The PKI Guy Discusses Top Issues Facing CISOs and Best Practices With David Mahdi

“2022 is not the year of PKI, this is the decade of PKI.”

– David Mahdi

Q&A with David Mahdi, Chief Strategy Officer & CISO Advisor, Sectigo

David Mahdi is the Chief Strategy Officer and CISO Advisor at Sectigo where he is responsible for guiding the future product strategy and roadmap for Sectigo as well as advising CISOs to help them navigate the cybersecurity landscape impacting business today. Previously, he spent more than six years at Gartner where he provided analysis and guidance to CIOs, CISOs, technology providers, and investors in the areas of identity and access management, PKI, blockchain, and cybersecurity in general. In addition, he co-founded the practice and market of machine identity management by introducing it to the Gartner Hype Cycle.


Transcript

TPG: David, what are the top challenges that you’re helping organizations with these days and what are the top pressing issues that you’re seeing? 

DM: What I’m seeing right now is that the jobs of the CISO and security teams are not getting easier. And, the pace of business is only going to increase. They’re also dealing with a lot of regulations, they’re always concerned about audits, and they somehow have to look at actual risk. Then, you factor into that the fact that they’ve been going out and buying a lot of security products, so the biggest thing that I see right now is consolidation strategies. When I was at Gartner, we ran some surveys and the data came out that 80% of CISOs surveyed said that they had a security product consolidation strategy.

TPG: Gartner has this philosophy that came out recently about cybersecurity mesh architecture, kind of along the same lines. What do you think about that? 

DM: Gartner’s cybersecurity mesh architecture is the big thing, right? I mean, if you are a CISO and you’ve got your red and blue teams and purple teams and are out looking for threats … why would you want to traverse multiple consoles to look for these bread crumbs of potential indicators of compromise? How much dwell time are they going to give the bad guys? There are too many consoles. There are too many things for them to have to manage.


Many years ago, I did a presentation with other cybersecurity experts and we basically said that people have got cloud security all wrong. It’s all about identity and data. We came up with these three layers: applications at the top, data access in the middle layer, and at the foundational level, identity. Everything has to start with identity. And that was the precursor to the cybersecurity mesh architecture. CSMA is all about setting up this mesh and it’s all about interoperability. CSMA is very promising, but since it’s a newer concept a lot of folks need to get their heads around it.

TPG: You and I have had conversations around the need for open standards – specifically for cloud and traditional infrastructure, PKI certificates, and more. Why do you think that’s such an important area to be bringing to light?


DM: No one is going to be an island anymore. With hyperconnectivity and with hybrid multicloud, we all have to work together as an ecosystem and as a community. But, let me just step away from our industry for a moment here. Think about Bluetooth and what our lives would be like without Bluetooth. Imagine if you had to install a new driver for every headphone, every speaker, every smartwatch or wearable … it would be a mess. It is kind of a little bit messy right now as it stands, but it’s not as bad as it could be if we didn’t have those standards. So again, that cybersecurity mesh architecture is telling the industry, ‘Hey, you know what, folks, you have to work together.’ Sometimes there might be two competing products in the environment, but that organization wants it for maybe defense in depth or maybe because they just always had it that way historically. You’ve got to work together. Hiding behind patents or proprietary standards is just not going to fly anymore.

TPG: If we expand off of standards and talk about best practices and security controls, why is that an important item for an IT administrator or the C-Suite? 

DM: When I was a Gartner analyst doing thousands of engagements I got to see my fair share of scenarios. Everyone wants to know where they stand relative to others. Part of that, of course, is how they ask about best practices. You can’t necessarily just quit doing the bad habits and all of a sudden tomorrow, just start doing all the good things. That’s tough. People need a realistic road map.

We could go back to Target’s issue that they had 10 years ago with PCI DSS, where they had that audit done and then a month later got breached. Just because you go through those audits doesn’t mean that you’re cool on the risk side. So this is a big challenge today. Yes, you do need to look at those compliance frameworks that you have to adhere to, but also do not take your eye off the ball when it comes to understanding your risk. For best practices, I recommend that security leaders leverage their networks. You can talk to your peers to see what they have done, what works, and what they would consider best practices.

TPG: You mentioned Target. Do you have other examples of what happens to organizations when they’re not thinking about that risk and they’re not following best practices?

DM: There are lots of examples, but I’m not going to say the names of these organizations. Best practices are not perfect practices because there’s no such thing as perfect. Even if you do all of the best practices and you are buttoned up, incidents will still happen. The name of the game is making it as hard as you can for the attackers to get in and mitigating as much damage as possible. One of the things that you can do now is look at how you can consolidate down your security stack and optimize your security analysts in a way that they’ve got the best functional tools that they can use to find those indicators of compromise.


TPG: David, some people might say that you’re kind of the C-Suite Whisperer. One of the challenges that a lot of our customers have is that while PKI is a foundational technology, it’s not really visible to the C-Suite. What messaging would you advise that engineers, architects, managers, and directors use about the importance of properly securing, operating, and applying best practices when communicating about their organization’s PKI to their C-Suite? 


DM: It’s a big challenge and it has been for a long time. It’s always about attaching your message to the larger problem. PKI is attached to a lot of large problems but it’s so down into the weeds that most people don’t understand how important it is. Cryptography is critical infrastructure for the digital world and PKI, of course, is a big part of that. Everything is now digital and we have what’s called digital trust. Even this interview that I’m having with you today, we have our devices, the applications, and our connection between us as we’re having this conversation. All of these things need to be validated, authenticated, and then these trusted encrypted tunnels need to be established. That’s the same when you’re going into Amazon and you’re punching in your credit card information or you’re using your Samsung Gear watch to do a payment on a payment terminal in person. All of that requires cryptography. 

However, we can’t ever expect a CEO or a CFO to truly understand the inner workings of cryptography. Our responsibility is to remind them that the concrete and steel foundation of your business today – every business is digital now – is cryptography and PKI. We have to make sure we invest in the people, the process and the technology to keep this stuff going. One of the things that we’re seeing now are bad actors using ransomware, stealing credentials, and doing all that stuff. We also know that nation states and others are saving encrypted information for the quantum computers of the future to track all this. Over this next decade, we’re going to see a huge sea change and quantum preparedness. The U.S. government just came out to say we need to get the agencies ready for quantum computers and the quantum-based attacks that we know other foreign nations are investing heavily in. 

The outcome of good identity management, good crypto management, and good PKI management is digital trust. Why is that important? Because trust is the currency of everything. And if I don’t trust your business, I’m not going to go to your website and punch in my credit card number. If we do a good job with cybersecurity, the business can be trusted. And if the business is trusted, the brand is trusted, and you’re going to have a successful company.

TPG: We’ve been trying to shift the conversation around PKI to frame it as the foundational thing that impacts business and the assurance of the identities as well as the reputation of the organization. Do you think tools like PKI Spotlight are part of a new generation of tools where the focus is on helping organizations be more efficient and not have to keep their eyes on 50 different systems? Do you think that there’ll be more products coming to market where publishers are trying to find ways of enabling teams, not just by providing a tool, but by providing knowledge, best practices, visibility, and consolidation? 

DM: Absolutely! Kudos to you, Mark, and your team for distilling down all of that experience that you have and delivering a solution that does that. PKI is a technology, not a solution. You have to do work to connect it to applications to enable those applications to do secure signing and encryption and all the things that PKI can bring. What I really like about what you guys are doing at PKI Solutions is your focus on enabling business outcomes. CISOs don’t necessarily want to know about all the plumbing of PKI, they just want to know that it will enable secure email or document signing, code signing, IoT authentication, etc.

Kudos to you and the team for using a CSMA mesh architecture to work with other products and services and bring it into a nice single pane of glass so that analysts can go in, see what they need, see what’s going on and they can go out. Or, they just get reports or alerts. We’ve been long overdue for that. I think this decade is going to force that on organizations.


TPG: What are we going to see in the identity and the machine space in the future? What’s your vision of where things are going in the next five years?

DM: We’re entering a very exciting time right now in terms of what’s happening with the threat landscape and digital transformation. 85% of all entities in the cloud are nonhuman, which means containers, workloads, and virtual machines. All of these things need identity and access management. They need entitlements. I think we’re going to see that blow up quite massively over the next few years. That’s going to involve PKI and it’s going to involve symmetric keys or key management. It’s going to involve HSMs.

When I talk with people to explain the importance of PKI, I say, ‘Did you know that blockchain, Web 3.0, and the Metaverse are all strung together with PKI?’ And, a big chunk of that involves nonhuman entities interacting with each other behind the scenes. They need to authenticate. They need security. They need identity. 2022 is not the year of PKI, this is the decade of PKI. Now we have the use cases, the need, and the threat landscape to justify PKI-enabled applications downstream because it’s what the market is going to need.


TPG: Alright, one final question for you. If you could have a magical IT security superpower and solve one problem in the identity and access management space for every organization in the world, but it could only be one problem, what would you do with that power?

DM: The one problem that I’d want to solve would be openness and interoperability. If we can get vendors to play well with each other and leverage more open standards, that could single-handedly have a huge positive impact on CISOs and their teams today. Even IT generally will benefit from openness and interoperability because that means that IT teams can hold onto any investments that they’ve made a little bit longer and have a better, not forced, plan to kick things out, right? They can actually be more in control of their destiny.

About ThePKIGuy

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
