bunch of other companies. And so you have to really think about your third parties who are really processing sensitive information and data for you that really, that really affects your business. It could be as simple as fuel management. If you can't get fuels to the trucks, you can't deliver packages as an example. So I think to really understand your business and create a very actionable surgical plan for each crown jewel that you have. And it's not that hard. Yeah, no, it's great. I think when you break it up and it's almost, it's a little bit like when we go back to the analogy of zero trust of it's a journey, find a place to start and start. This is a little bit of, okay, look at the portfolio, break it up, categorize it, and then you can start to make progress against each of those, each of those work streams. Right. There's some similarities in the approach there. Okay. So zooming out, you spend so much time speaking to C-level executives, the government, the largest organizations of the world and all these guys and all the different policymakers. Again, just such a unique vantage point. When you think, if you could distill all those conversations, I mean, all of us aren't there sitting on your shoulder for all those conversations. 
What are some of the lessons that you've learned from those conversations? Are there certain topics that you're like, wow, people are real, that give you, that you're excited about? Are there, do you feel like there's some lessons that people are, the same mistakes people are making over and over again? Any words of wisdom you can share with the audience here? I mean, and this may resonate with a bunch of people watching, but one is, I think generally the board want to do the right thing. They really are truly wanting to do the right thing, but they generally don't have the skills. They don't understand the cybersecurity or the IT elements to ask management the right questions. Because most of them are in their sixties or even older. And when they were in business, they didn't really have this problem. So that's one. The second thing is executive management generally wants to do the right thing as well. And so they, cause they want their business to thrive. The challenge is the security team wants to do the right thing, but somewhere in the middle, it gets lost. It's what I call the Oreo cookie. It's hard on the top and hard on the bottom, but it's squishy in the middle, if you will. And, and I think that this is where governance matters in that sometimes when you have a dollar to spend in technology, you spend it on bells and whistles, features and functions of a product, or you've spent it on securing the infrastructure, which generally nobody sees. Many times it goes this way. It doesn't go that way. And I think it's really about making really good business decisions about how to create trust with your customers by securing their data, keeping it private and keeping it available, if you will. And that's really what your customers really want. 
And so the lessons learned is everybody wants to do the right thing, but we don't really always have the right skills and the right attention and the right focus to be able to secure those things throughout the whole environment. And I think that it's up to everybody to think about not just what they do, but how do we look across the whole business to make sure it's safe? I know what you said about the first part that really resonated with me. And you're like, boards want to do the right thing, but they might not know the right questions to ask. And then they end up asking the wrong questions. And it kind of, you're like, this isn't not productive and not meeting the business goals. And, and so let's say there's someone listening who is that 16 year old, 60 year old business leader. They've had a really great career, but these are new things. They actually aren't sure about the right questions to ask. What, what should they read? Where should they go look and, and how can they start to ask the right questions? Any advice for those people? Well, just like anything, you know, you have to keep learning, I believe. And so spending time with experts, Michelle, like you and, and Kevin Mandia and a bunch of other people, I think is really valuable because you can learn a lot from, from these people. The second thing is there are, there are some executive training areas that some universities put on. And I think going through that and through NACD around cyber things might help directors learn, but you know, you got to dig in and maybe even bring some experts along with you to help with the nuances between what the company is trying to accomplish. Maybe that's a good recipe. Yeah. Yeah, no, I think that's great. And how about the opposite end? How about the developers who are just out of school, starting their career, super excited. We have about a minute left. Any, I mean, any advice for them of, of things that they should pay attention to? 
Oh, look, if you're a developer, you're the core, the nucleus for actually how to keep things safe, I believe. And so, you know, you're going to have this pressure of developing code super fast to be able to get the product out the door, but the ones who actually secure it better are the ones that are most valuable developers. So my suggestion is think like an attacker. If you were a bad person, what would you do and how would you break into your own code? And if you can think that way, then you can keep it safe. So for all the developers out there, I think you are truly at the core center, the nucleus for keeping us safe. I love this. Oreos, nucleus, ships, shipwrecks, castles of boats, so many analogies. Kelly, this was such a great conversation. Thank you so much for tuning in, everyone. Really enjoyed your, all your remarks. Thank you so much for being here today.