Zero Trusts Given

Zero Faith

Episode Summary

This episode features actionable insights on navigating culture change, discussing the importance of data protection and identity management. Guest speakers James Carnall and Quent Strandburg join hosts Tom Tittermary and Tom Gianelos to discuss the need for integration of cloud solutions and AI to enhance security in a multi-vendor environment. They focus on faster, smarter approaches to cybersecurity workflows through collaboration.

Episode Transcription

Zero Trusts Given: Expert Perspectives on DoD Security Strategy with Quent & James

Tom Tittermary

Yeah. So hey everybody, welcome to another episode of Zero Trusts Given. I am your host, Tom Tittermary. With me, as always, is my brilliant, wonderful co-host, Tom Gianelos. Say hi, Tom. Hey everybody. So today, guys, we have a super special episode. We're taking a look at Zero Trust as a whole, as a practice, and in a really meaningful way. So I have with us a couple gentlemen from Red River, and we're going to get in deep about how they approach the topic and how they run workshops with individual customers to discuss the topic. So I'm going to let you guys introduce yourselves. Quent, if you can go first,


Quent Strandburg 

Yep, thanks for having us. Quent Strandburg, I'm a DoD SE manager over here at Red River. I've been here about 12-13 years, a lot of experience in the DoD. I was actually in the Navy, got out and did some security while doing that, worked at an integrator for a while, and I've been over here doing the engineering here at Red River.


James Carnall

Awesome. Hi everyone. James Carnall here, head of cyber at Red River, and been with the company for about two years now, and really excited to be helping with cybersecurity. My background is open source intelligence and cybersecurity for the last 20 years. So thanks for having us. All right.


Tom Tittermary

Awesome. So guys, just to tee up the conversation, so Tom and I are Zscaler, right? So we have a very specific part of the Zero Trust thing. But we always talk about, it takes a village, right? So there's been other episodes, we've brought in other vendors, where we team up together to bring better results around this whole Zero Trust thing. And we talk about the notion of Zero Trust as a whole, what it should be, how people should look at it and implement it. But one of the biggest questions I get is, Tom, Zero Trust, it's a buzzword. Tom, Zero Trust, where do I get started? I know I got to be done by 2027. People don't know, like, hey, where can I go have an aggregate discussion about, you know, Zero Trust, how we're looking at it, and how I can move forward. So I wanted to have you guys on the show today, right? It seems like the practice you guys have, if I think about what I've heard about the methodology of how you go about it, seems like exactly the way that I see a lot of these agencies and build apps should go about this. So I'll leave it open to you guys. Could you guys tell me a little bit about the program we


James Carnall

can go from there? Yeah. So thank you very much. I think the key thing for us was we had to start where everybody else did, right? You essentially have a multi-vendor environment. You know, no one in the DoD particularly has a handle on all of their capabilities. And so we started with our partners. We started with our vendors. So we started with Zscaler and others, and sort of said, hey, can you send us over how you map to the DoD strategy? These 152 activities. Now, again, some of them are more advanced, some of them are target, right? So we start with the 91 target, but we go through a mapping process for all of them. But before we get into the nitty gritty tactical side, you've got to start with, can I level set with everybody? You know, we've got people in the room that have very advanced understandings of it, and technical requirements and NIST and standards, right? In DoD particularly, most people understand the idea of defense and protection, and there's a stove-piping that sort of comes along with sort of that pillar structure that we have. So we like to start with the culture. And so what we found was we had to level set and go in and have a conversation, right? Get everybody comfortable with the fact that Zero Trust is an idea about culture change from end to end across all of the areas that you're involved in within the security stack. And so that is sort of how we started our process. Right? One, for us, we started to go through with the OEMs and map out where they align and what they covered of the 152 activities, but with the groups within, you know, our customer, if you will, we needed to work with them on what is the culture of Zero Trust? What does it mean when we say, you know, trust but verify, right? You know, assume breach. You know, having to re-authenticate at every stage, whether you're an app or a person, or, you know, a device,


Tom Tittermary

Yeah. So it's, I think, the culture piece. We talk about technology a lot as engineers. You know, typically, we're having engineers in on the podcast, and we talk about engineering because it's a math problem, right? And if I add one plus one, it equals two. And that's, you know, that's typically the response. Well, it's always the response you get around one plus one equals two. But the cultural piece is like a much softer piece of this, right? And it gets to be a really interesting part of the conversation. So when I'm talking to folks about Zero Trust, I'm typically walking into an environment where, you know, somebody has spent 5-10 years building an infrastructure and a protection mechanism, right? And what I run into, from a cultural perspective, is I run into a lot of beliefs and very few thoughts, right? And I talk about this notion of, like, thoughts and beliefs. I like to have a million thoughts and very few beliefs. And it goes back to the Zero Trust conversation, right? Trust but verify? What can I pull around the data around each of these individual application interactions, user interactions, to be able to make better decisions, right? And take a step back and say, it's not enough that I've got the perimeter around this sorted out. How am I getting really granular about how I get these individual pieces? How do those cultural conversations typically go with you guys? Because I almost find that the most difficult part,


James Carnall

I would agree. I think, look, again, part of the wonderful discipline in certain areas of IT and certain security is we're checklist motivated, right? We have a beginning, a middle and an end to a task or a setting. But threat actors are evolving, and the way we use the tools we have evolves. The tools themselves evolve, some of them end of life, so we can't rely on the tools alone. And the other thing is that, you know, you might have your cyber team, and you might have your IT team and your firewall team and hardware team, you know, storage or data, and these teams have to work together as part of Zero Trust, right? The strategy is across all the pillars, those cross-cutting. And although we do want micro-segmentation, we want to imply that we want to challenge any authentications that come in at different stages, that doesn't mean that we can't work together. And so it's been very difficult to sort of sit down and say, okay, you know, that stove-pipe nature that I don't share, I'm very controlling of what I have. Now we have to have a conversation. We have to develop the thoughts and concepts around an ecosystem, and that's true in the DoD, obviously; in the commercial world or in the civilian government, it's also a change, right? I mean, we have to understand that. We have to work together, collect telemetry data, for instance, from all of these different areas, and bundle it together and centralize it. That's how we get better visibility. So these are, you know, we understand how our area of focus, our specific job works, and the tools that we work with. But really a lot of that education is, how do we work in an ecosystem together? What is the point of doing this? Because I think most people understand what Zero Trust is as an idea, but they may not know.
And again, the DoD did a particularly good job with giving us, you know, an iterative, very, very broken down structure to work with, to have a very deliberate process to get to some form of Zero Trust by '27.


Tom Tittermary

Yeah, I think it's interesting, right? So all credit to Mr. Randy Resnick, right? Like, I've spent my amount of time in his 152 controls, right? So 91 target and 61 advanced, right? I run into a lot of people where I have conversations, and you know, it's beholden upon us as these individual vendors, right? Tom and I are part of this. How do we affect, and which ones of those controls do we affect? But I see this trend in industry, when any time, you know, either I talk to another vendor, or a customer engages with another vendor, they get very buttonholed and very down in the weeds, very specifically, right? Forest from trees. They focus on the tree that they're involved in, and they talk very specifically, like, how I can affect this one field in the Excel sheet, right, with my product around this one individual thing. But what you guys are doing, which seems really interesting to me, and it goes back to culture, is sure, you can go through and check these individual boxes. And I want to get later on, remind me, I want to talk about, like, variance of degrees of compliance. What's the difference between a check box and a really functional way to do these individual things? But once I've checked all the boxes, the big part is, how does all this work together? Right? And you used the great word ecosystem. And that also goes back to culture. There's really a thought process about you have to change the way that you think about how these different parts work together. Could you speak to that part a little


James Carnall

bit? Yeah, I think for us, one of the key parts were at the same sort of thing. So the strategy was rolled out. We had the 152 activities. We worked with a number of partners and OEMs, as our customers have to, to try and understand how they map and how they comply, or how they help us meet that control, right? How do they address that activity as it's listed? And you can imagine that from a vendor perspective, you had a way, it's almost like, you know, we need more green on the sheet, right? Right? We need to, you know, sort of have people in the executive space like, I need that all filled in. How do we get there, right? And again, I understand that, right? Everybody wants to feel like they're well represented in that, but there are areas where out of the box, we meet those, or we can achieve those, or help our customers achieve them, and others, we need other vendors to be plugged into us, right? We support that. We enable that capability, right? And it was very difficult for our customers to understand the difference between what enablement meant and whether they had all of the stack to do that, or whether they actually had this within the tool. And then, of course, there's the other part of it. It's like, well, I have these tools, but have I implemented, essentially, you know, those capabilities? Did I turn them on, or did I configure them correctly? Right? All of these other parts of it. So from our perspective, once we went through an exercise of mapping out, you know, these different capabilities, right? Maybe not talking about vendors, but capabilities that were in the tech stack, right, the software, hardware lists of our customers, we started to map that out. And then, by mapping that out, we basically then went through an interview process with the customers and said, okay, you know, these 152 activities, let's ask a couple of questions.
We got it down to about 77 questions that we felt really covered, essentially, those 152 in a way where we had enough insight to say, do we have something, yes or no? Are we working on rolling that out? Is it in place, and is it, as a level of maturity, where it meets that target right now? Right? Not even talking about the advanced, let's just talk about the target. And for the first time, for a lot of our customers, that gave them the ability to have visibility into where they are, right? You can imagine somebody who's running a Zero Trust program, you know, Larry, you're head of our IT group. Where are we? We're doing great. What does that mean? Right? A lot of green in the sheet, right? Right? And so from our perspective, it was like, you know, we get it, right, just providing a visual. Because when you say, well, what do you need in the way of resources? I don't know. Anyway, how much time is it going to take you? I don't know, right? So we were able to provide sort of a tool as part of our, you know, again, the questionnaire provides the cultural overlay, gets everybody bought in, makes them feel like they're in a safe place that they can share with one another, so they're not finger pointing at one another about, what do you mean you're not doing this right? We're not getting that. We're having that conversation about level set. And then we say, well, how do I know where we are? And so then that conversation starts in regards to, let's honestly share with an organization like Red River the information they need so they can plot it for me into a tool, that then I can hold a piece of paper up in the air and say, this is where I am. This is where, based on the DoD guidance, they've given me a time frame. They've given me how long, like a Gantt chart, I should take to do that. And so now when we meet with our customers, once we have that exchange, we can say, you haven't started this; by the DoD guidance, you should have already completed this, right?
How does it map to the mission that you're in or the service you're in? Right? Because they have slightly different guidelines and guidance as well. And so the power in that, that again, success breeds success, is I had a conversation, I feel like my team are better educated on what we're trying to achieve here, not the mandate of doing it, but what we're actually here to do, which is to protect the warfighter, right, to make us safer, to make us more secure, and then beyond that, to give leadership and the teams in the trenches, ah, I'm used to checklists now. I have something tangible to work on. I know that I'm red and I need to get to orange, and then I need to get to green. And what does that actually mean?


Tom Tittermary

Yeah, it's just, it's funny. I draw a lot of corollaries. Tom and I have done a lot of work with the federal system integrator and DIB community around CMMC, right? So, right? It's a daunting list of individual requirements, and oftentimes, right, these are presented to security teams that already had a full week planned, right? They've got 40 hours. Hey, by the way, now take these 250 controls and map them cleanly against your environment. By the way, you lose every federal contract if you don't. It's terrifying. So you can break into a conversation and say, hey, so just the way that you were talking about, where are the gaps relative to what we're working on, and start that conversation around that piece. But most people that I talk to, we get back to the term buzzword around Zero Trust. Like, I know I have to do Zero Trust. I'm terrified about it. There's these 152 controls. What you're talking about really seems like a clean methodology to get from, you know, that fear, uncertainty and doubt about, like, I don't know how I get there, to, all right, here are my timelines and plans, and now I can actually punch it into my work cards and schedules to figure out how to get there individually. Like, do you have any customers that you've been talking to where, you know, you've experienced that from the pre and post, where it went from, like, this thing out in the ether, down to, like, all right, we have marching orders and


James Carnall

a plan. Well, yeah, I mean, we've had a number of success stories, and in fact, again, part of providing the insight, the visibility, we've been contacted by their leadership, right, these different, you know, because, of course, we're all part of an ecosystem here. So, you know, you put your hand up and say, hey, I'm this division, and I've got some visibility now, and I actually have a plan, and I understand, in a new way, what Zero Trust is for me, and I have an actionable, you know, stepping stone to get there, right. And it's not some sort of dream or some fuzzy thing or yeses and nos nodding in a board room. It's actually, I know what I'm doing and what to do next, how many people I need, how much it's going to cost me, what tools. But we were surprised. We shouldn't have been, but it's one of these things, things evolve. When leadership said, well, you've now spoken to a number of our missions. Can you give me, essentially, an executive dashboard? Because if you could do that, I could now see the status of multiple programs. And we're like, sure. I mean, let's work on that, right? And so we have some very talented people that sort of said, sure, I could shake and bake that. And they came back and said, is this sort of what you're looking at? And what the takeaway from that was, was, so now we have, you know, six different groups mapped out, and the leadership could say, well, that's interesting. You know, in the identity pillar, three of my teams are in green, but I have one in orange, right? So they're working on it. So that's fine. I would expect to see that, but one's red. Why don't I take the ones in green and sort of analyze those programs and see what they did, and help this obviously struggling team to potentially, you know, is it a licensing issue? Is it a tool issue? Is it a people issue? Is it a knowledge issue?
And so I can start to analyze licensing and accelerate programs by getting these teams to work together. They didn't have that visual before. They didn't know what the status of the different teams or groups were, and so as a result of that, we're seeing an accelerator there, which is like, you need to go and start working with them to get that visibility, because me and the leadership, I have to plan for resources across my entire team, into my entire mission. And now this is a way they can do that. So this was one of the other areas of value that we saw from our customers, sort of putting that pressure on us, yeah.


Tom Tittermary

So, trying to kind of change talk tracks a little bit, right? Going back to, you know, the 152 controls are daunting, right? And some of those controls can be pretty broad in terms of, I'll give you one that's one of my favorites. I'm an old-hat data authorization guy, so that one is near and dear to me, right? Because it involves tagging and access. And, you know, I think people say we need to protect the data and stop talking, and that problem, when you really start peeling the onion there, right? So it's, okay, well, I need to have really clear context about all my unstructured data, my semi-structured data, the data I call semi-structured is like cloud services, 365, right? It's unstructured data that sits in a structured thing, and then my structured data at the same time, right? And I think I've run into people that say, yeah, I'm doing DLP, because they have a DLP policy somewhere for something, right? And they assume that, hey, no, I checked the box. It's green, right? Like, what kind of level of granularity, if we could hairpin it around that one, right? If I'm accomplishing what the spirit of that law is, instead of, you know, the words in that law, I'm doing data loss prevention and managing my data across structured, semi-structured and unstructured, and I'm mapping it against identity, and I have clean tags in the back end. But a lot of people will be like, no, I have DLP turned on in Zscaler, or I have it turned on in my 365 instance, or whatever. How, like, how do you guys dig into something that's like that? To give a little bit more


James Carnall

insight? Yeah. I mean, from our perspective, so again, what is it and what isn't it, right? So our engagement is more around the technology side. It's not so much focused on, do you have the people you need to implement this? Do you have the policies and procedures in place? Right? We see that as a next stage and next step for us, because, again, with every iteration, you know, our customers come back to us and say, hey, you helped me out last year get visibility. Can you run that again to essentially let me know how I've improved, right, as a status check? And now, you know, the guidance that was released in regards to the NIST mapping towards the, you know? And of course, there was an update recently, so every time our customers come back to us and say, hey, can you update this? Can you give us more visibility? It's really that interview that we have with the team, right? And again, we basically block out four hours, you know, again, after we've had the workshop, and after we've asked for the hardware, software list. And you know, what is their ATO? And you know, we collect all of this information from them. We want to have an interview with them for four hours. I mean, sometimes it's less. It depends on who's in the room and what have you, and we're getting into the questions of, like, you know, what does this actually mean? How is it implemented? Right? We have our technology team, our engineers, going through trying to understand exactly what you're saying. It's like, talk me through what your processes and procedures are and the technologies you're implementing and have, from the people in the seats that are doing the work on that, activity by activity. And so we're getting, you know, in. And it's a very raw conversation, right? Because you're getting into the detail that you're talking about.
It's like, you know, how is this all working together? And let's be honest with ourselves, because that's part of it, is we just want to say yes and move on. Well, there's


Tom Tittermary

the angle too, about, like, no, no, I'm green. I already put this to bed. I checked that box, right, and then you get into that, well, could I justify it if somebody came in and inspected this on the far side, if I went through a pen test? Well, and that's


James Carnall

where Randy Resnick's really sort of poking at, right, this sort of red team that includes the Zero Trust aspect of it. Not just simply, do you have a vulnerability risk, but how are you implementing and, you know, mapping to Zero Trust in that process. Yeah, Randy's


Tom Tittermary

getting a lot of air time today. My dream is one day to get Randy on the show, Randy, if you're listening, that would be amazing, but it would be awesome to have you in the chair and sitting down


James Carnall

and talking to. Well, and so in part of the conversations we've had with Randy, and part of the mission that we had, right, is like, well, again, going back to that trust but verify, right? How do we determine that? You know, Okta's working nicely and working the way they should with Zscaler, and Zscaler is working with CrowdStrike, what have you. You really have to put that in a lab environment, right? And so we built out this multi-vendor lab environment to test these controls. And part of the success in that conversation is we didn't just sort of say, hey, we're here to promote the features and capabilities of the vendor, right, of the OEM. We went in and said, look, how are customers implementing this? What are the challenges they're actually trying to protect themselves from, and how are these things correctly implemented? And so we basically work with the customer-first use cases, working with Zscaler and others, to, what are you seeing? What are the challenges the customers have? How can we go and sort of, with a catalog of, like, not its capabilities, but here are problems that we know that you're dealing with and managing, and this is how all of this ecosystem works together. And that's been a great tool in this conversation of trust. And you know, one of the challenges I think that Randy brings up quite a lot as well is, like, you know, you're selling a thing, a widget, but tell the customer, tell the DoD, how they're going to get value out of that widget, and how it works with all the


Tom Tittermary

other widgets. Yeah, well, it's funny, right? So fun fact about your host, Tom Tittermary, here: you know, in my formal education, I'm actually, like, a comparative literature and languages guy, so I tend to, you know, take words and break them apart. What are these? I think a lot about what I think, right? So we say Zero Trust so often. You say a word enough times, it loses meaning, right? Zero. Trust. Zero Trust. I say it's the new cloud. In terms of, like, when you wanted to justify, I want to get a meeting with a customer, I got to talk about cloud, and I used to blanket turn it down. And two jobs ago, I would blanket turn it down if you gave me a meeting and said, we want to talk about cloud. Decline the meeting, because cloud's not, it's not a topic of conversation. Like, I got to get in the weeds and have an individual conversation about this. So we talk about Zero Trust. Trust, trust, like it kind of loses its meaning. You see it on everybody's board. When you go to a show, every vendor has got Zero Trust and AI. There's, I'm calling us out specifically. Yeah, those are the two that are up there. And then, no, I'm the Zero Trust guy. I want to offer this up, and this, I'm, you know, this may or may not work. We'll find out, right? I was thinking about the word Trust last night, and I was like, what does that actually mean in this context? And there's a word that I thought of that you could actually supplant in there, which might, you're not saying trust anymore, so you actually have to think about the word again, okay? And the word I want to throw in there is faith, right? So if I think about, all right, so let's break down the definition. I could swap out, like, I have a lot of trust in Tom, I have faith in Tom. They're almost synonymous in a lot of ways, right? But the connotation of that word faith means that I don't have all the data, but I'm gonna believe in X, Y, Z, right? So if I think about Zero Trust, right?
If I put somebody on a network and they have access to all these things, I have faith that that person, since they went through the security training, and they're a good person, that they're only gonna go to the places that they're supposed to go, right? I don't have data around that, right? I can collect data about what they did after the fact, but I'm basically giving them, I'm putting my faith in that individual that they're going to go and do the right things. I'm giving them trust in that way, right? So let's give a little bit of meaning back to the word Trust, but trust for it, like Zero Trust for me at the end of the day, is: faith is a great thing for many parts of my life. I don't think it's solid security policy to lay as a baseline for 7 million enlisted. If I go across and I say, we're going to start with faith, and I'm going to trust that you're all going to do the right things. And I think the big model here is, no, no. What's all the data I can collect, right? How do I validate and verify this every time before I hand somebody access to a thing? And it goes back to trust but verify too, right? So I've laid all that out. So one, I don't know what you guys think of that, but, like, in the context of the work that you guys are doing, what is the gap that you're filling with services and the products that you put in the mix to take that faith out of the mix and replace it with real data people can make decisions around?


James Carnall

Yeah, well, I think if I'm correctly answering that question, right, there's a couple of things that are gaps that we're sort of providing or addressing. One is that, you know, most people in security and IT understand why they get up every morning and what they do, right, certainly from a DoD point of view, right? That's part of their core training and job, regardless of what role you're in. You know why you're there. We do that quite well. But I think to your point about the word, right? And that is the first thing that we started with, which is, like, how do we make this not intimidating? How do we cut through the noise and get round to the core idea? And then people are like, oh, I totally get this, right, because they live in a house. They lock their door, they shut their doors, they don't leave the windows wide open, right? They understand, oh, jeez, I probably should go around and do that. They push the key, you know, the button on their keys, and lock their car. I mean, they understand the principles when you make it a physical conversation, right? Or use an analogy of, you know, working through the airport and the security checks. Or when you go into a building and they give you a badge and they escort you around the building and say, hey, you have to go here, and then you have to walk back out. We understand that from a physical world point of view. And so those principles, you know, with coaching, with training, with education, we just sort of make that real for people. And certainly that helps. And so once they understand that, then we say, okay, well, let's talk about the handoff between technologies and systems. You mentioned it before, right? Who is in my ecosystem, walking through the front door or getting into the castle, right? What systems do I have to keep people out that I want to keep out, and who's in? And how do I know who's in and where can they go with it?
You know, can they get to the crown jewels? Right? Probably have more guards there, right? That's different than the bathroom, right? So there's those principles, right? There's a concept of, you know, there's a reason why, between the castle, we have woods, right? We have that area where I can see anything approaching from the woods, and then I have spies in the village, right? That's your sensors. That's your telemetry data in regards to what's happening. You know, did I have somebody logged in here? Did they access that folder, did they try and access that file? Or what data are they collecting? Are they trying to exfiltrate? Are they trying to print, right? Did they come in on the weekends, right? All those sort of concepts that we want everybody, not, but we understand in this industry, those sort of concepts. And so when we relate what Zero Trust is to those human understandings, right, or that training that we are all inherently getting or have, and then we sort of say, okay, well now we have to go through this exercise. You know, if the crown jewels is the data, the Australian accent, yeah, the data, if it's the data, right, and identity is around who gets in, who or what, right, gets in. You know, I don't want a person with a camera to get in my castle, but I don't want a thing with a camera, a drone, to get in either, right, to be able to take photos of this, right? So, is it an application? Is it, you know, is it a device? Is it an API? Is it a person? What is it that's accessing my ecosystem, and what sort of restrictions do I put around that, right? So we go through that education piece.
We go through a very methodical process that, again, I compliment the 152 activities, is a very prescribed way, and structured way, which is great for large organizations like the DoD to go through, and giving a time frame puts that pressure, right, puts the pedal on it, of figuring out, you know, from the leadership point of view, how do I get my people, my policies and technologies in place to get there? And then where our commitment, right, from our organization, is to help organizations understand, right? You know, how do these things work together? How do I make sure I understand the most up to date, have turned everything on, right? How do I talk to the OEM about understanding how they work together in an ecosystem? If I have a gap, how do I make sure that I am purchasing the right technology for the ecosystem I have? Because I'm not going to rip and replace. I can't make '27 if I rip and replace. I have to go with what I've got and then fill those gaps, and then sure, I can come up with a continuing strategy, right? Zero Trust is not a date. It's not a set it and forget it. It's an ongoing, evolving strategy, right? So you know, if I need to level up, which I will at some point, in some way, because the threats, you know, keep increasing in velocity and speed and sophistication. And there's real skin in the game, right? We're protecting the warfighter here. So I know why I'm doing it, so you tap into all of that and raise all boats, right?

 

Tom Tittermary

So it's interesting, right? That the notion of, how do I get to Zero Trust with what I've got in the house, right? So I was having a conversation a while back with a gentleman named Wes School, a brilliant guy. He was a Zero Trust lead at TRANSCOM at the time, a friend of mine that's in the room, he'll be on the next show, was there with me when we had this conversation. But he said one of the most brilliant things, and this was early days of Zero Trust, and Wes School, he said to me, he goes, Tom, there's a lot of Leroy Jenkins Zero Trust pilots going on out there. So if you don't know Leroy Jenkins, go YouTube it, hit pause, come back, right? You'll have a fantastic chuckle. And the notion is, right, like, I'm gonna grab what I have and I'm gonna run down a lane, and then things are gonna go how they go, based upon what I have, right? So I have to imagine, like, you want to get as far as you can with these individual customers, you're talking about the tools they have in house, right? Yeah. But a lot of these things, I see a lot of Zero Trust pilots collapsing under their own weight. And the reason that they're collapsing under their own weight is the complexity of the individual products they're starting with. So what's the inflection point in the conversation where you say, Look, this is a phenomenal product that you have in house, right? But I want to recommend a new product injection here, because this will cover you for 1000 users. But when you start talking about the admin, the complexity, the management, the security gaps that that additional admin and complexity is going to bring, there's potentially another solution that's going to get you farther, faster, right? So if you're the Air Force, and you've got, you know, 1.05 million end users, right, you can't, in a holistic sense, use the same tools you would use for 1000 users. So what are those? 
What do some of those conversations look like when you have those?

 

James Carnall

So the first thing you have to do is get them to understand where they actually are, right now, right? Because again, going in saying, Hey, I'm here to sell my product, here I am to sell you a capability. You know, that's not the, you know. I don't think you would take that from somebody who basically came in and said, Hey, I need another room on my house for my family. And they're like, let's just pull the whole thing down and start from scratch, right? You have to get there in a certain way. So I think that my response to that is that, you know, we engage with where they are. We show them, right, how the tools they have map to it, we facilitate the conversations with their existing team so they understand, like they can see the pain in the eyes of their own team, saying, This is going to be a heavy lift. We bring in the existing OEM to have the conversation with the customer, and then if they get to a point, through guidance, through visibility and insight, through conversations, where they're like, Hey, I do need to level up at this time. It makes sense for me to make that jump now, and then, essentially, we bring in, you know, the capability with the OEMs that meet their standards and needs. And again, it is up to them to make that decision, but we show them how, again, in a lab environment, how this works together, how it achieves that, how it will accelerate, how the simplicity of implementation, how quickly it can be installed, set up and deployed, and takes away the administrivia headache again. That's one of the reasons why we like to work with Zscaler, right? It allows us to be a force multiplier for the customer in regards to these sorts of deployments when they solve these sort of problems. 
And technologies like that, like technologies that work with other technologies that get it like, I'm here to help you solve your problems or solve your security challenges, are a real benefit in these conversations, because there is a platform play in a lot of cases, and there's a place for that, right? I want to simplify my tech spend. I want to have an ecosystem where there's compatibility from end to end. That's great, but Zero Trust is not that, you can't achieve it all. So you need to pick players in your ecosystem that integrate and play well, that are talking to one another, right? It's not. And I think this is one of the frustrations we hear from the customer, is like, I have to do all this work to understand this and figure this out, or I have to trust, have faith that the salesperson who walked in the room and said, Yeah, this will work out of the box. And I'm one of those big fans of, like, you know, batteries are not included, or batteries included at Christmas, right? I don't want my kids sitting down there, and I didn't buy the batteries for them to play with that toy. So one of the things that we were very passionate about with the mapping exercises that a lot of the OEMs did, was, okay, what's out of the box? What do you help them with? And where do they have to buy other technology to plug into your technology to achieve that? Yeah. So I think even

 

Quent Strandburg 

on the flip side, they may have the technology already, they might just not be utilizing the licensing or the feature set of it to, you know, to meet some of the, and we see that a lot. Yeah, yeah, absolutely, yep. So that's something else that we talk with customers about as well. So

 

Tom Tittermary

yeah, we got into a conversation the other day about Donald Rumsfeld, known knowns and known unknowns, and like, there's this category relative to technology, about these unknown knowns, about you've got this inherent feature capability in a product you already have implemented and installed. It's a licensing feature away, right? You can go take a massive pivot and coordinate different products. But a lot of times, there's something in the stack that you can turn on. They just don't have the notion, by the way, that it can come back and check one of those individual boxes against the 150

 

James Carnall

We get that a lot. I think, to attach to this conversation a little bit, so, you know, we know we're going into a brownfield type conversation with it, you know? Because, again, it's not, you already have elements of this, and they start to check that, oh yeah, you're right. We're following these standards, and we've been doing this for years. So I'm like, Look, sure, it's got a new name, but you've done this before, right? This is a rebranding of some of the principles that you've had in the past, right, defense in depth and what have you, sure, but it's a lot more directed. It's a lot more clear for you, and you've got more guidance potentially than you've had before. I mean, obviously we've got NIST out there, but it's more of that end to end strategy that we talked about, but we do get customers now like, Okay, well, Red River, you've now mapped out all of these capabilities and all these technologies. I'm here, and I've got, you know, orange, red, red, red, red, red, red, green, green, orange, red, you know, across different pillars. What would I need to buy to get to the green, right? So this sort of greenfield conversation of like, you know, if I created a parallel universe, what would I buy end to end in my tech stack, right? Because there is redundancy. And, you know, a lot of individual teams and missions have bought tools for a specific thing, and then they buy another tool for another specific thing. I get back to this use case set of ideas, like, I need you for this, and I need you for this, and once we get in there with them and say, Hey, a combination of this technology and this technology that you already have, if you increase the licensing or if you implement it correctly, you're done, right? Let's move on. Yeah, right. But

 

Tom Tittermary

one of the things I get into as well, right? We talk about, you know, how do I get farther, faster, right? And that you don't want to, like out of nowhere, recommend an individual piece of tech swap, right? But what I run into with a lot of these individual product selections is, I think every individual technology I run into has a baseline level of capability that you then get to determine its mission impact by dividing it by its complexity, right? So if I have this amazingly powerful product and it takes 50 people to run, okay, well, then that is, but by the way, if I can get that same capability and it takes three people to run, well, that's a net benefit, right? So what I see in the industry right now is a lot of the cloud services that are out there, selfishly, Zscaler that fits in the mix, tend to kind of raise the roof on that inherent capability relative to it. The way I talk about it too, is I talk to people about, like, you've got a number of budgets in your group, right? You have your capital, your CapEx budget, you have your OpEx budget. But I bring up the term human intellectual capital, right? Like you have a human intellectual capital budget. You've got X number of super, super smart people in your organization. How do you want to spend them, right? Like, do you want to spend them running down hallways with thumb drives on Patch Tuesday and doing upstream and downstream effects? Or do you want them doing real time, like, cyber effectiveness? By the way, they don't like doing the patch management. They like doing the cyber stuff. Yeah, right. So when you get into these scenarios, what are some of the ups and downs that you run into in these conversations about, I'm going to make a recommendation to make a change relative to this pivotal platform, like, how often does that human intellectual capital piece come into the conversation to be able to have real effect on a customer?

 

James Carnall

It's a great question. I think, looking in a perfect... Well, we all want to level up, right? We, you know, this is one of the beautiful things about AI, is everybody's sort of, Oh, please, right? I mean, if I could get my people out of the trenches every day, patching, looking, you know, threat hunting, looking for, you know, just playing whack-a-mole with alerts and different items that have been identified in my network, and even putting together the reports around incidents, right? I have to go to this system and then that system, and then that system, and I have to collate that together, and then, I mean, some of the power we're seeing with embedded AI within some of these tools to help the threat analyst get to a conclusion quickly, right, is extremely important. So, you know, I think what we have is we have a legacy world that we live in where most people are so used to being in those trenches that they've just surrendered to it, right? And then there's the hope of, like, you know, there'll be this miracle, you know, either a single platform, end to end, right? You know, let's buy me some Zero Trust, right? Yeah, or this concept that AI will take care of everybody, and I'll only need one person seat for my whole security team, right? So I think that, you know, again, the wish is there, the will is there. You know, people want to get there. But I think there's a bit of, we're still in a bit of a gap there, of the reality of where we are and the understanding. And look, we have more tools than we have people that are fully trained to fully utilize them, implement them. And look, squeeze every bit of juice out of it, right? I mean, that's part of the issue we're seeing in the seat, is most of the people are there that sort of have an idea or an understanding of all of these tools, but they can't optimize any of them, right? 
And that's, again, part of the level up conversation we're having when we go through and say, Hey, did you know that this technology could do this for you, which meant that you didn't have to do this, and you could move into it. They don't have enough time in the day to do all the training, to have the relationships with all the OEMs they have in their tech stack to get to that point. Yeah.

 

Tom Tittermary

I mean, it's a powerful conversation. It's like, hey, what if I could give you time? And, by the way, for your super smart people, what if I could give them time? Yeah, to re-pivot against this. We don't have time to look at, no, no, it's a short investment in time up front. But the return on this investment, from a time perspective, is massive. And the other thing that we run into, especially with DOD, it's interesting, right? Because when you talk about cloud, the immediate word that comes after it is scale, right? So I can scale and agility and reduce management relative to, like I do SaaS, where I can. I never thought people would give up their Exchange servers, but when was the last time I saw one? Right? Everybody's kind of mentally made that hop from one side over to the other, right? But in the DOD, right? There's this notion of, well, I want to have the same solution for all of my individual components, right? And there's some places where cloud is not necessarily a viable solution, right? I'm not going to get into, like, classifications and areas and network structures and stuff like that. Are there scenarios where you're talking about, hey, to get the most done the fastest, I'll recommend a cloud solution for this huge bank of users that have the ability to use the cloud at this compliance level. And then there's a pocket of conversation I might have for tactical or I might have for classified work. Could you break that down, like, what that conversation looks like, a little bit?

 

James Carnall

Well, again, we're meeting the customer where they are, right? So whether it's NIPR or SIPR or, you know, whatever systems or environments they have, but yeah, I mean, part of our role, I mean, part of Quent's team's role, particularly, is to understand what the challenges are of the customer. How? You know, quite often, when you walk in the room, they'll tell you what the solution that they need is, and then we're like, what's the problem? Let's start with the problem, right? And then we basically work through, okay, so you know, I call it five whys, and why do you do that, and why do you do that, and why do you do that? And that conversation that Quent and team have allows us, you know, again, because we're a very engineering-focused business, to sort of say, Okay, I think we can come back to you with some architectures that will accelerate your ability to solve this problem, to remove, and then, of course, we have people on our staff to get into these more sensitive conversations and recognizing, okay, the 80/20 rule. Okay, so you've basically applied the 20% problem to 100% of what you need to do. Let's break this down. It sounds like we can really implement something successfully and quickly that can give you the efficiency, and we can break off that part, and we can stovepipe it, you know? We can control it, ring fence it is a better word, right? And support it in this very unique way, or this creative way. And that's, again, where we work with our OEMs and, like, Hey, we've got this very specific thing. We think we can bolt these three things together and really create something that is scalable, repeatable, you know, for the customer, and still get to roll out a sort of a cloud solution, or a solution that can quickly address that problem. 
And again, that's one of these things, of having the confidence in the conversation to say, I know you've been thinking about this a lot, but you've been thinking about it through a lens of having to deal with that pain. We're coming in. We don't have to carry that pain with us. And we have the perspective of over 200 different cyber security vendors and implementations in commercial and civilian and SLED and DOD. So we have a slightly different way of looking at the world when we come in the room, yeah, than potentially the customer. I guess,

 

Tom Tittermary

no, absolutely. So, I mean, it's funny, I leverage that conversation about the five whys all the time, and it gets really interesting, because when I'm talking to a customer, I'm just there to help at the end of the day, like I want to help. And the weird cultural part of the conversation is, again, go back to thoughts and beliefs. A lot of people have a lot of beliefs where maybe they should have some thoughts, right? And it gets tricky to break that part of the conversation down, and I find myself kind of teeing up the why question a lot, like I'll say, hey, the next question I'm about to ask, I'm not asking it flippantly. It's going to sound flippant. I mean it honestly, because I have a lack of understanding, and I think I can help, but I want to understand. And my question is, why? And then they go, Oh, wait. Like, because just sometimes why seems like one is challenging you. I think what you did might have been wrong. And it's like, no, no, I can't help if I don't understand, right? I can't. And by the way, I'm not going to be understood until I understand. Let me take 90%, just the way you guys are doing the four hour interviews. If I don't understand this environment, you shouldn't trust faith, then I'm going to be able to give you actionable intelligence on how we think we can make progress in a granular way, right? But I run into that quite a bit. One of the things, and I'll come back around to this one, you know, I'm in a really interesting spot. So I manage all the DOD and IC pre-sales engineers at Zscaler, right? So we're a cloud company, right? And I talk, and I have a lot of interactions, people might not know this, with, like, all of the other major cloud companies that are trying to service DOD, right? And the notion is, well, if I'm in a tactical scenario, and I am in the DDIL scenario, or I'm in a, you know, classified type scenario. 
Well, I have to look at software and hardware, right? And I could use cloud for some of that other stuff we're all kind of working around. I'll bring up identity vendors and not mention them by name too, right? But how do we, as cloud companies, solve for DDIL specifically, right? Because DDIL means cloud went away. So Zscaler, we've solved for it. And if anybody has any, you know, questions or you want to debrief on that around the whole Zero Trust piece, like we went and figured out the DDIL piece, we're working with other people so that their integrations work around the DDIL piece. But is that a component relative to where you guys are working around this? Because I know that there's a lot of value in these cloud solutions. Do you hit that stumbling block sometimes? Of like, Yeah, but that wouldn't work for DDIL, because I know in the industry side, like we're trying to fill that gap so we can, but there's always new

 

Quent Strandburg 

data. Yeah. I mean, James said before, I think it just comes down to, you know, each person's mission and what they're looking to do and where they're starting from, and then we go out and see what meets their needs. But that's definitely something some people say, you know, we don't want cloud, or that's not going to meet it for security reasons and stuff like that. So that is something we definitely come across. Yeah,

 

James Carnall

look, I think our position is, again, we always go back to the OEM and our partners to ask them, What is the art of the possible, right? Because, again, in my seat, I can assume, I mean, every conversation you're having and solving every problem, and you are also, I mean, part of what I love about the lab experience for us, right, for Red River, is we're working with the OEMs, and they've given us pre-release access to certain capabilities. You know, we know that's not in the market yet, but customers may be influenced about making some decisions around holding off or moving forward, because really, we all want to future proof our buying decisions or what we're rolling out. So if we can make a decision that we're like, hey, this will serve me for the next 10-15 years, and it will grow and develop and be able to meet my needs. We're excited about that. We do that with hardware all the time, right? We want to do that with our software as well, and now with cloud solutions, right? So, you know, from our perspective, you know, we consult with the OEMs and sort of say, hey, you know, what could you do in this situation? What's the art of the possible? You know, surprise me.

 

Tom Tittermary

Yeah, right. So question for you, right? So you and me are in the same role where, you know, we're not the man in the arena, we're the guy making sure that guy's got the right flavor of Gatorade. Our job is to basically help out these folks who are out having those individual conversations. How does it usually land at your level? Or maybe the best way to ask this is, what's the best way to engage with Red River? Like people have listened to the episode, they're like, Wow, I need some of that. Like, should they go through, just find their Red River SE and, you know, is it a service available to all, or

 

Quent Strandburg 

so we actually offer this no-cost assessment to all of our customers. We've actually been brought into one, and it's grown to multiple people within that, you know, military organization and stuff like that. So, yeah, reach out to us. We'll get you aligned with the sales engineer and James's team, who do the assessment. The first one, and I'll let James kind of go more in depth on this, is usually on site. We come on site, meet everybody, kind of go over what Zero Trust is, you know, the timelines and stuff that James said. Following that, we do a questionnaire, which is usually a virtual one, where we get all the stakeholders of the technology and ask them questions and find out how they're doing, what they're doing, and then we just come back with the deliverables, which kind of say the, you know, where they are, the green, orange and red, and stuff like that. So, yeah, that'd be a good starting point, to reach out to me. Very cool.

 

Tom Tittermary

Do you guys make house calls? Like, if we have customers? And, yeah, I know, yeah, Red River, but I want Quent, like, can I get out? We

 

James Carnall

do? We do try and support all requests. Not

 

Quent Strandburg 

a lot of them.

 

Tom Tittermary

Yeah. Well, very good. So guys, Tom, do you have anything else to tie in? Add in? So guys, thank you very much for listening. Today, this has been Zero Trusts Given. By the way, our guests that we have on the show will have their contact info and ways to contact them throughout the text of the post, or the podcast release. You can go see them there. Also, please remember, we have zerotrustsgiven@gmail.com if you have any comments, if you want to interact with the show, if you want to send me another email about, Hey Tom, stop sniffling into the microphone. Feedback is always welcome. I apologize. We're still kind of tearing up the last of the winter season. You might not be listening to it in winter, but that's a release schedule thing. But if you have any ideas or thoughts for the show, we very much appreciate it. Also, if you have any questions that you think are like, really interesting Zero Trust questions, if we read them on the show, if we discuss them on the show, Tom and I are working with our marketing department trying to put together some Zero Trusts Given care packages, right? So we'd love to interact and have more interaction with the audience, but I want to thank you guys. Any parting words before we wrap

 

Quent Strandburg 

up the show today? Not for me. I appreciate the time, and thanks for having us on. It's been great. Yeah, thanks. Thank you guys very much.

 

Tom Tittermary

Appreciate it, guys. Thank you very much. And this is Tom Tittermary, with my wonderful co-host, Tom Gianelos. And that's it for Zero Trusts Given this week. Thank you guys. Bye.