2021-06-06

Organizations need to embrace zero trust, a security model based on the principle of maintaining strict access controls. By default, no one is automatically trusted — not even those already inside the network perimeter. It places identity at the center because all the verification is about the “who” aspect of security.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Rod Simmons.

As vice president of product strategy at Omada, Rod Simmons provides vision for where the IGA market is going and how Omada retains a leadership position. Rod works closely with the product teams and chief technology officer to define Omada’s vision and objectives to achieve the goals.

As a 20-year industry veteran, he has a passion for innovation and software design. He has extensive experience in leading and designing cutting-edge products and technologies. Prior to Omada, Rod spent time at Stealthbits, BeyondTrust, and Quest Software. During his tenures, he held the roles of vice president of product strategy, director of product management and director of solution architects, respectively.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I would like to say I grew up like any American kid. I played football, basketball and ran on my school’s track and field team. I got my first computer, an Apple II, at a young age. I started reading computer magazines and tried to write so many programs with GoTo statements that I had to spend hours debugging.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I had two opportunities when I left university: take a job at a big 6 accounting firm in auditing or take a job at a small computer shop. The job in accounting paid 68% more than the job in technology, which is crazy to consider today. I made the most logical choice for me — I took the job in computers and have never looked back. In retrospect it was the best decision I ever made, as that company several years later collapsed in a massive audit scandal that drove many of the regulations we see today.

Can you share the most interesting story that happened to you since you began this fascinating career?

A story that sticks in my head was doing a Windows NT to Windows 2000 migration once at a large mobile phone company. All was going well until we had a power outage in the middle of the migration. Not a typical power outage, but one caused by a tornado. It was, without a doubt, an event I won’t forget.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

During my career, I’ve met two people that helped me in ways I cannot imagine. One was my roommate at a company event, Brad Hibbert, and the other, Kevin Hickey, became the CEO of a struggling software company that Brad and I joined. Kevin and Brad gave me opportunities in leading a pre-sales team, designing products, running a product management team and driving me to achieve more. I have been fortunate enough to work with them on two ventures and I keep in contact with them today. Honestly, two amazing individuals.

Are you working on any exciting new projects now? How do you think that will help people?

Yes, Kevin introduced me to Michael Garrett, the CEO of Omada. Michael is an amazing person and has all the qualities of a great CEO that I learned from Kevin. I work in product strategy at Omada under our CTO Erik Dibbern and the goal is to chart the future direction of the company.

One key area that identity governance and other markets are trying to balance is AI and its role in decision making. Are customers ready to turn over governance or access decisions to AI? The easy answer is not yet, but we have to balance how we allow AI to start with decision support and recommendations, then transition to making low-risk decisions, then medium-risk decisions, then finally high-risk decisions. We are focused on building that trust transition while using AI.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

The best advice I ever got was never take a vacation less than two weeks long, ideally three weeks. The logic is week 1, all you think about is what you did not get done, what you need to get done, and all the work you have. We have all seen it in our personal lives — it takes five or more days to come off the mental work mode. Week 2 and 3 of vacation you transition into relax mode. COVID has not made vacation easy, but I always plan a 2–3 week trip a year ahead. In fact, my 2022 vacation will be fully planned and partially booked before we start our 2021 vacation. We are planning a family trip to Europe as my oldest child is graduating high school.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Attackers only need to be right once. Defenders need to be right all the time. This dynamic alone makes for an exciting competition, but the playing field is a bit unbalanced in favor of attackers. Clever attacks — necessity is the mother of invention. I don’t think any attack method has shocked me, but I always learn clever techniques that attackers are leveraging. Some allow you to become better at defense, essentially avoiding the mistakes of others. Other methods are alarming as they strike at the heart of how things are designed to behave, thus making a fix incredibly difficult. There is never a dull moment and just when you think you knew it all, you find out you don’t. Today TLS 1.3 or public key crypto is strong, but it is crazy to think some kid could discover a zero day in an encryption method or implementation that the experts never saw and forces a massive industry shift.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Organizations need to rethink the perimeter in the context of identity and the cloud for a modern approach to identity governance. If not, there can be serious consequences.

It used to be that organizations focused on the perimeter when it came to security — it was the “castle and moat” idea. The problem is that once inside, attackers move with ease like any insider, and the castle is only secured from the outside. When employees worked mainly within an office accessing mostly on-premises corporate resources, this wasn’t as big an issue — identity was not the key to security. But that’s changed.

It has been over two decades since we first saw the cracks in the traditional perimeter approach that we could no longer ignore. The frequency, size, and scope of data breaches have put information security front and center. It’s rare that you speak to someone who has not lost at least some information in a data breach.

Now added to that, organizations have adopted cloud services, and there’s been a massive increase in remote work, which means the traditional perimeters have broken down. As the landscape has evolved, we are faced with new operational and governance challenges. In fact, in a new survey conducted by the analysts at Enterprise Strategy Group, respondents reported that 52% of business-critical apps are now cloud-based rather than on-premises.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I have mostly been on the vendor side but I was involved in deploying resources to a customer that suspected a compromise of their Linux systems. Incident response was not in our DNA but as a vendor you know your products better than any customer, so we provided our experts at a moment’s notice to discover the entry point, execute commands, and determine if anything was exfiltrated or backdoors were left in the system. It was a thrilling and educational experience for me.

Fortunately for them, they planted several honeypot accounts and flagged common commands not performed in a specific sequence as a tripwire which tipped off the team. I do think luck is on our side at times, and controls provided full isolation. The entire session was recorded and audited, so we had everything we needed.
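The two tripwires mentioned in that story, honeypot accounts that nothing legitimate should ever use and a known command sequence whose out-of-order execution marks a session as suspicious, can be checked with a few lines of detection logic. The example below is added here and is not code from the interview, from Omada or from the customer described; the log line format, the account names and the operator runbook are all constructed for the example.

```python
"""Honeypot-account and command-sequence tripwires over constructed log lines.

Constructed log format (hypothetical, not a real tool's output):
    <ISO timestamp> user=<name> session=<id> cmd="<command>"
"""
import re
from collections import defaultdict

# Constructed honeypot account names: no legitimate process or person uses
# them, so any activity under them is an alert on its own.
HONEYPOT_ACCOUNTS = {"svc-backup-old", "dba-legacy"}

# Constructed operator runbook: the order in which these commands are run
# during a routine application restart. Commands outside the runbook are
# ignored; only the relative order of runbook steps is checked.
RUNBOOK = [
    "id",
    "systemctl status app",
    "tail -n 50 /var/log/app.log",
    "systemctl restart app",
]
RUNBOOK_INDEX = {cmd: i for i, cmd in enumerate(RUNBOOK)}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) cmd="(?P<cmd>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Return a list of alert tuples for honeypot use and out-of-order runbooks."""
    alerts = []
    flagged_sessions = set()
    runbook_steps = defaultdict(list)  # session -> runbook step indices, in observed order
    session_user = {}

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip it rather than abort the whole pass
        user, session, cmd = ev["user"], ev["session"], ev["cmd"]
        session_user[session] = user

        # Tripwire 1: any use of a honeypot account (one alert per session).
        if user in HONEYPOT_ACCOUNTS and session not in flagged_sessions:
            flagged_sessions.add(session)
            alerts.append(("honeypot_account_used", user, session, ev["ts"]))

        if cmd in RUNBOOK_INDEX:
            runbook_steps[session].append(RUNBOOK_INDEX[cmd])

    # Tripwire 2: legitimate runs step forward through the runbook (possibly
    # stopping early); repeating or reordering steps is the anomaly.
    for session, steps in runbook_steps.items():
        if any(later <= earlier for earlier, later in zip(steps, steps[1:])):
            observed = [RUNBOOK[i] for i in steps]
            alerts.append(("runbook_out_of_sequence", session_user[session], session, observed))
    return alerts


# Constructed sample log: one clean run (s1), one partial run with an
# unrelated command in between (s2), one honeypot login (s3), one session
# that restarts before checking anything (s4), and one unparseable line.
SAMPLE_LOG = """\
2021-06-06T09:00:01Z user=alice session=s1 cmd="id"
2021-06-06T09:00:05Z user=alice session=s1 cmd="systemctl status app"
2021-06-06T09:00:20Z user=alice session=s1 cmd="tail -n 50 /var/log/app.log"
2021-06-06T09:00:41Z user=alice session=s1 cmd="systemctl restart app"
2021-06-06T09:10:00Z user=bob session=s2 cmd="id"
2021-06-06T09:10:03Z user=bob session=s2 cmd="ls /opt/app"
2021-06-06T09:10:09Z user=bob session=s2 cmd="tail -n 50 /var/log/app.log"
2021-06-06T11:42:17Z user=dba-legacy session=s3 cmd="id"
2021-06-06T11:42:30Z user=dba-legacy session=s3 cmd="uname -a"
2021-06-06T12:01:00Z user=carol session=s4 cmd="systemctl restart app"
2021-06-06T12:01:04Z user=carol session=s4 cmd="id"
2021-06-06T12:01:09Z user=carol session=s4 cmd="systemctl status app"
this line is deliberately malformed and is skipped
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running the block prints two alerts: the honeypot session s3 and the out-of-sequence session s4. Session s2 is not flagged because skipping a runbook step while still moving forward is treated as a legitimate partial run; tighten the comparison if your own runbooks never allow skipped steps.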

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Attackers only need to be right once; we (the defenders) need to be perfect every time. With the majority of employees now accessing corporate assets from different locations and devices, the governance of identities and their associated permissions has become one of the top five biggest cybersecurity priorities for most organizations.

Identity management allows you to protect resources and ensure only the right people can access these resources. We have different types of users — from employees to contractors, vendors, partners, and more. Access to any tier of user can be restricted based on time of day, location, device, authentication method or a host of other criteria. No matter how you approach it, resources and identities are the two key elements.

What an identity governance and administration (IGA) solution like ours is supposed to do, essentially, is know what access these various individuals should have inside our (or your) organization. A modern IGA automates security access in a fast, efficient, consistent and accurate way — and at scale. And using a cloud-based IGA solution brings faster time-to-value to organizations and makes IGA more readily available to smaller organizations that would not otherwise be able to afford it.
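The access criteria listed above (user tier, time of day, location, device and authentication method) come down to a policy decision that denies by default and grants only when every check passes. The example below is added here and is not code from the interview or from Omada's product; the resources, tiers, policies and request values are constructed for the example, and the policy deliberately takes no input about whether the request came from inside the corporate network.

```python
"""Default-deny access decision over identity attributes (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    tier: str            # constructed tiers: "employee", "contractor", "vendor", "partner"
    hour: int            # local hour of day, 0-23
    country: str         # ISO country code of the client location
    managed_device: bool # device enrolled in endpoint management
    auth_method: str     # constructed names: "password", "password+otp", "fido2"
    resource: str


@dataclass(frozen=True)
class Policy:
    tiers: frozenset            # user tiers allowed to reach the resource
    hours: range                # allowed local hours of day
    countries: frozenset        # allowed client locations
    require_managed_device: bool
    min_auth: str               # weakest acceptable authentication method


# Relative strength of the constructed authentication methods; anything
# unknown scores 0 and therefore fails every minimum.
AUTH_STRENGTH = {"password": 1, "password+otp": 2, "fido2": 3}

# Constructed policies. A resource with no policy is never reachable.
POLICIES = {
    "hr-payroll": Policy(
        tiers=frozenset({"employee"}),
        hours=range(7, 20),
        countries=frozenset({"US", "DK"}),
        require_managed_device=True,
        min_auth="password+otp",
    ),
    "vendor-portal": Policy(
        tiers=frozenset({"employee", "vendor", "partner"}),
        hours=range(0, 24),
        countries=frozenset({"US", "DK", "DE", "IN"}),
        require_managed_device=False,
        min_auth="password+otp",
    ),
}


def evaluate(req):
    """Return (allowed, reasons). Every failed check is reported, not just the first."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, [f"no policy for resource {req.resource!r}: default deny"]

    reasons = []
    if req.tier not in policy.tiers:
        reasons.append(f"tier {req.tier!r} not permitted")
    if req.hour not in policy.hours:
        reasons.append(f"hour {req.hour} outside allowed window")
    if req.country not in policy.countries:
        reasons.append(f"location {req.country!r} not permitted")
    if policy.require_managed_device and not req.managed_device:
        reasons.append("unmanaged device")
    if AUTH_STRENGTH.get(req.auth_method, 0) < AUTH_STRENGTH[policy.min_auth]:
        reasons.append(f"authentication {req.auth_method!r} weaker than {policy.min_auth!r}")

    # Grant only when nothing failed; an empty reason list is the allow case.
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed requests: one that passes, one on an unmanaged device,
    # one from the wrong tier, and one for a resource with no policy.
    for r in [
        Request("alice", "employee", 10, "US", True, "fido2", "hr-payroll"),
        Request("alice", "employee", 10, "US", False, "fido2", "hr-payroll"),
        Request("vendor-x", "vendor", 10, "US", True, "password+otp", "hr-payroll"),
        Request("bob", "employee", 10, "US", True, "fido2", "finance-ledger"),
    ]:
        allowed, reasons = evaluate(r)
        print(r.user, r.resource, "ALLOW" if allowed else "DENY", reasons)
```

Reporting every failed check rather than stopping at the first makes access reviews easier to audit: the reasons list is what an IGA reviewer or an auditor would want to see next to each denied request.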

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

The key for a cybersecurity team of any size needs to be automation. Automation allows companies to perform better without the need to constantly add manpower. Automation enables efficiency, speed, accuracy and consistent output at scale. Reviewing security logs requires automation for gathering and analyzing massive volumes of data quickly. Identity governance requires automation to ensure consistent output for compliance without human error.

Adopting best practices frameworks is one of the best ways to get started, as opposed to trying to start completely from scratch. Today, there are best practice frameworks that give even a small company the knowledge to run a security program like a Fortune 500 organization. Before you go crazy, level-set and get an understanding of the risks for your organization, and remember that everything you are doing is to mitigate or reduce the impact.

There are security best practices you can use to automate identity lifecycle management, secure privileged accounts, improve password-based authentication and secure cloud workloads. Don’t overlook the basics: you get the highest ROI when you master the fundamentals and then begin to mature your program.

Applying and actively using best practices is a huge accelerator that helps you to create value early and deliver strong ROI — it helps avoid having to reinvent the wheel when it comes to implementing optimized business processes.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

I hate to just say logs, but as we have seen time and time again, the logging most organizations do catches the attack and compromise. Sadly, it often just gets lost in the noise of legitimate traffic.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Prior to a breach, build an incident response plan.

Define a communication plan for both internal and external parties.

Identify who is part of the response team and points of contact for any critical systems that are impacted.

The largest flaw I see is poor communication or no communication. The organizations that have lost my business due to a breach had nothing to do with them being breached, rather it was failure to communicate or the lack of timely communication. Most customers feel the same. You lost my trust because you tried to hide information that directly impacted me. Tell people what you know, how it happened, what you have done to prevent it from happening in the future, and what I need to do now.

The funny thing is, we tell our kids to own up to their mistakes but as adults, so many companies act like children trying to avoid their responsibilities.

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

Omada is conscious of the responsibility of handling customer personal data and we continuously improve our controls. We believe the new regulations will have a positive impact on the business. They are creating defined guidelines on how to handle PII data and establish a more trustworthy environment. Legal commitments might not be good enough in the near future. We are seeing so many infringements of data handling these days; data leakage incidents are always in the news. Certifications will help customers understand how trustworthy an organization is when it comes to personal data.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Organizations that don’t rethink their perimeter in the context of identity and the cloud lack a modern approach to identity governance. This sets them up for breaches and compliance risk. Gartner wrote recently that “many organizations waste time on legacy security technologies that have lost efficacy.” They don’t want to go to the trouble and expense of upgrading, but with the adoption of hybrid IT environments, legacy solutions cannot manage identities and access across multiple applications, clouds, networks and servers.

And there are still organizations that don’t understand the importance of the zero trust model, a crucial concept that I’ll discuss more in a minute.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

The massive shift to remote work that came because of the pandemic accelerated the need for a new approach to security because employees needed access to cloud-based applications. This sudden, large-scale change revealed chinks in many organizations’ armor. In fact, 31% of respondents to a recent ESG survey reported that their organization lost data due to an identity-related cybersecurity incident in the past 12 months. And a recent report from VMware Carbon Black found that the shift to working from home has seen a 148% increase in ransomware attacks. The report also found that 91% of global respondents had seen an increase in overall cyberattacks as a result of employees working from home.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs to Know to Tighten Up Its Approach to Data Privacy and Cybersecurity” and why?

The traditional perimeter has broken down. When employees worked mainly within an office accessing mostly on-premises corporate resources, identity was not the key to security. Now, it is.

Organizations must take identity governance and administration (IGA) seriously or run the risk of data breaches, compromised information and fines.

Organizations need to embrace zero trust, a security model based on the principle of maintaining strict access controls. By default, no one is automatically trusted — not even those already inside the network perimeter. It places identity at the center because all the verification is about the “who” aspect of security.

IGA helps leaders meet compliance requirements, such as data privacy, by delivering needed reporting, processes and controls to satisfy internal and external auditors. For example, being able to document how access is governed is a GDPR compliance requirement.

Using a cloud-based IGA solution brings faster time-to-value to organizations and makes IGA more readily available to smaller organizations that would not otherwise be able to afford it.

How can our readers further follow your work online?

I can be reached on Twitter at @RodSimmons, on LinkedIn at https://www.linkedin.com/in/rodlsimmons/ and at our company website http://www.omada.net

This was very inspiring and informative. Thank you so much for the time you spent with this interview!