Originally aired on March 6 @ 6:00 AM - 6:30 AM EDT
In this CIO Week Segment, Cloudflare co-founder, President, and COO Michelle Zatlyn hosts a fireside chat with Kelly Bissell, leader of Accenture Security. Kelly oversees Accenture's full spectrum of security services including advanced cyber defense, applied cybersecurity solutions and managed security services. He is a member of Accenture’s Global Management Committee.
CIO Week Hub for every announcement and CFTV episode — check back all week for more! Hi, everyone. Thank you so much for tuning in. I'm Michelle Zatlyn. I am super excited to be here doing a fireside chat with Kelly Bissell. Thank you, Kelly, for being here. Michelle, it's good to see you again. It's great to be here. We're having CIO Week this week at Cloudflare and I couldn't imagine a better place to have a better person to have a conversation with than yourself. So I'm really looking forward to the next 30 minutes together. Thanks. Thanks. All right. Well, let's let's dive in. And so, Kelly, you are run the cybersecurity practice at Accenture, which is a large systems integrator. We're going to hear more about that. And I think there's probably some people tuning in who I'm not sure exactly what this means. So maybe for people who are familiar, tell us a little bit more about Accenture's global security practice, your client profiles and your mission as an organization. Thanks, Michel. Look, and I think it's pretty simple. I mean, Accenture is a consulting firm and it's not maybe a traditional consulting firm where we yes, we consult, but we also manage clients IT environments and security environments, too. So, I mean, to give you a little overview, we've got 8000 people all around the world. We're about last year. We're $4 billion in our revenue. I mean, so we're a we're a hefty security organization, if you will, maybe the largest security services company on the planet. And our mission really is to help secure the world. I mean, it is that simple. And it's airplanes and cars and airports and pharmaceutical companies and banks and governments. So that's our mission. And we've got we've done a lot of great stuff and we've got a long way to go. I think. It's great. And you know, you mentioned that Accenture has about 8000 people. Tell us a little bit about your clients. How many clients, how many projects do you help work with on client to help secure the world and your clients organizations on a on an annual basis approximately. Usually we run around 15,000 security projects a year and some of them are identity management, some are infrastructure security that we work on with you and other companies. But it's really about all how we secure maybe that pharma company from all the way from joint ventures to labs and research to clinical trials to manufacturing and distribution. And so our clients are usually those large, really complex clients that are trying to actually innovate, to serve their customers better. And we're helping them get there in a safe way. Well, I love this. And you've been at Accenture for 20. No, I've years. only been here for five and a half years. Five years. What happened? A few years back. But I've been in this game for, gosh, 25 years now since the Internet was really being adopted. So that's what all the gray hairs for, Michel. I call that scar tissue. It's it's it's wisdom. Okay, well, look, this is why I was so excited for this conversation because, again, over the last year, you've done 15,000 projects, 15,000 for that across a breadth of portfolio, all with a cybersecurity mindset. And when you're working with the largest organizations you are partnering with the senior leadership at these organizations. So I just think that you have such a unique viewpoint, and I really want to hear about kind of what's what you're hearing that's on your client's top of mind. And so let's start with SASE, the secure access service edge as well as Zero Trust, because these are were words and frameworks and topics that are everywhere. And I'd love to hear what is your point of view when it comes to SASE and Zero Trust? Yeah, one, I think it's super important and some might say, well, gosh, we've been talking about Zero Trust for years with least privilege. That is much more than least privilege when it comes to access. It's around how do we think about everything differently from our network and not trusting that network, if you will, to our applications, our ecosystems and our third parties. It's everything that we do. Even things like you might not think of otherwise, like merger and acquisitions or or developing a new product for your customer. So Zero Trust is a really great mindset and so a SASE, especially as we get to the edge because it's easier to secure the central IT. And as you get to the edge with wearables and all kinds of things, it's harder to secure this piece. And so I love that we're going down this path as an industry because I think it will make us better. It's great. It's great. You know, this kind of reminds me when I was first starting Cloudflare, we used to go to different conferences and I remember somebody walking around with a microphone saying, What does cloud computing mean? And I feel like a little bit ten years later, it's what is the zero, trust me? And going around and asking all these experts and everyone has a slightly different description and point of view, but it does feel like it's here to stay. And we're we're on the journey and. We're in it, and ten years from now, we'll be able to give a much more accurate description definition of exactly what it means, but definitely feels like it's here to stay. It's definitely here to stay. When it gets put into regulation, that's when you know it's really here to stay. Okay. Okay. There you go. Spoken like a true expert. So back to your clients. You work with these clients. And I'm just curious, bringing it more tangible. So how do you think about SASE and Zero Trust? How do you think about these frameworks as being helpful to your clients in setting policy and planning for what's next for them? We'd love to hear a little bit about how you tie those two together. So the practical side of this, and I love, as you know, I love to get into the practical side. It used to be that when a company had a network, no matter where that network was, once you get authenticated into the network, you could go wherever you wanted to your trusted. And really that's what Zero Trust is. Don't trust the person from the network all the way in. And so that's really what I like about what Cloudflare does and some other companies is it actually looks at everything from the network and doesn't trust any circuit or any configuration, any subnet, any system or whatever. So this is really what helps our clients really think differently to combat against either insider threat or a hacker that's gained access to part of the network. I know that sounds. I agree. I love that analogy. You know, the analogy we use, which I like yours a lot, is a capsule mode. Before it was a castle-and-moat you got into you got over the boat, you got into the capsule, you could roam around the castle. And I think a good kind of this idea of, well, no, now, even if you get into the castle, you still got to go unlock every door and the doors are locked and the windows are locked. And so you've got to go and it just slows everything down. You're still in the castle, but the amount of things you can do in 5 minutes are very different than if you could just roam freely across the castle. So I think that's a really good your description really resonates with me as well. When you when you talk to your clients about Zero Trust and Sassy, how do they think about how to even everyone's on a different part of their journey? Again, with these large organizations, there are some who are very far along. They're setting the trend. There's others who are in the middle, and there are many companies and organizations and industries that haven't even gotten started yet. And so when you talk to them, like, how do you how do you help frame where to start and is it a six month project for these organizations a year, or how do you frame that for your clients? I actually see this as a journey. It shouldn't be thought of, I believe, as a project, meaning I'm going to finish this in one or two years, but it's something that I'm going to actually create a journey. And so as my company continues to innovate new products and services for their customer, the consumer may be. I'm going to apply that same technique, if you will. So if you really wanted to get started, I believe you start with a few areas. One. Work on the network and you can have the network team, if you will, work on securing the network and have these untrusted subnets, if you will, and all the components there and then have the identity team also have this zero trust approach for not only privileged access users, but also internal users, maybe even contractors and even the customers themselves. So really look at these components and chunks, if you will, and start your journey, because the best way to finish a journey is what start it one foot after another. Right? I definitely agree. I think that the get started part is really interesting and we hear that all the time as well as get started. And you know, you mentioned contractors and that's often a really common use case that we see some organizations starting with because there aren't good solutions there. It's almost like they don't have to change anything else but this pain point of how do we onboard contractors, how do we offer contractors, how do we get them access to some of our internal workflows to our teams don't have to be cutting and pasting our internal wiki for them to see, which is just not productive time. That feels like a place where we see a lot of organizations starting saying this is a use case that is a real pain point internally and it's bite sized and so it's easier to start with. So then and once you start to see, Oh wow, this is actually a very easy where else can we go from there? And then again, you start the journey. That's right. That's right. I have a little go for you on Zero Trust if you want. I would love to hear that. All right. So why did the two engage couple? Why do they signed a prenup? The two cyber couple. To trust? Zero trust? I didn't say it was funny. I just said it was a joke. So I was like, there is some there's for sure something related to zero trust in there. So I'm just going to go answer with that. Did you come up with that, Kelly? Yeah, I don't know how they came up with this one, so. Okay. So let's just switch off the Zero Trust for a second, which I know it's related. And I do want to come back to your comment how you said when you know, when it's in policy, it'll be here to stay. Maybe before we move off, I'd love to hear a little bit more. What do you mean by that? And so if you've seen in the United States, there's a few executive orders that have come out around cybersecurity this past year, especially on the backs of what's happened with some pipeline problems and some other breaches that are happened that are affected, a lot of companies around the United States or even the world. And one of the executive orders that came out actually said, look, you need to deploy for all the federal government, EDR tools and zero trust approach and some other things. And so when I see these terms move into a regulation. Or in this case, it's executive order and then it moves into NIST. Now it becomes actually part of a standard that is now table stakes for what every company needs to think about. Yeah. No, I think that actually it's really good that it increased awareness on this point. I mean, it's terrible that some of these high profile security breaches happen. It's awful. And you can see how the panic and the confusion it causes. But I do hope it raises awareness for every business and citizen to realize we ought to take this seriously. And it's an opportunity for us to rise all tides. So. Cybersecurity is implanted in both citizens everyday life. Just you all doing things all online. We all need to be better digital nomads. But then also organizations start to say, wait, could this happen to us? What, what? What if this happened to us? Are we prepared? And so I think raising these awareness is really one step in the journey as well. Well, I actually think the awareness is good. And I think most of the security marketplace we've been talking about this for a little bit time, but I think the awareness needs to come much broader than that, the board level and the executives, because they need to understand these things so that they can think through their own business unit like card services. How do i actually adopt a zero trust mentality and partner with i.t, partner with security to solve this as a business imperative, not as an IT problem, but as a business imperative. And if we do that, then i think we can be safer. You know, when you work with your clients, do they ask you, Kelly, how do I get my peer over there to listen to me or how do I get our CEO to take it seriously? Or how do I get our board to pay attention? And because I think there's probably some people in the audience feeling like, I understand, but I can't convince others to give me budget or I don't know, whatever I'm saying isn't resonating. And if I've been told, if I say the word Zero Trust one more time, I'm I'm going to get thrown out of the room. I mean, what advice do you have for people who aren't experts to try and influence others in their organization or board level discussion of why this is so important to pay attention? I'm sure I've heard this so many times. You're right. Is the security organization or even the infrastructure team or like talking about this forever? But the business owners sometimes don't always understand or take it seriously until it happens to them. Then they're a believer, if you will. But I think this is where it sort of needs to change at the tone of a top, at the CEO level, at the board level. And I have seen, which is an interesting story. I've seen where we I helped a bank change the comp structure for the business unit leads. So if they're breached their bonus and their comp is affected, then all of a sudden they got religion. Then they thought it was serious and there was not a whole lot of selling to do, if you will. And it became a real partnership. And now that bank is one of what I would call a cyber champion, which is really good. And shouldn't every busy, every business want to be a cyber champion and be safe? I love that story. So they changed their compensation for the business owners to so that they feel bought in saying okay well I want to make sure that I'm not docked or negatively affected by impacted by an upcoming event. So let's get prepared. That's that's really interesting that it drove behavior. Yeah. Hold them accountable, right? Mm hmm. You know, another story I've heard from a so was they grade all their their employees of the organization. It's also a financial institution. When money is involved, obviously, it's really important. And they give everybody almost a cybersecurity grade. They have a grading scorecard internally based on are you being have are you being phished? Are you doing do you have good password hygiene? And it becomes part of their performance reviews internally as part of teams, not just within the security organization. Every single person that works for this organization. And it was it really made me think of like, wow, that is kind of top quartile where it's just like it's so embedded into what we do on a daily basis and people are reviewed and, and, and measured against how they're doing on that. So it's another version of that. I love that too. I mean, it's these good examples that we can share and help everybody as a whole. So you're right. I think you mentioned before. So where that the tide lifts all boats, you know. Yes, I love that. I love when tides raise boats. It's good. So let's just switch gears off Zero Trust for a second. Maybe widen the aperture. I see that you have a telescope in the back, so it's a good analogy. You know, the last two years we were 18 months. We went from very much being in the office inside the castle, a lot as a business organization to now with the global pandemic. People are working from everywhere, sometimes their closets, literally, or their cars or your home office or yeah, my garage, wherever I can get a piece of of serenity. And sometimes it's on the way to the office. And I'm just curious, you know, as you've talked to your clients, what else have you seen that's change as you kind of just reflect back, maybe some again, because you have done so many projects over the last 18 months, 15,000 per year. You work with so many different organizations. Any trends or things you can share with you with the audience of what might be interesting? Yeah. So look, I think the COVID thing actually shifted everybody to remote, as you mentioned. And I think it woke everybody up to the point where there is no network anymore. The network is actually the Internet and that's really what really is driven this zero trust. So that's that's the last thing I'll say on the Zero Trust, but it's also really sped up innovation transformations of companies where they go, Hey, wait a minute, we went through this COVID situation and I realize we can move much faster. So how can they transform this next piece, whether it be artificial intelligence or moving to a delivery system for their bricks and mortar business or what have you? And they've realized that they can move faster. And when they when they do move fast, it means how do we add security at the very beginning so we can like brakes on the car, not slow the car down, but allow it to move faster, if you will, in a safe way. And that is what I've seen so around artificial intelligence, around more commerce, around even things like clinical trials from a virtual standpoint, which is not really been done a whole lot before, safer security or plant security as we move to other products like connected cars and edge devices, securing that. So I think it really that sped up cycle is allowing us to innovate more with security built in by design, which is really where we should be. So let's go. I love that. I love that it's getting pulled up earlier. I think those are lots of things to be hopeful for, which is interesting and all being remote. It's interesting because I don't think we would have run this experiment if we weren't forced to have run the experiment. It turns out some things got better. I think as you as you're pointing. Out, necessity is the mother of invention, right? I guess this is why it comes. That's exactly where it comes from. That's that's exactly right. Do you see anything changing from the cyber threat landscape kind of from the last two years? I mean, you talked about new devices coming online. Do you see a new anything changing from the cyber threat landscape? Do I mean, you know, this is this is the sad part. I mean, we've seen more cyber attacks and ransomware than the year before and the year before that and year before that. So I'm worried that we're in pandemic mode of ransomware, and I have seen some positive changes in the market that might hopefully stem that. But right now we are in pandemic for ransomware so worried about. I'm worried about. Really a bunch of old technology within manufacturing plants that haven't been touched for 10, 20, even 30 or 40 years. And securing that is really a challenge. And the attackers have woken up to not only just attacking the corporate office, but those plants as well. And that can cause real harm and damage. And so I'm a little anxious about that. And then to quote a little French philosopher who said, look, with every innovation comes the good and the bad. We didn't have the shipwreck until we invented the ship. I think that does apply to everything we do, whether it be AI or Quantum or some other things. So I think we have to be careful about the future. . But the shipwrecks, I think those are good. You mentioned ransomware. We're seeing that from our clients as well. Just a rise in organizations receiving ransomware, incredible ransomware, threats and nodes. And that's a very. Violating. Terrible experience when you are on the receiving end of that and so I think it's a we've seen a big rise to over. I think it's up it's over 50% annual. It's a big it's a big increase in the last two years. I'm just curious when clients come to you, what do you tell them to do? Because, again, there's people listening and it's a little bit of I didn't know. Thanks for telling me. I don't want to be in that situation now. What do I do, Kelly? Well, you know what? I've gotten a call from a few CEOs lately and says, hey, I'm a victim of ransomware. I can't produce product, I can't ship it. I can't even feel calls from customers. I can't close my books. What do I do? This is this is a panic mode, if you will, in the crisis. And so we work through to figure out, okay, how do we actually get through the the crisis, through the ransomware. So we're looking at things like backups, getting key systems online, not the not the ones that maybe you think about. We don't care about payroll, bank process, the last payroll run, if you will, but things like systems to allow order, taking production and shipping so they can actually maintain revenue flow, if you will. And the last client that I was on was with a company that had plants all around the world and they were all down. But we fortunately we got them back up and operating within four weeks and they didn't lose a huge amount of revenue because we got those revenue systems on first, if you will. But my advice to everyone, whether you're a developer or you're a CEO of a company, is to actually go through a real simulation of a ransomware event. Because just like in a team sport. You can't just read the playbook and think you're going to be able to execute well on the field, on the pitch. You have to actually practice it in a real life environment, if you will. And that's what I would suggest everybody does with people who've lived through it, with stars like me and a bunch of others, Accenture, that's helped clients through this crisis. That's what everybody's got to do, whether you're a small company or a big company. I think that's really wise words. The second piece that you said around some of these assets or equipment that haven't been secure, that are sitting there, that resonate that also resonates with me. I mean, I think there's a bunch of businesses that have been born on the cloud the last ten years, so that's not them. But there's all these other companies have been here for a lot longer than ten years and they still are running really old systems. And it's non-trivial to tfeel like you can secure them or digitize them. And you use the examples of plants, equipment that's been sitting there for a long time. And so what again, for folks listening to me, like I have this and I was talking to a client recently, there are 100 year old company and they just you know, we've started here, but now we've got to go do all the hard parts that we're not even sure what to do yet. We're going to figure it out, but we're not sure what you would tell those clients who have who have been in business for a long time and have some of this legacy and they are not sure how to approach it? First of all, I think it's okay. I don't think everybody should panic and have this fear, uncertainty and doubt. But there are there are good plans. And so there are some old things that we can't replace because it's not cost effective or there's not a real replacement. And that's okay, let's ring fence those things and protect those environments. And I think that's good. But the second thing is figure out where are your crown jewels throughout your whole value chain, if you will, and figure out surgically, if you will, what do I do for this one? And it might be a different approach for that one and this one and the other crown jewel. So to have a very specific plan for each as opposed to a peanut butter where you spread everything exactly the same is important. Second thing I will say is don't forget about your third parties. Most companies work in an ecosystem of a bunch of other companies. And so if they really think about your third parties who are really processing sensitive information and data for you that really, really affects your business, it could be as simple as fuel management. If you can't get fuels to the trucks, you can't deliver packages as an example. Right. So I think to really understand your business and create a very actionable surgical plan for each crown jewel that you have, and it's not that hard. Yeah. No, that's great. I think when you break it up, it's almost it's a little bit like when we're going back to the analogy with Zero Trust, it's a journey. Find a place to start and start. This is a little bit of work. Look at the portfolio, break it up, categorize it, and then you can start to make progress against each of those each of those work streams. There's there's some similarities in the approach there. So zooming out, you spend so much time speaking to C-level executives, the government, the largest organizations of the world, and all these guys and all the different policy makers. Again, just such a unique vantage point when you think if you could distill all those conversations, I mean, all of us aren't there sitting on your shoulder for all those conversations. What are what are some of the lessons that you've learned from those conversations? Are there certain topics that you're like, wow, people that give you that you're excited about, are there do you feel like there's some lessons that people are the same mistakes people are making over and over again? And any words of wisdom you can share with the audience here? I mean, and this may resonate with a bunch of people watching, but one is, I think generally the board want to do the right thing. They really are truly wanting to do the right thing, but they generally don't have the skills. They don't understand the cybersecurity or the I.T. elements to ask management the right questions, because most of them are in their sixties or even older. And when they were in business, they didn't they didn't really have this problem. So that's one. The second thing is executive management generally wants to do the right thing as well. And so they because they want their business to thrive. The challenges. The security team wants to do the right thing, but somewhere in the middle, it gets lost. It's what I call the Oreo cookie. It's hard on the top and hard on the bottom, but it's squishy in the middle, if you will. And I think that this is where governance matters and that sometimes when you have a dollar to spend in technology, you spend it on bells and whistles, features and functions of a product, or you spend it on securing the infrastructure, which generally nobody sees. Many times it goes this way. It doesn't go that way. And I think it's really about making really good business decisions about how to create trust with your customers by securing their data, keeping it private, and keeping it available, if you will. And that's really what your customers really want. And so the lessons learn is everybody wants to do the right thing, but we don't really always have the right skills and the right attention and the right focus to be able to secure those things throughout the whole environment. And I think that it's up to everybody to think about not just what they do, but how do we look across the whole business to make sure it's safe. Now, what you said about the first part that really resonated with me. You're like boards want to do the right thing, but they might not know the right questions to ask, and then they end up asking the wrong questions. And it kind of you're like, this isn't not productive and not meeting the business goals. And so let's say there's someone listening who is that 16 year old, 60 year old business leader? They've had a really great career, but these are new things. They actually aren't sure about the right questions to ask. What should they read? Where should they go look and how can they start to ask the right questions? Any advice for those people? Well, just like anything, you have to keep learning, I believe. And so spending time with experts, Michel, like you and Kevin Mandia and a bunch of other people I think is really valuable because you can learn a lot from from these people. The second thing is there are there are sort of executive training areas that some universities put on. And I think going through that and through an ASD around cyber things might help directors learn but. You know, you've got to dig in and maybe even bring some experts along with you to help with the nuances between what the company is trying to accomplish. Maybe. Maybe that's a good recipe. Yeah. Yeah. No, I think that's great. And how about the opposite end? How about the developers who are just out of school starting their career? Super excited. We have about a minute left. Any advice for them of things that they should pay attention to? Oh, look, if you're a developer, you're at the core, the nucleus for actually how to keep things safe, I believe. And so you're going to have this pressure of developing code super fast to be able to get the product out the door. But the ones who actually secure it better are the ones that are most valuable developers. So my suggestion is think like an attacker. If you are a bad person, what would you do and how would you break into your own code? And if you can think that way, then you can keep it safe. So for all the developers out there, I think you are truly at the core center, the nucleus for keeping us safe. I love this. Oreos, nucleus, chips, shipwrecks, castles. So many analogies. Kelly, this was such a great conversation. Thank you so much for tuning in. Everyone really enjoyed your all your remarks. Thank you so much for being here today.