Corien Vermaak: 0:00
It’s not amateur hour out there. You know what they are defending against are increasingly sophisticated. There truly has been a development in how sophisticated threats are and the attackers.
Michael van Rooyen: 0:12
In a world where every device is communicating, we’re no longer concerned only with connection, but protection. Welcome to Securely Connected Everything, your gateway to understanding the intertwined worlds of connectivity and security. We have a great conversation today, so stick around and we’ll jump right in. Today we’re talking all things Cisco security with Corien Vermaak, the director of cybersecurity for ANZ. Corien, welcome. Thank you very much For the listeners. Maybe you could give a quick introduction to your role as director of cybersecurity at Cisco and your journey that led you to that position at Cisco.
Corien Vermaak: 0:58
Thank you. So yes, as the director for cyber, I sometimes say to people that are not in the know from technology, I’m really fortunate to lead a team of specialists that hope to help our clients better understand how our technology can protect them. That’s really a short summary. Obviously on the ground a lot more complex than that. Sure, you know, clients, and Cisco clients more specifically, have come a long way in understanding that in this resource poor world they’ve got to do more with their technology, and Cisco has been a long time technology partner to most large organizations. So now to have been given the opportunity to also secure the networks that we’ve built for three decades four decades now is a great opportunity For me and my extended team. My team stretches across two countries, Australia and New Zealand, and they are supported by a team of highly skilled engineers, and we are very fortunate to engage our clients on a day-to-day basis to understand what their challenges are, what their business challenges are, and ultimately help them understand how our technology can buckle those challenges.
Michael van Rooyen: 2:24
If I can, say that Sure, sure, sure. And how long have you been at Cisco and how long you’ve been in the director role?
Corien Vermaak: 2:31
So I’ve been in the director role since January and I’ve been with Cisco for five years. Five years the first of September was five years. And coming back to your question of you know how did the journey go for me yes, I’m a unique individual as I don’t have a long-standing career with vendors. I really started my cybersecurity journey I sometimes message it as boots on the ground. You know, having done some forensic work, having done a lot of cyber-operational work, I got given an opportunity to translate that knowledge on behalf of a vendor and in the initial days I remember it quite fondly I wanted to understand really where Cisco is going as a security organization.
Corien Vermaak: 3:24
First, and I was really excited when I saw the initial strategy and that was five years ago and we’ve come a far way in the last five years on that strategy. And now, where we are now excites me the most, I think. But I’ve used my many years in cybersecurity to really understand and also build my team and understanding empathetically, because it’s my true belief that the days where we consult and or sell into an industry like security, where we don’t really contribute and have an empathetic understanding of the challenges, is no longer there. You know, at least when I speak to our customers, and earlier today I met with one of our customers, chief Information Security Officer. They’re looking for partnership, yes, and I think the days have dawned on us where we are expected to be partners to our clients in assisting them on the technology journey.
Michael van Rooyen: 4:30
It’s good to know that you’ve been boots on the ground, which is important right from a strategy leadership point of view, that you’ve actually got the skills in your back to understand the challenges and off the back of that you know your time in Cisco and prior to that, being boots on the ground. Have you seen the cyber landscape shift? You know age of your time in Cisco in the five years, but also over your time in cyber as a whole.
Corien Vermaak: 4:54
So that’s a great question, I think. I think the industry has shifted dramatically, over the last five years at least. But if we take a longer view on that, you know, initially cybersecurity became this discipline that almost was a I want to say a side show yes, a side show to what we did within a technology realm, yes. However, it has gone through this transformation where this side show ultimately became very much perceived as a blocker Because it was heavily entrenched by regulations and audits and compliance and the cyber team, I would say around five to eight years ago, really, really challenged their own technology teams and almost became. I remember the days very fondly when one of my mentors messaged and said you know, it’s the cyber team, is just the business inhibitors. That’s right, that’s right. And I maybe remembered not so fondly because it really dawned on me that there’s a mind shift that needs to happen. And what I find quite interesting is, over the last three years, I would say I’ve seen a bit of that mind shift happening.
Corien Vermaak: 6:25
Cyber teams, security teams, are becoming influences within their business.
Corien Vermaak: 6:33
Not only do they have to influence users why do I have to use multi-fax authentication and why do I have to change my password all the time and it’s dawned on them that they really have to bring their users along on this journey.
Corien Vermaak: 6:49
But they’ve also played a critical role in the infrastructure and technology conversations. We’ve moved away from them only consuming the logs that all of the technology that we implement generate to really defending actively defending our organizations, and that has put a different emphasis on it. So I’ve seen a great shift in the industry and I think when I deal with clients and as of late in 2023 in Australia, it’s no longer a conversation of if but when, and the one thing that all of the information security officers share with me on a day to day basis and with my team is that it’s not amateur hour out there. You know what they are defending against are increasingly sophisticated. Now there’s a play on the word sophistication when we look at how the media reports it, but there truly has been a development in how sophisticated the threats are and the attackers.
Michael van Rooyen: 7:59
From a Cisco point of view. Two areas I’d like to talk on is what is Cisco saying holistically as the most significant security trends impacting the industry and I know you guys cover all industries so I know it’s pretty broad and happy to drill into any particular one but what are you saying the impact there are really the most significant security trend?
Corien Vermaak: 8:23
So I don’t think there’s only one that comes to mind.
Michael van Rooyen: 8:26
Sure, sure, that’s OK.
Corien Vermaak: 8:27
I would want to say that these three what we call macro trends in the security industry at the moment. The one is we’ve arrived at a point where we acknowledge that we will never have enough people.
Michael van Rooyen: 8:42
Yep, OK, fair enough, good point.
Corien Vermaak: 8:44
Nobody that I speak to in the industry say that I have ample staff and I’ve got some CVS to spare. If you needed some, that’d be nice. We are all chasing in a highly competitive skills war resourcing Now. What that means as a mega trend for us as technologists is that we effectively need to do more with less.
Michael van Rooyen: 9:06
Yes.
Corien Vermaak: 9:07
So there’s a massive ask on us as technologists to simplify what we’re doing, but so do the clients. Our clients, the organizations that we try and defend needs to simplify what they’re doing, and out of that there’s obviously a few trends that we may dive into a little bit deeper that. How do we use artificial intelligence to really only raise high fidelity incidents? Yes, yes, critical vulnerabilities, those kind of things where we can use the eyes that we have on screen to really be smart resourcing. So that would be the one mega trend that I identify.
Corien Vermaak: 9:58
The second one would be this multi-cloud reality. If you look at what the gardeners and the analysts of the world are reporting, most large organizations use in access of five different public cloud providers. Now, that effectively means that this software world that we’re endeavoring is posing us with quite a challenge, because we are now not securing any single data center. We’ve got workloads moving around public cloud infrastructure pieces, and that really comes back to how do we protect against that? Yes, and that is a mega trend that’s not going away. Yes, some more mature organizations are consolidating the amount of cloud instances that they utilize.
Michael van Rooyen: 10:49
Yes, yes.
Corien Vermaak: 10:50
But there are unfortunately instances and there’s a few that we can mention SAP, oracle and all of those longstanding technology vendors to organizations that is not rendered in a single instance. So whatever your move to cloud is, there will always be a few outliers. So the second trend is then we’ve arrived at this point of multi-cloud.
Michael van Rooyen: 11:17
Yes, yes.
Corien Vermaak: 11:19
And then the last point is we are challenged by hybrid work and the post-pandemic world has really put the power in the hand of the employee to say I want to work from home and I want to work flexible, and I want to work remotely and I want to be able to have the same access rights from a hotel room, or whether I choose to work on an extended holiday out of Bali, or whether I want to do it from home. And that poses our technology operators with a big challenge. So during COVID we had to respond. In a near knee-jerk reaction, everybody was sent home and we had to re-engineer the way we terminated connections into the then known.
Corien Vermaak: 12:08
But this is now the status quo and HR research is showing that somebody will settle for a job with a lesser income bracket but more flexibility. So that’s quite unique, which means the employee is really really putting a value on the work-life balance, earning their commute, really having the ability to be a little bit more flexible. Now that means, as technologists in organizations, we need to now go and solidify the way we knew things to be working for millennia. I want to almost say so that securing the user is the third mega trend, and I just want to, as an exit, thought on that, so that the user is also the biggest cohort of opinionated technology users.
Corien Vermaak: 13:09
So not only do we have to bring them along on this journey, but we need to remove friction for them, and that’s one of our big challenges is how do we remove friction? Does the user need to always have a VPN on, or do they have to multi-factor authenticate for everything that they do? How do we reduce the friction but ultimately ensure that they are working safely from wherever? Yes, and they are quite opinionated about that.
Michael van Rooyen: 13:36
You know as soon as they have to.
Corien Vermaak: 13:39
if they have multiple hoops to jump to be able to get access to their work, they make sure to voice that and as internal participants to our technology, they are ultimately our clients. So you know we stand at their orders almost.
Michael van Rooyen: 13:58
That’s right. That’s right. It’s interesting how it’s going to continue to learn and talking on the AI and all that and the generative AI component, the chat you piece of the world, et cetera. What is Cisco doing or looking at in relation to not just the AI engines to help improve security and we know that that’s really helping in SOC analysis and all that but is there a vision around asking security context questions of the system and getting user-usable responses back? Is that on the roadmap of vision or not considered yet?
Corien Vermaak: 14:31
So AI is a massive focus for us in security at the moment. There’s two parts to it. The first part to it is that we are at a place where the market is really demanding this concept called dynamic policy decision and again I want to tease that out into a use case a little bit to say that quote that I used to say if everything is normal, step out the way, if your policy is dynamic enough to pick up that all of a sudden this domain or this user is accessing sensitive information or for never seen before access point, the policy can actually inflict a verification process to say you know what we’ve never seen.
Corien Vermaak: 15:23
You use this access point at Starbucks. I like to use the example of a coffee shop.
Michael van Rooyen: 15:28
Sure, sure, sure, we’ve never seen this access point before.
Corien Vermaak: 15:33
We would like for you to re-authenticate. Fair enough, fair enough.
Corien Vermaak: 15:37
But when things are normal, you don’t have to verify necessarily so that dynamic nature of policies puts a high reliance on how the system makes decisions on our behalf, and that we do tremendously well Because, to your earlier point, we have really plumbed the networks for so long. We probably have the vastest amount of visibility In that we have the ability to look at those policy decisions dynamically and we empower security teams to set the parameters of those policy decision-making points. So, for instance, if you’re a financial administrator and you change location or you log off or the session is more than four hours, we ask you to re-verify. That means the user can operate within that dynamic policy realm and they will only be frustrated with the second verification if their environment changes. Now that’s a massive shift for a user in general, you know. So that’s the one part where we see AI already embedded and on the floor.
Corien Vermaak: 16:58
We have a tremendously ambitious roadmap when it comes to the not only the acquisition, but the build out and the absorption of some of our acquisitions and their AI models into what we’re already doing.
Corien Vermaak: 17:17
Now that becomes part of our security cloud strategy and again it ties back into those principles of simplifying, doing more with the less, really having the system do the heavy lifting, and a great example of that as well is what we do from an extended detection and response point of view. You know we’ve arrived at the point where we realize we you know most organizations have got technical debts and we may not be the only security vendor in that organization. So how they secure their network and their networks and their users may be made up of seven, eight, ten, twelve different vendors. Now what we’ve done from our extended detection and response is we’ve built out that artificial intelligence layer where we ingest all of these vendors and we sketch the picture of a certain vulnerability, because your endpoint protection may observe a vulnerability different to how your firewall or your IPS observes the same vulnerability because it’s only got one view on it.
Corien Vermaak: 18:35
Now what we’re doing from that higher layer of extended detection and response is you can think of it as a paparazzi. I always like to use this example. You know, when somebody walks down or an incident happens and you have a crime, for instance, and you have five different camera angles, you get a much clearer view of exactly what happened in that instance. Then, when you only have one angle, yes, yes, absolutely, now that’s exactly how you can see this.
Corien Vermaak: 19:07
Now, what we do from an artificial intelligence point of view in that is that we also layer in external intelligence and we layer in tactics, in techniques, and raise to the top the high fidelity so that our users can ultimately respond quicker. Now, yes, to go back to your question in future. I think there’s absolutely a ask, and not just by the industry and our users, but it is the way how technology is progressing. You want to ask the system where do you see this vulnerability elsewhere?
Corien Vermaak: 19:45
Yes, can you know I’ve become aware of this vulnerability. Can you look at where you see this? So I do expect our systems in future to have a similar capability.
Michael van Rooyen: 19:59
Right. Right, we obviously work very closely with Cisco in a number of areas, but we have our architecture internally securing clients to cloud and it’s exactly that. It’s fundamentally that how do we secure the client to talk to the cloud and make sure the cloud is secure as well? The network is becoming more of a transport. We know more and more stuff is being encrypted, so the network is very important, but slowly becoming less the point to control and secure that data.
Corien Vermaak: 20:23
Well, I think you said very well. But the network has always been important and will always be, but we don’t control all the networks.
Michael van Rooyen: 20:32
That’s right.
Corien Vermaak: 20:33
We don’t control the Starbucks network. That’s right, and therefore we need to shift that control point to the end point. Yes and yes. Sitting with a end point estate that’s got 95% of the end points, that’s got a critical vulnerability, is an absolute nightmare for any senior security leader, whether it’s a chief information security officer or the head of security at a smaller organization. That’s the kind of thing that keeps you up at night.
Michael van Rooyen: 21:06
Yes. So to wrap up the conversation today and I know we could talk for many more hours around all things cyber and hopefully we get another chance to in the near future but what advice would you give businesses looking for a way to enhance their cybersecurity posture?
Corien Vermaak: 21:25
you know, especially in today’s digital age and digital experience and everything being connected, and it comes very on point as we are recording this in October, the Global Cyber Awareness Month. I think my advice for organizations will be that we have to start thinking differently about our critical vulnerabilities, and most recently I said at an event that don’t patch, and there was this very, very awkward silence in the room Because people didn’t want to look at each other to realize that or double check whether that is what they heard. But understanding vulnerabilities, how easy they are to exploit and ultimately, whether they are actively being used in the wild, is a total conversation changer. Now, again, we have an opportunity through artificial intelligence, to really look at what we know about a vulnerability in the wild, whether we see it being exploited, whether there’s a known exploit kit against it, and change the way how we address vulnerability. This means organizations can patch what is critically necessary.
Michael van Rooyen: 22:59
Perfect. Really appreciate it, corinne. For people who wanting to know more about Cisco’s vision and strategy and all the information around cybersecurity, obviously Ciscocom there’s lots of webinars available. Obviously, oro is a partner we can help customers navigate that. We obviously provide SOCSEEM and other cyber services in conjunction with Cisco. There’s obviously Cisco Live coming up and many other ways to engage in the Cisco story. But really appreciate today by a donkey and thank you for your time and look forward to catching up again.
Corien Vermaak: 23:37
Thank you.
Michael van Rooyen: 23:37
All right, see you.