An Introduction to the world of the Field CISO with Ray Heffer | SOTTC Episode #10

Released Tuesday, 5th March 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Music.

0:11

The following is a conversation with Ray Heffer, field CISO for the Americas at Veeam Software.

0:16

Before joining Veeam, Ray built a career over two decades specializing in cybersecurity,

0:21

infrastructure, and cloud services.

0:24

His journey includes pivotal roles at VMware where he honed his expertise in

0:28

virtualization and cloud computing. This background equipped him with a unique blend of technical skills and strategic

0:35

insights, making him a respected voice in the cybersecurity community.

0:40

This is the Sound of Tech to Come, a Veeam podcast.

0:44

Well, Ray, you've been at Veeam for just over a month now, I think.

0:48

So firstly, give us a little bit of a background about your journey to becoming

0:53

the field CISO for the Americas at Veeam.

0:56

Yeah, I'll try and keep it short. It's funny, security for me really started in the mid-90s.

1:03

We didn't even call it cybersecurity back then, you know, this was, this

1:07

was the heyday of The Matrix coming out in 1999 and

1:10

all that cool stuff but you know i remember as a

1:14

Unix admin, security wasn't even top of

1:17

mind and then i moved into a public sector organization where i

1:20

got hit by the ILOVEYOU virus, and I was an IT manager

1:23

at the time and this was a small organization we didn't

1:26

have a CSO or security manager, you know, I wore all

1:29

those hats but these were the days where i had a

1:32

firewall and antivirus on all the workstations and

1:35

some web and email filtering and it was

1:39

interesting that that cybersecurity incident, that

1:42

virus i dealt with by adding an email

1:44

filter but you know this is where it all started for me and it

1:49

was even in those early days i learned the importance of things

1:52

like user education you know again throughout

1:55

the heyday we you might remember this there

1:58

was a video that went viral, and viral in those days meant

2:00

email, right? It wasn't social media, and there's this video

2:03

of this guy sat in a cubicle on his keyboard he gets angry

2:06

and he smashes his keyboard across his monitor i still

2:09

see it today i still see it today you still see it

2:12

in the very 90s thing but people used to just click stuff

2:15

and he said something else then they used to just click on whatever they received

2:18

in the email and but look where we are today

2:21

it's crazy but it's funny because it was

2:24

after that i moved to an internet service provider and

2:27

i started getting involved in pen testing okay and talking

2:31

about The Matrix, you know, I was using tools like Nmap, and those tools

2:34

you know the 90s early 2000s are still used today and yeah you know pen testing

2:40

i had a mentor and he introduced me to that and i really really got the bug

2:45

ironically I joined the government regulator, so doing a lot around ISO 27001

2:50

and ITIL, which is a big part of what I focus on now.

2:54

And ironically, it was that role that took me away and ultimately led to me

2:59

joining VMware and took me away from security for a little bit.

3:01

I joined VMware in 2011, moved to the US in 2016, and here I am,

3:06

just to speed through that. Speed it up. I had flashbacks, actually, when you were talking about those early

3:12

days of security and around that timing. I think my first security product as such was ISA Server 2000.

3:19

Oh, yeah. And I was in control of that server, right? And it was so raw back

3:24

in the day, like the stuff that, you know, you could see and get away with.

3:28

And it was crazy, man. We were, I remember we were messaging,

3:31

we were looking at desktops, we were looking at email, we were looking at when

3:35

MSN Messenger first came out, you could basically see people's conversation.

3:39

Oh, yeah. Things about memories. Yeah, you could see people's messages in clear text.

3:43

Sometimes I didn't want to see what people were talking about,

3:45

but that's another story. But it's just crazy to think in those early days the level of security was so

3:52

So raw people knew that you still had

3:54

security was a thing, but it's so different today, where now

3:58

the industry is so established, it's

4:01

the thing that everyone talks about in the last three to four

4:04

to five years, specifically around ransomware and cybersecurity

4:06

and being ready, zero trust, which is

4:09

in your sort of wheelhouse but maybe i do want to

4:12

go back to vmware because i think it's important to understand obviously

4:15

we're here, you're new at Veeam, people probably don't know much

4:18

about the role, we'll talk about the role at Veeam

4:22

shortly but maybe take us through that journey in vmware from being a virtualization

4:27

admin and then getting back into the security focus part of the role and your

4:31

last title at VMware was field CISO as well, right? Yeah, it's the same

4:36

role as it, well, that's actually, yeah, it's a good point because, you know,

4:40

I joined VMware in 2011 as professional services and, you know,

4:43

I was involved in a very interesting project.

4:46

Security was still a big part of that. You know, you couldn't deliver an architectural

4:50

design without having security baked into that.

4:54

But I'll tell you something, actually, it was around 2016, soon after moving

4:57

to the US from the UK, that I was working with, I was in the cloud provider program.

5:03

So cloud providers, not, I'm not talking about the big public cloud providers,

5:07

but the smaller ones that are using VMware technology to deliver their services.

5:12

And in our team, we had cloud strategists.

5:16

There was Marwan, JP, who else in Patrick, if they're listening,

5:20

I know these people, I mean, that was my world, right?

5:22

I mean, that's how you and I kind of know each other as well, to a certain extent through that platform, the cloud provider program

5:29

and what I was doing in there. But, uh, that's what I knew about you anyway. So, yeah, there you go.

5:33

It's a small world at the end of the day. It is. And to be honest, you know, I was an architect, you know,

5:39

I was, I think I was on the path to becoming a principal.

5:41

I got that in 2018, but working with these guys, this was, oh,

5:46

six, seven, eight years ago now.

5:49

I was looking at them and thinking, wow, you know, I love what they're doing

5:52

because the VCDX, actually I should mention that I got the VCDX at VMware,

5:56

which is the VMware certified design expert, but that approach is applied to an architect.

6:01

And it really is looking at the business. What are the business outcomes?

6:05

Let's gather the requirements for the business and then ultimately deliver an

6:09

architectural design based on those requirements.

6:12

But looking at the strategists, I was thinking they were so business outcome focused.

6:16

This is where I want to go, but I didn't put that together with

6:19

the security piece until you know a few years later so

6:22

they were like my catalyst, that spark in the

6:25

early days but i wanted to get back to security i ended up

6:28

I did go to AWS, I came back to VMware, I

6:31

was in a DevSecOps role for a few years on the Tanzu team, but ultimately it

6:37

culminated in the role I'm in today, and you know, very thankful to be part

6:41

of that journey with Veeam now. Yeah, because as we've talked about before, and

6:45

people listening would know that this is a new frontier for Veeam.

6:49

And the messaging obviously shifted a little bit towards the end of last year

6:52

when we looked at radical resilience. And really, you know, releasing our first 12.1 release that we released was

7:00

the first one that had very specific security-focused features and functionalities,

7:05

right? And that was the top-line messaging. So, you know, this role obviously has been born out of that.

7:10

And there's no doubt that in our space, you know, within the broader ecosystem,

7:15

security plays a massive part. Data protection is one component of that. And I think you're pretty much in that.

7:22

So what do you see the field CISO role being within Veeam in the context of

7:28

a data protection company? Yeah.

7:31

Yeah, that's an open question there, because within Veeam and outside of Veeam,

7:36

I think people see it as different roles. Outside of Veeam, I'm getting so many messages on LinkedIn thinking I'm the

7:41

CISO for Veeam, and I'm not. You know, CISO is focusing on security for the company.

7:46

A field CISO, I would actually label this as a cybersecurity strategist.

7:51

You know, going back to the cloud strategist I said I worked with back in the

7:54

day, this is a cybersecurity strategist role.

7:57

role. So unlike a field CTO, I'm

8:01

not focused on going deep into a product but

8:04

more focused on the executive audience within

8:08

our customers, and ultimately, you know, that is the CISO, and

8:11

if you look at what they need to do to be successful you

8:15

know many CISOs will have to present to a board of directors, and you

8:18

can't, you just can't go to a board and start talking

8:21

about you know these are the features of 12.1 we've

8:24

got inline malware detection and YARA rules and

8:26

all this great stuff but i've got to translate that

8:29

so i think that's a key essence of my role is translating that

8:33

into metrics and KPIs, things

8:36

they're measured on, help them be successful so they can take that to the

8:38

board and also communicate that to the team. Yeah,

8:42

you mentioned you know that the fact that you're not the

8:44

CISO as such, right? And we had Gil Vega on the

8:47

show in October for Cybersecurity Month, and yeah,

8:50

what he does is crazy is it was an intriguing actually

8:53

one of my most favorite podcasts that I've ever done across the

8:56

board, right, and talking with him and getting all the insights

8:59

from him about his journey towards being the

9:02

CISO of Veeam, what he does in the company, right? And you

9:05

probably don't want that sort of pressure just at this point you know like there's

9:08

tons of pressure on in that particular role but i think to that point what i'm

9:13

gonna say is that you made a really good point about going in and talking to

9:17

these cso's in companies to basically help them strategize about what they can

9:21

do best to help their company survive an attack or be resilient

9:26

before an attack happens, and how you then recover from an attack after that.

9:29

Because my working theory, and I think I told Gil this back in October,

9:34

was that it seems to me like unless you're a seasoned CISO who's gone through

9:39

the ranks like Gil has over the years and kind of earned his stripes.

9:45

A lot of the CISOs that we're seeing being elevated into this role are not traditionally

9:50

strong in that area or their level of experience isn't that strong because it

9:55

is a fairly new position as such in terms of what it gets.

9:59

So is that the challenge that you have actually going into these companies at

10:04

VMware? And obviously you've been doing this for a month now at Veeam.

10:07

Do you think that's a challenge, is educating these people who might not be ready for this?

10:12

It's interesting. I would have said yes, even just a few months ago.

10:15

And the recent experience I had, which was I went in very daunted, a bit nervous.

10:20

I'd just come back from Canada, a huge event by CyberX, as

10:23

a field CISO forum there's around 600 CISOs in

10:27

the room that I'm doing a presentation to as a fireside chat

10:30

and you know that that's you know scary stuff

10:33

right and I went in with this idea in my head that you know these are all going

10:37

to be way more experienced than me and you know why would they listen to me

10:41

after that session and talking with a number of them I was actually quite surprised

10:45

how many CISOs were new into the role, and I actually saw some of this at VMware, and the,

10:51

do you know the number one question I got, and I've had this before was,

10:55

you know, I mentioned NIST cybersecurity framework, and I can talk more about

10:58

that in a moment, zero trust, you know, you pick it, there's hundreds of frameworks

11:01

out there, but the question was, how do we get started, where do we get started?

11:05

They find that quite overwhelming. So we can go in, we can always assume that there's all these CISOs out there

11:11

like Gil, who've got tremendous amount of experience, but actually out there

11:15

with our customers, that's not always the case. Yeah, and I think that was my point. So I think you're confirming my theory

11:21

in that, yeah, it's such a new position and a new role and something that's

11:25

kind of coveted from the outside.

11:28

And then a board or a business or an executive team will say,

11:32

hey, we need a CISO, let's get one without really understanding what that means.

11:36

And then they'll pull someone in without understanding what it actually needs

11:40

and how they need to facilitate that role. So I think, or go for it. Yeah, oh, I was going to say what I also see is they

11:46

all promote the security engineer you know that's been with the company a long

11:50

time. The problem there is, technically they're great.

11:53

But they don't have the business focus, the business side of it. Yeah, yeah, I was going

11:58

to actually, earlier, I'm going to say a joke about a CTO and a CISO walk into a

12:01

room, which also is tied into an Englishman and an Australian as well, but I'll leave it, I'll leave

12:06

I'll leave that alone, but it's an interesting, it's an

12:09

interesting sort of demarcation and

12:12

we've had some good conversations i know you've been working with the other field

12:15

CTOs and the regional CTOs in Veeam

12:18

to work out you know the engagement that we do

12:21

have and it's very complementary in a way in fact

12:24

it is complementary, right? So I'm really kind of interested in how you

12:30

know we've got these roles, we've got one in EMEA, we've got you in the Americas,

12:34

and then we've got one i don't think it's been filled yet it might have been

12:37

filled last week, I'm not sure, but I still think it's not been filled

12:40

in APJ and how effectively,

12:42

you know, we can work together to actually tag team to tell the whole story

12:47

at that business outcome level. Because I think that's the biggest thing that, you know, we can do now is go into these events.

12:55

We can go have these fireside chats. We can go talk to the companies at these

12:58

levels and have the different level of conversation and still be successful holistically.

13:03

And I think that's part of this strategy of getting these roles in place.

13:07

Is that kind of the way that you see it as well?

13:10

Yeah, absolutely. And the reason I think we need those regional field CISO

13:14

roles, you know, I cover the Americas. And, you know, if I was to make my own job title up, I'd say I'm an Americas

13:19

cybersecurity strategist. You know, let's put it there. I like that.

13:22

We've got, there, we'll have one for APJ, we have one for Europe, and the reason for that is,

13:26

frameworks and regulations vary so much. You know, when I speak to my counterpart

13:31

in EMEA, Andre, he's talking about what's happening in Europe, and I should know,

13:36

I come from the UK, but I've been in the US long enough that he's teaching

13:40

me stuff about all the NIS, not NIST but NIS, you know, there's different frameworks,

13:45

there's different regulations. So we've got that focus, but on the other side of

13:49

it, one, there's three things I typically talk about with

13:52

a CISO you know the first one I'll actually focus

13:55

on here is the strategic integration of data protection

13:58

and incident response, and you're asking about what we

14:01

help with, with that one, what we

14:05

are seeing, when I say we, we've got the Veeam Data Protection Trends

14:08

Report 2024 out, you want, and other

14:11

trends analysis reports to highlight this as well

14:14

that there's this gap between IT operations and

14:17

the security teams, and you know, incident response, and going

14:21

back to the security teams, you know, well established

14:24

and well run well oiled whatever you want to call

14:27

it, SOC team, they're going to have incident response playbooks,

14:30

they're going to be doing tabletop exercises where they

14:33

run through a ransomware event and if they've really got it nailed they

14:36

won't be doing that in isolation, they'll be bringing in HR and

14:39

finance and other parts of the organization but that's

14:42

the problem, you don't always see that, so IT operations are like

14:45

the afterthought yeah when it happens i

14:48

mean, again, you gotta, it's when not if. If they

14:52

haven't run through those scenarios and you know you

14:54

might see behind me i'm a bit of a nerd i like fantasy fiction so i always

14:57

liken this to Dungeons and Dragons and, us, yeah,

15:00

those scenarios but it is just that if you have fun

15:03

with it use it as a collaborative effort in your organization

15:06

relationship building internally in your organization and also

15:09

bring in third-party vendors as well i think that

15:12

really strengthens your whole overall security posture

15:15

So that was number one. Yeah, number two I mentioned is GRC.

15:19

Governance, risk management, compliance, mastering that and the security frameworks.

15:25

it goes back to that question i often get asked is where do we get started my

15:29

answer is always just pick a framework. Yeah, NIST CSF, it's only 700

15:34

pages No, I'm joking. It's 52 pages.

15:36

And if you cut off the table of contents and the title page and everything,

15:41

you're down to like 40-something pages of stuff to read.

15:43

It really isn't heavy. You can get through that in an evening.

15:47

And I'd say just pick a framework and stick with it. And then the third one,

15:50

which is the third part of the role I have here, is this proactive ransomware

15:55

defense recovery readiness.

15:58

And that's probably where I will then start crossing over and handing off into

16:02

a field CTO, because that's where I talk about

16:05

all the capabilities we have with early threat detection, inline malware detection.

16:09

We have four eyes security. That always makes me smile because if you remember

16:13

the movie War Games. I do love it.

16:16

80s. I love this stuff. Right at the beginning, there was the nuclear missile launch. Two keys.

16:21

Yeah. Every time I think of that, I think of that. You know what?

16:24

That's exactly what I think about when I think of four eyes.

16:27

We should have actually called it 2K. It would have fit a lot better, I reckon. Or call it War Games.

16:31

Yeah. Yeah. The War Games thing. Yeah. But that was a cool little feature, and actually, to be

16:36

fair we've been adding little bits and features and functionalities like

16:39

that even before 12.1 i mean there was little

16:42

things like MFA, which seems like table stakes type of features, but we

16:47

just didn't have them before you know basically auto log off for the console

16:52

other bits and pieces like that so these little security features and functionalities

16:56

that we've added along the way have just continued to strengthen the product,

17:00

which is a very strong, you know, backup and recovery product and got all the

17:04

other bells and whistles. And so now we're just tagging on all these little important checkboxes,

17:08

which in this day and age, especially we need if we're going to be successful

17:12

out there doing business and protecting people's livelihoods through data protection.

17:17

Yeah, absolutely. It's funny, you know, obviously ransomware is going to be

17:21

the number one topic, you know, whether you like it or not, it is what's driving

17:27

all of this is happening. And in fact, where I was originally from in the UK, you know,

17:31

coastal town near Brighton, there was, uh, I don't wanna mention names,

17:35

but there was a ransomware attack on a local, uh, utilities company just last week. Right.

17:41

And it's interesting to look at that because you can look at this sort of the

17:46

typical template for a ransomware attack.

17:49

You pay the ransom. There's things like double extortion, by the way,

17:51

where this actually happened with them.

17:54

They paid the ransom. I believe they got a decryption key to decrypt the data.

17:59

And one is your data going to be in a good state afterwards is the question.

18:03

But even then, they leak your intellectual property.

18:06

And this is why I'm actually so passionate about this. They're leaking personally

18:10

identifiable information, PII. So it's the IP and the PII,

18:14

which is why I do this in the first place. I'm a huge privacy guy, but

18:17

let me talk about that another time but oh well actually just

18:20

just to put some flavor on that, Ray's got a

18:23

brilliant podcast, which is, it's kind of fresh, isn't it? It's

18:26

the Lockdown podcast. I'll link to it in the notes, but it's great.

18:29

Oh, thank you. I really like the way that you structured it, and

18:32

yeah I mean if I was coming into it without knowing you I'd

18:35

go, a very tinfoil hat type of a guy, right? Like he's

18:38

really big on his security right and identity protection

18:41

but i do some crazy stuff but it is

18:44

it is but i think it's great i think it's well worth a listen as well because

18:48

I think more of us, if we're even like 10% as much as what you talk about, I

18:53

think we'd all be better off right yeah and even that's hard you know in the

18:56

U.S., why, for example, why is there not a default credit freeze on everybody? Because

19:01

with the credit agencies, I don't know what it's like in Australia,

19:03

but we've got the main credit reporting agencies.

19:07

You can go to that and get all sorts of information on people,

19:09

and typically it ends up with junk mail and things in the post.

19:13

If you do a credit freeze, it blocks a lot of that. But it's also used by identity thieves.

19:18

Which is a big way where people get in.

19:22

I know that on Facebook alone, I've been hit about four times in the last couple

19:27

of months by an account that appears to be my auntie in Malta.

19:30

And every time, I know it's not her because I know now that somehow her account

19:37

and her profile has been targeted multiple times.

19:40

But my mum nearly got done by that because it was like, oh, it's her sister.

19:44

You know, it was basically one of those ones where you go, hey, sis, I've met this guy.

19:49

He's saying that if we put €1,000 into this account, we're going to get €10,000 back.

19:54

And my mom goes, well, this is awesome. I'm going to do it.

19:57

And it's a good thing that she was at home when she was talking about that because

20:01

I just looked at the conversation.

20:03

I looked at the tone and the style of the writing. I said, that's not your sister.

20:07

And then I said to her, ask her a question about something that only you would know when you grew up.

20:13

Like, tell her about, ask her about what street you grew up in and that sort of stuff.

20:16

And, you know, straight away it was like, oh, sis, you know,

20:19

why are you asking me that? And it's like, get rid of that right away.

20:22

You know what I mean? It's scary. Very. So, Clancy, you're an AI guy.

20:25

I do like to dabble lightly. Yes, I am dabbling lightly.

20:28

So, I've got a question for you then. There was an incident here in the US where

20:33

the congressman had a call, supposedly from his son, and it was a deepfake voice clone of his son.

20:40

And long story short, he had to pay some money to get his son out of jail.

20:45

Wasn't really there. He went very public with this. What are your thoughts there?

20:48

Because this is scary stuff. What you're describing there, the next evolution of that. It's scary. Like, I

20:53

think there was an incident that happened even a few weeks ago,

20:56

where a financial controller of a

20:59

company, he was actually, no, what it

21:01

was, was the financial controller of a certain company was

21:04

on a Zoom meeting, but it wasn't him, it was a deepfake of him, and he

21:07

was telling all of his accountants to basically pay these

21:10

debtors or these creditors now, and just do it now, and even

21:13

though they were asking like should we really do this it was like yep get

21:16

it done, get it done. It was all deepfaked, and they ended

21:18

up losing some multiple of millions of dollars

21:21

worth of company funds through it right and

21:24

they had no idea that it was a deepfake so you're right it's

21:27

super scary, and I mean, OpenAI only in the last week have released a new technology,

21:33

or haven't released it but announced a new technology where you can generate

21:36

up to a minute of video based on a prompt and oh yeah i've seen that it's crazy

21:41

right where we're at but just think about that in the wrong hands i mean.

21:47

Just having what we had last year with the generative AI capability to code

21:51

and to make your code better and even for someone who wasn't a good coder to

21:54

create something that could encrypt something like an S3 bucket with these.

22:00

Now, if we've got the capability to deepfake with a sentence, that's even more scary.

22:05

So, we're entering some really scary times when it comes to that.

22:09

But I think to that point, it's just part of the natural evolution of technology and where we're at.

22:15

We have to embrace it but we have to embrace it

22:18

from all sides and that means businesses need to

22:21

also embrace it from all sides which also means embracing a

22:24

data protection strategy a cyber security strategy to

22:28

make sure that when you are hit you can recover from it right so i think people

22:33

like you and I, and companies like Veeam, all this technology is coming out,

22:37

it's even more important to leverage us basically absolutely i'm a huge believer

22:42

in that. You know this, but take what's used on the offensive and use it for defense.

22:47

I do this in my privacy world. There's something called open source intelligence

22:50

or OSINT, which is more of an investigative thing.

22:54

But I use defensive OSINT. What information can be found there on me,

22:58

then I'll use those techniques to block it.

23:02

But going back to the AI thing, it's funny.

23:04

Is it called Sora, OpenAI Sora? Yeah, I think it's something like that.

23:08

I was trying to remember what it was, yeah. It's funny. When I looked at that the other day, it says they're opening

23:12

up just for red teamers so security folks and movie

23:16

directors i think well my hobby is cinematography and

23:19

i'm in security so maybe i've got a chance of getting access

23:22

but AI does concern me. Just want to touch on ransomware again, because I

23:27

took on a challenge the other night to write some ransomware using ChatGPT,

23:34

and it took me one evening, and I have an encryptor and a decryptor and an HTTPS

23:39

listener i've actually got. It's not on my GitHub, so please don't go looking for it, but it's on my GitHub.

23:47

But I just want to highlight that that would work. You have to manually execute

23:50

it. It would encrypt everything on your machine. It sends the key over HTTPS to a listener.

23:55

So it's very difficult to extract the key because it's not on disk or it's never written to disk.

24:02

And there's a decryptor. But when we're looking at what's actually going on

24:05

out there, there's LockBit, there's Conti, Black Basta.

24:09

There's all these different groups. But what's actually happening is these are ransomware as a service providers.

24:14

providers. LockBit 3.0, I had

24:17

a look into this to get access you know

24:20

we often just dust this off oh you know script kiddies

24:23

now can go to this ransomware as a service, and off

24:26

they go they don't have to have any knowledge you've got to deposit one bitcoin

24:30

which is like fifty thousand dollars at the moment it is just to get access

24:34

you've also got to prove that you know again reminds me of the matrix prove

24:38

who you are you're a hacker you know show us what you've done show us your forum posts, your breaches.

24:45

There's a level of entry and entry requirements to even get access to LockBit.

24:50

When you do, it's vastly different to what I created with ChatGPT.

24:54

This is a SaaS service, there's command and control, there's support.

24:59

It's crazy. It's a real organization. When I talk about people like that,

25:04

well, it is illegal, but they're a business, they're an enterprise,

25:08

and they're doing great business. Right, they're thriving. I talked about this last year

25:13

a little bit when I was doing some security roundtables in ANZ,

25:16

talking you know around this topic and people

25:19

were amazed that these groups had you know

25:22

help desks that would ring up and oh yeah and help you right and i

25:25

think a lot of people probably people are more educated now maybe

25:28

in the last six months about that happening especially at certain levels but

25:31

the majority of people if you go and tell that story like you just did they'll

25:34

go, get out of here, man, that's crazy stuff, like ransomware is

25:37

a service, that's what it is, but to your

25:40

point the people that are getting access to that need to be some pretty malicious guys

25:43

to start with, right? So you already know they're pretty bad

25:46

guys if they're getting access to that for sure

25:49

yeah for sure and you know they've got criminal backgrounds you

25:52

know that, you know, the ransomware as

25:55

a service operators, they're getting like a 20% cut, you know,

25:58

they're making a fortune from this but this is i think where we start crossing

26:01

over the level of sophistication you know it's far beyond what i can knock up

26:06

with ChatGPT, even though I've got a functional ransomware ethical simulation.

26:10

Yeah, I'm not going to obviously use it, but they're just far beyond that, and I think it opens up this.

26:18

And I'm just thinking openly here, nation states have that level of sophistication.

26:22

And this is what concerns me. Things like LockBit, Conti, they come from adversaries, you know,

26:27

Russia, Iran, North Korea.

26:30

And I just think we're going to see more of that. And the other thing that concerns

26:35

me is AI is very interactive at the moment. You know, we ask it to do something, we get it back.

26:40

When it starts to perform actions and we can say.

26:43

Hack this website or perform a ransomware and it does it for you,

26:47

that's then really scary. Yeah, you know

26:50

what, it's funny, without giving away what I'm

26:52

working on for VeeamON, there's a little bit of that as

26:56

well, like turning just a two-way conversation into

26:59

something that's actionable and saying, hey, like, you know,

27:02

in a good way though, for good, you

27:05

know, get me the version of a server.

27:09

Okay, it's server X. Go online and check

27:11

if there's a recent update for it. Okay, there is.

27:14

Now I want you to stop all backup jobs, take a backup

27:17

of the config, and then patch it, patch the server.

27:20

And in theory that could work,

27:23

right? So if you take that, which is

27:26

really using AI for efficiency and kind

27:29

of a natural language way of interacting with platforms, that

27:33

in a negative sense, in bad people's hands, holy moly,

27:37

that's scary to the next level. I

27:39

mean, yeah, I mean, we could talk for hours on this particular

27:42

subject in terms of the threat landscape that is out there

27:45

today that's evolving more and more. But

27:48

I think the good thing that you mentioned is that as one

27:52

side evolves, so does the other. And I think

27:55

that's where we come into play as a company. It's where Veeam works with our

27:59

ecosystem partners, with our great security partners, to be able to offer an end-to-end

28:04

solution to, you know, mitigate, protect, and then recover. I think that's

28:08

what we're going to get to. Hey, I just want to finish with a couple of questions around.

28:14

Which is related to that actually, you know, Veeam and a lot of backup companies

28:18

have tried to or have pivoted to security as a messaging, you know, first.

28:24

And I think Veeam's still, you know, pretty much at its core a backup and recovery

28:28

company that talks about that, you know, first and foremost.

28:32

And obviously, we're releasing more and more features to, you know,

28:36

help in that cybersecurity space, which is what you have to do.

28:38

How have you found that coming into, you know,

28:41

from VMware in that world to the backup world as a security professional and

28:48

trying to look at the interlock that's happening and the sort of blurring of

28:52

the lines between data protection and security?

28:55

Yeah, it's interesting as an outsider in a way, you know, I look at vendors

29:00

and they're touting zero trust in these frameworks and I look at it with skepticism

29:05

and, you know, I'm going to critique it.

29:08

What I really love, what we are doing at Veeam is not just taking that as this

29:13

marketing ploy and, you know, all of our products are zero trust certified or

29:18

whatever you want to put on there. What we're actually doing is, you know, it's actual capabilities, but it's almost

29:24

like an extension of zero trust. So there's, I mentioned CISA, you know,

29:29

this is Cybersecurity Infrastructure Security Agency in the US. I might have

29:33

butchered that acronym, but CISA, they have a Zero Trust Maturity Model, and there's

29:37

five pillars here. So it starts with the user, the device they're using,

29:42

the application on that device, the network, and then data at the end. And

29:46

often what we see with customers is they're on a zero-trust journey.

29:51

And this could apply to any other framework, but let's just take zero-trust as an example.

29:55

And they will get so far and stall, hit a brick wall, because if they work with

30:00

a vendor, that early momentum stops.

30:03

So by the time they get to data, it stalls. But even the framework itself,

30:06

it refers to NIST and other frameworks.

30:08

But I think for us, we've got this amazing opportunity to

30:12

really educate not just customers, but I'm talking

30:14

about the cybersecurity industry, of the

30:18

zero trust, you know, that extension into recovery. Because, you know, at the end

30:22

of the day, it's going to happen. And if paying the ransom isn't going to get

30:27

you the decryption key, and even if it does get you the key, if it gets you a

30:30

clean restore, that's unlikely too, because typically you get this janky script

30:35

and it doesn't work properly. You've got to bring in other incident response companies to work with you.

30:40

If you've got an immutable backup that can't be touched, it goes back,

30:44

you know, the CISO will know about this, the CIA triad, confidentiality,

30:48

integrity, availability, if you've got a backup that's integral,

30:51

it hasn't been touched. It's not being messed with.

30:54

Then you've just cut through all that other nonsense because you can then restore.

30:58

And ransomware groups, they are going to target backups. You know,

31:01

that's, and that's another thing that this ransomware as a service does automatically.

31:05

It's looking for backup targets. It's crazy.

31:09

Yeah. And who's, and who's the number one data protection company in the world? That's us.

31:13

That's Veeam. And that's why we're getting targeted more and more.

31:15

I think it's not a surprise that, you know,

31:18

when competitors go, well, Veeam's getting targeted quite well.

31:20

No, of course, because we have the biggest numbers out there,

31:23

right? So that's kind of the way that it works. I think that's actually interesting as well because in the data protection report

31:29

last year, I don't know the specific number, but I remember that you really

31:32

want to get down to not paying the ransom and being able to recover your data in its entirety.

31:39

I think that's the whole trail, right? So not paying the ransom and getting all of your data back.

31:44

And from memory, the percentage of that that people were able to have a combination

31:50

of that was only about 10 to 20%. So, Veeam's mission really in life is to make that 0%.

31:56

Like everyone is basically getting their data back through a validated recovery

32:02

without paying the actual ransom as well. So, that's where we have to be.

32:07

Hey, quickly, zero trust as a sort of word, as a vibe, as a marketing thing.

32:13

How are you looking to take that zero trust message and apply it to yourself

32:19

when you talk to customers and partners and other CISOs in your role?

32:24

Yeah. So I think a number of things is education around it.

32:27

You know, so often, and I hear this from other CISOs, I hear,

32:30

oh, zero trust, it's just another form of least privilege. It's just another

32:34

name for least privilege. That's what I would have thought, actually, if I was talking about it as an

32:39

uneducated individual, that's how I would basically describe it.

32:42

Yeah, and don't get me wrong. Least privilege is a core component of zero trust, but it's not the only thing.

32:48

And if you look at the core premise, it's never trust, always verify.

32:52

So you can apply it to, I mentioned DevSecOps earlier, you can apply it to that.

32:56

Imagine a developer, they're at their keyboard. Are you going to trust the code

33:01

they're committing to the Git repository is secure?

33:04

No, you're going to do checks at that point. So then it's committed.

33:07

Are you going to trust the images they're using for containers are secure?

33:11

No, you're going to have a secure container repository. So that can fall into it as well.

33:16

It's not just about, you know, privileges and having, you know,

33:19

the least amount, the minimum level of required permissions.

33:23

You've got to expect every single step, which is why CISA have those five pillars,

33:29

by the way, you know, from the user all the way to the data,

33:31

every step and everything in between is verified every time.

33:35

You know, a great example of this, multi-factor authentication.

33:38

It might be seen, okay, checkbox, we've got

33:41

that. But look at how that functions. We've seen cybersecurity incidents where

33:45

this thing called MFA fatigue, where developers, I won't mention names,

33:50

that they were spammed constantly until one of them, it just takes one, hits approve

33:56

by mistake. And it depends on the implementation of multi-factor authentication,

34:01

but it just takes that one to get into the organization. Yeah, so zero trust allows

34:06

you to look at your technology as well and go, okay, could that happen?

34:10

So I'm a big fan of it, but some vendors, not us, but some vendors do,

34:15

I think, overmarket it and make out you just, you know, it's almost a joke in

34:20

the cybersecurity industry is, oh, zero trust. We just need to put this appliance in and turn it on. Hey, we've got zero trust.

34:25

Well, it doesn't work like that. It's also people and processes.

34:29

And I think it's going to have to continually evolve, you know,

34:32

all the stuff we talked about with AI and deep cloning of voices and video now.

34:37

Yeah, it's certainly not ready for that

34:40

yet, but I'd be interested to see how it evolves. Yeah,

34:43

well, hey, thanks for being on. I think it's been a really, we could

34:46

have probably chatted, and maybe, you know, we'll look at having

34:49

some sort of side series of this particular over the next 12 months, or even

34:54

as you continue your journey here at Veeam, because I think it's just fascinating

34:58

talking about the stuff. I think other people want to hear it as well, because

35:00

you've got tons of stories, tons of experience, and I think it's a really good

35:04

introduction to the world of the Field CISO at Veeam Software.

35:08

So looking forward to working with you and your team.

35:11

And I think it's going to be a real advantage for Veeam in general to have people

35:17

like yourself with your level of experience now working for the good guys.

35:21

So hey, thanks. Thank you for having me on. That's okay.

35:24

No worries. Until next time, we will catch you on the Sound of Tech to Come,

35:29

a Veeam podcast. Thanks for being on the show, Ray.

35:33

Music.
