Dan Pitman DTX 2019 Interview
NATALIE TURNER [00:00:13] Welcome back to day one of the Digital Transformation Expo. You’re with me, Natalie Turner from Disruptive Live. And my wonderful co-host David Savage. How are you?
DAVID SAVAGE [00:00:26] I was slightly nervous there because of what you keep coming out with.
NATALIE TURNER [00:00:30] I think I could pet names personally, but whatever. So today we are joined by Dan Pitman. Dan, how are you feeling?
DAN PITMAN [00:00:36] Yeah, good. Good day so far.
NATALIE TURNER [00:00:37] Fantastic. So Dan is the principal security architect at Alert Logic Limited. So you’re here today. Tell us a little bit about what you do and why you’re here.
DAN PITMAN [00:00:48] So we’re here to talk to various types of people. Customers here, which is great, prospects and people who want to learn about security generally. So we’ve run some presentations and started to do that, educate people, hopefully. And that’s kind of my job, really, to educate people about what goes on in security, the risks they’re facing. But what’s positive and what’s cool about security as well.
NATALIE TURNER [00:01:07] You’ve been doing this quite a long time, haven’t you?
DAN PITMAN [00:01:08] Yeah. Several years, I guess. I suppose I’ve got a quite diverse background, but security, I think is my passion.
NATALIE TURNER [00:01:15] Well, this is our second interview together. So there are a few things I’d love to talk about that we spoke about last time, a new audience watching. So let’s go over a bit about Alert Logic and delve into a bit more about what they do. Your talk you’re having later. Could you tell us a little bit more about what you can to speak about? And let’s start with that. Before I throw any more questions at you.
DAN PITMAN [00:01:39] I mean, obviously, those two things are connected, right, so my talk’s really about the challenges people face from doing DIY security. So building their tool sets out and trying to run them. And the challenge then specifically the costs and challenges that, you know, it’s difficult. Security is expensive, but it doesn’t necessarily need to be difficult and expensive. You know, you can kind of blend those things. And that’s Alert Logic’s about really delivering good security to people to enable them to focus on their business. Right. So we talk about delivering peace of mind and letting people sleep at night, which is kind of our vision in a sense. I suppose. You know, everyone who works in I.T. and in digital transformation teams and delivery teams, they should be focussed on what they’re having to deliver as far as to their business and not necessarily worrying about the undifferentiated heavy lifting of security, you know, worrying about what new threats there are and things like that. So that’s what we help them with and spotting them in time to stop them. That’s the point, really.
NATALIE TURNER [00:02:35] What do you think the main threats are at the moment? People need to be aware of.
DAN PITMAN [00:02:39] It’s a twofold, really. You know, security is a human challenge, whether you’re talking about the attackers themselves or the people that are being attacked. So even if there are systems in place, you’ve still got someone there needs to be the defender. You can’t fully automate security. It’s not practical. So I think the main thing with security or the main challenge people face is keeping on top of it because it’s so fast paced. So we think about the new vulnerabilities that are released. I think it’s something like 30 a day that are discovered, something around that mark. On average this year. So it’s significant. And so picking out which ones are important, which ones you need to worry about and then making sure, obviously, that you’ve got an eye on it and you’re monitoring for them is the key. I think most people face. So as far as people go in, obviously human beings are under attack from phishing and those kind of things, social engineering. And I think realising that protecting your own data set, but also, you know, keeping an eye on whether or not those people’s details have been leaked as parts of other people’s data is one of the important things that we’re focussed on at the moment.
NATALIE TURNER [00:03:46] I mean, these threats are happening every day. What advice would you give to the average person to help protect themselves against, you know, catfishes and security threats online?
DAN PITMAN [00:03:58] I think I mean, I’m an advocate of trust. I think, you know, you’ve got to have trust in the world. But the main thing is, is that if you don’t know the person, the entity, the organisation that’s trying to engage with you, if you don’t know for sure who you’re talking to on the phone, for example, is making sure that you validate and make sure that if an email comes in or someone asked you to do something, you make sure that you understand who that is, what they’re asking you to do. What that means, of course. And then when it comes to putting your own information out there, I think there was a book in the early part of the last century that talks about security or privacy being dead. And I think that’s a fact. So I think you’ve got to sort of manage things appropriately as far as. Okay, I’m gonna go and join this website register on this Web site. But use your personal email for personal stuff, work email for work stuff and make sure you differentiate between those things for the average person.
NATALIE TURNER [00:04:54] Yes, I agree. That’s pretty good advice.
DAVID SAVAGE [00:04:56] We all come to these conferences with a particular message to get out there to the market. You mentioned before that it’s nice to come and meet people. Typically, who do you expect to meet? And also what kind of questions are they asking? Because it’s all very well with you, with your pretty prepared kind of thought. This is what we’re going to look around. But what questions surprise you that people are genuinely interested to find out about with stuff like this?
DAN PITMAN [00:05:16] I think that the general question, however it’s framed, is how do I stop myself being hacked? Someone came to me last show, actually, and said, how much do I have to pay you to not be hacked? And I said, Well, look, the question is how much do you need to pay us so that when you are hacked, you know about it quickly enough and you’re not going to get a big fine at the end of the day, you know, you’re able to make sure that you have targeted conversations with your customers if their data has been leaked and things like that, rather than having to tell the whole world, which is always the challenge, I think. So visibility is key. I think the key theme and I’m always surprised at this is continuous theme because there was a stat recently in a report that said cloud adoption’s at 91 percent. So everyone’s in the cloud, but people are still asking how do I secure my cloud? And I think that’s because there’s a misunderstanding between the gap between, OK, what do the cloud provider give me as far as security goes and what’s my responsibility? And the cloud provider is like this. What do they wholly control for the rest of it’s still in people’s ball court courts. And so people see the cloud as some kind of panacea for security and for their digital transformation and those things. But it does make things easier. But it’s the same old challenge around IT. You have to bring you end up with this huge amount of effort on one end after delivery. If you don’t bring it forward, you can do 25 percent effort on one side versus 200 percent on the other side. So building things security as code, building transformation and infrastructure as code is the current theme I would say as far as people’s questions asked.
DAVID SAVAGE [00:06:50] That’s an interesting point you make by someone coming up to you say stop me being hacked because the reality is that most organisations will be, but are most people still in the mindset that they can avoid it. Or is that beginning to kind of go? You know what? We are going to get hacked, it’s how we deal with it. That’s more important.
DAN PITMAN [00:07:05] Yeah. Security through obscurity was a phrase before I got into security, I’m guilty of using myself. You know, people don’t know about us. Was something that people would talk about. It’s not a reality. Once upon a time, attacks or targeted attackers would be looking for a company they wanted to breach. And the attack surface was fragmented. You’d have all these different versions of firewalls and things and perimeters and the sorts of stuff and the attack surfaces had to modernise thanks to the cloud, which is good because it means that the perimeter is secure. In a sense, you know, people aren’t necessarily worrying about these different. But what it’s meant if the attackers have shifted and they’re now automating everything and that’s why security through obscurity has gone away. They’re not targeting their attacks. They’re literally scanning the Internet, looking for vulnerabilities. And when their script finds that it will go forward and attack the system for them and then they’ll get some feedback and they can go and carry on their attack. I think I talked about last time. I liken it to Where’s Wally, or Where’s Waldo if you’re in the US, but it’s not like you’re not Wally. Everyone on the picture is Wally although it’s a matter of making sure that you have visibility and the hard part of it is an old boss of mine used to talk about the needle in a needle stack. Because they all like needles, right? They’re scanning continually on the Internet, things that looked like simple injections, things that looked like attacks. But whether they’re successful and whether or not they’re actually in power. The attack itself is empowered to do something at the back end and take data is the important thing. And that’s why that paradigm is just monitoring what’s hitting you has become much less important, but monitoring what’s happening behind the scenes is critical now.
NATALIE TURNER [00:08:46] So what does digital transformation mean to you?
DAN PITMAN [00:08:46] I was thinking about writing on their board earlier and so my background’s sort of development operations and security so both with kind of broad set. And I was thinking about words like, well, fun for a site like digital transformation could be really fun in an organisation. And then chaos. So these two sides of digital transformation I’ve seen anyway, but definitely risk comes into it. I think that in a business, the expectation for digital transformation is going to increase revenue quickly and it’s fast. Transformation is always perceived as being fast in a lot of organisations. And that’s when I talk about, introducing security. You know, if you take one thing away from digital transformation, it’s making sure you play a sec dev ops model to it. And I put sec first some people talk about dev sec ops. But sec dev ops is the import the baking security first and then you can get more time to transform later and you can get a better return on your investment. I think because you’re not then trying to scramble around to make sure things are secure. One step bill, which is much harder.
NATALIE TURNER [00:09:41] Would you say that’s the key message you’re trying to get out today?
DAN PITMAN [00:09:43] Yes. Sec. Security first. Sec, dev, then ops.
DAVID SAVAGE [00:09:46] I never considered that. That’s interesting.
NATALIE TURNER [00:09:51] Neither have I. But, that is fantastic. Thank you so much Dan for joining us. It’s really lovely to see you again. I’m sure in the future we’ll probably have another one of these. But thank you so much for joining us. Absolute pleasure. As I said, that is all from us for now. However, you can join in on the conversation on LinkedIn and Twitter by following Disruptive Live. And you can also hashtag DTX Europe. We’ll see you in a bit.