"The sophistication [of cyberattacks] is only going to increase." - Kerry Kilker, Semperis strategic advisor, executive vice president and CISO of CYDERES, and former CISO of Walmart.
In today's cloud-first, mobile-first world, dependence on identity systems such as Active Directory, Entra ID, and Okta is growing rapidly, as is the attack surface. How can you defend your organization against the escalation of attacks? Tune in to this episode of "The CISO's Take on Identity-First Security" to hear from the experts.
Well, I’m here with Kerry Kilker. Kerry is a longtime veteran of Walmart, 32 years. In the last 11 years of that, you were the Chief Information Security Officer. Pleasure to have you here today to talk a little bit about some of the threats that are going on in the enterprise that you typically see. And what companies should be thinking about.
It’s good to be here.
Experts in the industry have talked a lot about this notion of assume breach. What does that mean to you and how do you think about the world in that kind of mentality?
I think organizations certainly they want to try and protect their environment and keep all bad things out. That’s very hard to do in today’s world. So, I think until you have vetted your organization, you have to assume something bad has happened. Soon you’re going to get compromised, assume you’re going to have to recover. And infosec job is never done. And you’re never good enough.
The threats that we’ve seen have become more impactful. So in the early 2000, we had SQL Slammer and it knocked out a bunch of servers on the internet. More recently, we’ve had WannaCry and NotPetya. Regardless of the technology underlying it, it seems like the threat, scope and size is increasing. Do you see this as an escalating problem? Do you think of it as a problem that’s going to get bigger and bigger over time? Or how do you see this playing out?
Well, in the 11 years that I sat in the CISO seat, it’s been like a hockey stick. I mean, the threat landscape around cyber is just, the trajectory’s just going straight up. And I don’t, I don’t see that changing. I mean, the threats are only getting more and more sophisticated, more and more advanced. And it’s going to be harder and harder for organizations to detect and mitigate and recover from these kinds of situations.
That’s pretty sobering. It’s scary. It’s scary.
You know, it used to be that the threats came from inside. First, when you didn’t have the internet, then you had the internet and you built walls, perimeters to protect from external threats. And nowadays, the more common scenario is you have mobile users that are accessing your corporate data from pretty much anywhere in the world, maybe they’re corporate devices, maybe they’re not corporate devices. And in that reality, now the old perimeters have broken down. One of the very few points of control you still have is around an identity system: who can log in, who has user accounts, what access do they have? I mean, how do you see this affecting the threat landscape and how do you think about identity as really the only control plane that you have in this kind of new world?
People forget that everything starts with an ID and a password. Credentials or identity for access go unnoticed until something bad happens. And then the first thing you’ve got to recover is credentials to do any other kind of recovery. I think organizations need to not only protect Active Directory or credentials, but also build a plan to be able to recover and restore in the event something does happen.
An important point there is that you want to have something in place to protect your identity systems on an ongoing basis from either inadvertent activity or threats. You’ve got somebody in the environment. You want to be able to know that they’re in the environment. But then if the worst happens, we’ve heard so many stories about entire corporate identity systems being encrypted by ransomware and taken offline, and that company’s down for days or weeks. At the tail end of that, you need to be able to get back to a basic bring the plumbing back online. So that you can keep the rest of your organization moving forward.
When do you recover back to that’s good. Is your recovery backup corrupt as well? So, you want to know that you have a good recovery point.
If everything else fails, you’re sort of left with having to recover this environment. It’s sort of your last line of defense. And if it’s an identity system, like an Active Directory, chances are all of your business applications, even all of your administrative, potentially even all of your DR applications are dependent on that being up first. I mean, how do you think about identity recovery in the context of disaster recovery?
I think you have to plan for a cyber event the same way you plan for a natural disaster. So, lots of organizations plan for hurricanes and fire and tornadoes. They need to plan for a cyber event in the same way. And I think it is an area that companies need to improve upon. It’s a topic at the Board of directors’ meetings. They want to know what companies are doing around information security and cyber preparedness.
Now, that’s interesting. Yeah, I mean, I think that’s a good point. So, we always prepare for those worst-case natural disasters, but we see in the news every day these cyber disasters happening and with frequency that we would never experience in the natural disaster world.
And the sophistication of them is only going to get greater.
