May 11, 2023

EP 27 – How Identity Factors into DevSecOps

In today’s Trust Issues episode, Dusty Anderson, a managing director of Global Digital Identity at the consulting firm Protiviti, digs into all things DevSecOps and cautions against a one-size-fits-all approach. In conversation with host David Puner, Anderson emphasizes the significance of strategic planning and well-defined goals – demonstrating how bite-sized steps can add up to major security wins and bottom-line benefits over time. She also sheds light on how the intricate web of identities – both human and non-human – shapes the modern development pipeline, underscoring the importance of visibility, governance and Zero Trust-based thinking. Tune in for insights to help fortify your cybersecurity practices and unlock the full potential of effective DevSecOps strategies.

[00:00:00.270] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

[00:00:24.200] – David Puner
The automotive industry is synonymous with innovation. In 1913, Henry Ford transformed manufacturing forever with the first moving assembly line, shrinking the time required to build a car from 12 hours to just one and a half. Today, automotive trailblazers are tackling new challenges. As electric vehicles take the world by storm, software innovation is the key to scaling EV infrastructure to meet growing demand, powering millions of EVs on the road, and optimizing manufacturing processes for the vehicles of the future. Yet in many ways, modern development and DevOps practices still follow Ford’s early manufacturing principles of speed and efficiency.

[00:01:07.730] – David Puner
But in a hyper-connected world where the risks are much higher, security by design is both an imperative and a shared responsibility. The good news is it’s achievable, according to today’s guest, Dusty Anderson, who’s the Managing Director in Protiviti’s Global Digital Identity Practice. That’s Protiviti, the global consulting firm, and a CyberArk partner.

[00:01:30.190] – David Puner
In our conversation, as you’ll hear, Dusty talks about identity’s crucial role in moving toward DevSecOps, that desired secure modernized state to effectively balance speed, risk, and usability. Dusty’s clients find themselves in various stages of cyber maturity, so she has a pretty strong finger on the pulse of where organizations and varying industries stand when it comes to identity security. We dive into DevSecOps challenges, opportunities, and cultural implications, along with proven shift left practices for strengthening security and enabling confident innovation.

[00:02:08.100] – David Puner
It was great to talk with her. Here’s my conversation with Dusty Anderson.

[00:02:15.630] – David Puner
Thank you for joining us. To start things off, as the Managing Director of the global consulting firm, Protiviti, you guide clients when it comes to cybersecurity and things related to cybersecurity. To get an idea for what that’s all about, how do you start with a new client?

[00:02:33.400] – Dusty Anderson
We try and meet them right where they are, wherever their journey is at that point. Clients are coming to us from a multitude of avenues here at Protiviti. I never know if it’s going to be a call coming in from an audit that they’ve struggled through, or if they’ve got a breach, and we’re on a rescue mission immediately, or if it’s one of those clients that are really having the foresight and trying to think about and strategize their journey and aren’t in a rush. We try and just understand where they are, what they’re calling in for, and then really assess, all right, what’s going to be the real mode of success for them?

[00:03:16.910] – Dusty Anderson
No client’s the same. When I’m picking up the phone or joining a web conference, what the problem is going to be or what the real problem is. I think that’s sometimes the real adventure, I would say, with working with clients is they are calling in thinking that they have identified the problem. I would say, nine times out of 10, it’s probably also or could be completely something else. It’s trying to help them peel back that onion and figure it out.

[00:03:45.020] – David Puner
That sounds a little bit like when you start Googling health concerns, and then you contact your doctor, and you say you know exactly what it is, and they say, “Well, actually, maybe tap the brakes because I’m the doctor, and I’ll figure that out.”

[00:03:55.620] – Dusty Anderson
Exactly, yeah.

[00:03:57.570] – David Puner
You and your team, how big a team is it? Aside from getting those calls and doing the strategy, what is the overall charge?

[00:04:07.930] – Dusty Anderson
I lead a few specific teams, and I’ll say… Part of my responsibility is leading our privileged access security teams. I also lead a talented team of customer identity strategists and implementers as well. I co-lead our digital identity practice. We also have a large team that really lives in this space of identity governance and administration and role-based and policy-based access controls and things like that.

[00:04:36.510] – Dusty Anderson
I say I’m one of many practitioners in the digital identity team, which is about 120 plus strong for us globally. But we don’t go that alone. We also share our approach with our colleagues in our cloud security teams and our architecture teams. We have a wide practice in technology consulting, and so I love to parachute in someone that might be a specific expert as we land on a problem.

[00:05:07.150] – Dusty Anderson
Just the other day, it was, “Well, we’ve got all these permissions in GCP, and we’re not really sure what we’re doing in GCP.” “Okay, great. I know the PAM side of that problem, but it’s a bigger problem. I’m going to pull in my GCP experts and just have that conversation with me.” The client doesn’t always need to know that we’re all a microfocus behind the scenes.

[00:05:30.730] – Dusty Anderson
We want to come to them and really just show a united front because that’s how they’re tackling the problem. They’re not necessarily always concerned, “Well, this person’s in this department over here.” We’re all coming to the table trying to solve a problem together. We, as consultants, I think, should definitely approach it that way as well.

[00:05:48.260] – David Puner
One of the things probably that comes up fairly frequently these days, and I guess to level set for the folks out there listening who may not know what DevSecOps is, or maybe need a refresher, what is it and how does it differ from DevOps?

[00:06:05.280] – Dusty Anderson
DevOps is all about speed, automation, quickness to deploy, as little human interaction as possible. If you’re listening to that and thinking about that, speed and security do not go hand in hand in any world. That’s where DevSecOps was really born out of is the DevOps world really came up first. Everyone was building, building faster, building stronger.

[00:06:28.550] – Dusty Anderson
There was a need for security around that build process of quick deployment into production and getting things orchestrated in such a fashion with all these automated tools and code and really trying to reduce the amount of human interaction in that development work as possible. Thinking through all those things that lacks visibility, that lacks the pause for security, and testing and things.

[00:06:56.590] – Dusty Anderson
The DevSecOps framework really came alongside of that to try and complement that process but create a little bit of that balance of making sure that there are some checks along the way there in checking that code and checking that deployment so that you’re not immediately throwing things out there into production that could really collapse your environment or collapse your brand overnight and things like that.

[00:07:22.410] – Dusty Anderson
DevOps folks really think about, “I want to make minimal disruption to the user experience. I don’t want this to go down. I want the user to be able to just write through and make it seamless as possible.” For DevSecOps, “Yeah, that’s great, but we still need to make sure that it’s secure before we throw that out there,” and not throw it out there, really thoughtfully place it out in the environment or into production.

[00:07:47.420] – Dusty Anderson
I think that those worlds can collide a bit. We certainly, as we meet with our customers, sometimes feel that push pull tension of we’re trying to do things fast and the other team is trying to just, “Yeah, I hear you, but I want to do it secure.” There’s a little bit of that striking that balance. Really, that’s what identity and access management is all about. I think that’s an age-old clip we’ve probably all heard over and over of striking that balance between security and business enablement.

[00:08:21.080] – Dusty Anderson
DevSecOps is really, I think, at the cutting edge of how do you do that as fast as possible, but with those security measures still in place, where you’re enabling more just in time features so that the speed is there, and you’re trying to make it as frictionless as possible. But if there is friction, it’s with a purpose that it’s a quick sound bite, if you will, in their day of trying to get their job done and making sure that there is still rapid deployment, but that it has that boundary of security and visibility and governance that traditionally they just lacked.

[00:08:57.640] – David Puner
We’ve already touched upon the security aspect, obviously, but what are the benefits of DevSecOps, the security and the speed? What are the other benefits of it?

[00:09:06.330] – Dusty Anderson
That’s really it. Security and speed. Credentials are still the main problem. If we think back to—I was promising myself I was not going to use this analogy, but it just has to—SolarWinds. I know it’s buzz phrase, hashtag, everything out there. We’ve probably overheard it, but credentials in clear text that were compromised.

[00:09:28.830] – Dusty Anderson
It’s very simple. We’re still trying to protect these credentials. When you see SolarWinds 1, 2, 3, it’s like, “Okay, come on. That was quite obvious what was going to probably happen there, but no one really checked through that and thought through that before they deployed that code.”

[00:09:46.360] – Dusty Anderson
We’ve got to be careful about what we’re going to do and how we’re going to do it. The still when, what, where, why, and is it necessary is really still something that we need to be thinking through no matter how fast we’re going. There’s automated tools in place now to help you think through that process faster, do those validation steps, but those steps still need to be done.

[00:10:09.940] – Dusty Anderson
It’s not necessarily that you have to have still all the testers and the QA team being the 20 plus people in your organization. A lot of companies have gone and found ways to automate some of those testing scripts and testing procedures, but you still have to be able to run those and have to be able to have that validation there. Then to have that centralized solution in place is really critical to close that gap and making sure that there is constant visibility into what’s being done.

[00:10:44.940] – David Puner
I think it’s worth asking, how can DevSecOps practices help address vulnerabilities in organizations’ development workflows and environments?

[00:10:54.190] – Dusty Anderson
When they can find them, and I think that’s one of the biggest things is finding them, looking for them, hunting for those vulnerabilities and weaknesses, and addressing them as they’re being found, not being retroactive. That’s, I think, another big difference between DevOps and DevSecOps is DevOps tests at the very end and says, “Okay, it looks great. Let’s throw it out into the environment,” where DevSecOps is doing those micro touchpoints along the way to really identify where that vulnerability could be and stop it there before it gets even bigger and snowballs out.

[00:11:30.770] – Dusty Anderson
Someone gave me the example the other day of DevOps really came from the automotive industry if you think about the way that we build a car. It was just so simple. I’ve lived in this cybersecurity world for so long, you forget about the simplicity of where a lot of these practices started from. As you’re building that car, yes, it’s the wheel, it’s the axle, it’s the engine.

[00:11:52.670] – Dusty Anderson
But someone had to test that engine. That was third party, maybe that are supplying the engine, so you hope that they’ve gone through their rigorous testing to know that that engine is going to run and do everything that it was built to do, all the way down to all the spark plugs that are being put into that car.

[00:12:08.950] – Dusty Anderson
Then us as a consumer, just expecting that, hey, this has been certified from name your favorite car type, and you’re going to put your family in it, you’re going to drive off, assuming that it’s been securely tested and everything like that. Well, that’s the balance of DevOps and DevSecOps as well is DevOps, they want to build, and they want to build that car as fast and make it through the assembly line as fast as possible.

[00:12:33.410] – Dusty Anderson
DevSecOps is going to say, “Wait a second, would you put your family in there yet? Let’s go along the way and make sure that there’s incremental testing so that if this lug nut is not staying on the wheel, it doesn’t pass go. It doesn’t have to necessarily do with the engine, but the smallest detail could still cause you to go off the road.” And so really thinking through and measuring all those details in that build process are really important.

[00:12:58.840] – Dusty Anderson
But again, being able to do that quickly along the way is really still the mode, especially in DevSecOps. It’s not your traditional PAM. I think that’s where clients can go off the rails. If they have done traditional IAM and traditional PAM for long enough, you get in this mode of human interaction, and they forget about that non-human element, the speed element that is certainly out there now with the crawl and sprawl of cloud.

[00:13:30.370] – Dusty Anderson
It’s explosive. Things are moving at a much faster pace. If you go at these projects or engagements or implementations like you would a normal PAM project, you’ve already started off a little bit on the wrong foot because you’re expecting those conversations and the project mode to follow the same style as what your DevSecOps teams are going to be interacting with you like. You’ve really got to almost take your traditional identity hat off and put a really modernized identity hat on to be able to talk and think like these technologies and tools that are out there in that space.

[00:14:10.490] – David Puner
That’s really interesting. How much of this comes down to the need for simplicity, and then how much of a struggle is that?

[00:14:19.380] – Dusty Anderson
I think it’s a constant struggle because all of these tools out there when you’re talking about the DevSecOps space, there are so many tools and niche tools, and each one wants to inherently interact on an island. They aren’t built really to play well together is what we’re realizing. The solutions that we’re trying to deploy are built to integrate individually with each of these tools so that you have that hub, you have that visibility there.

[00:14:50.670] – Dusty Anderson
But that complexity is growing. It’s not going away. Being able to standardize some of these policies, standardize the way that we’re capturing these credentials, managing credentials on the back end, that’s helping to keep the complexity from getting out of control, and being able to find simplicity where there is that capability and also understanding and recognizing where it gets overly complex.

[00:15:17.690] – Dusty Anderson
How do you peel that back? How do we look at that and not let it become a snowball? What is causing that additional complexity? Is it because you have an entitlement sprawl in cloud, and you’ve just let it go for too long, and you need to do some cleanup there? Are your teams going out and grabbing tools and not giving you that visibility in?

[00:15:37.570] – Dusty Anderson
It’s amazing to me still that fundamentally, we lack sometimes just simple communication of, “Hey, not sure if anyone knew this or not, but we just acquired this tool, and we’ve deployed it into our environment.” Just sometimes that simple email out or announcement can make a huge difference with our clients, where they’re sometimes just literally running scans to just see what applications just got stood up in their environment that they didn’t know about.

[00:16:05.040] – Dusty Anderson
Rather than being able to have an open dialog and make sure that there’s a process in place for when new applications get onboarded into their environment, there’s a policy and a procedure for that. Sometimes still, it’s a simple business process that gets left behind because technology and tools are just growing, expanding so much in that environment.

[00:16:25.760] – Dusty Anderson
You’ve got to have that back and forth of that still conversation and steering committees that are really thinking about and talking about what’s the vision, and how do you get there, and how do we control the number of tools that we really are managing in our environment today and making sure that there’s justification. The Wild West is real.

[00:16:46.290] – David Puner
Your clients, is it typically the CISO and the CISO’s team, or does it vary per organization?

[00:16:54.820] – Dusty Anderson
It would vary, but I would say primarily, that’s usually our audience. Mostly CISO orgs who we’re typically working with, occasionally CIOs, and that’s usually just simply because they don’t maybe have a CISO role, or they have a deputy CISO stepping in. But I would say traditionally, we’re working very closely with the CISOs.

[00:17:20.380] – David Puner
How high is DevSecOps and DevOps as far as top of mind goes for the CISO and their team?

[00:17:27.080] – Dusty Anderson
I definitely think that it varies, because, like I said earlier, we have folks that are still really thinking about their world and traditional identity, and they’re not maybe even really doing that great of a job deploying traditional identity measures and tool sets. Again, going back to meeting clients wherever they are in their journey of maturity in this space, there’s still a wide variety out there.

[00:17:59.570] – Dusty Anderson
I really thought with the SolarWinds, that was such a hot topic that I really thought we’d see a rapid change. It felt like it got quieted a little bit faster than I would have imagined. It didn’t create the wave of change like I would have anticipated in our security posture across the board.

[00:18:24.020] – Dusty Anderson
We had some clients that were really reactive to that, but they were reactive to plugging the problem and not really thinking about how do we prevent this from happening again in our environment. Our incident response team here went through the roof of like, how did this happen? The forensic investigations were on.

[00:18:48.010] – Dusty Anderson
Maybe they changed a little bit of their DevSecOps posture, but they didn’t really think all the way back into how does this relate into PAM? How does this interrelate into some of our other identity best practices? Or do we even have good best practices in place here? Are we meeting the right criteria to prevent this truly from ever happening again? Do we have a better ability to monitor and be more proactive with that instead of waiting until the wheels fall off the car again?

[00:19:20.780] – Dusty Anderson
That was, I think, really surprising to me. I think that part of that is because, one, we all know that funding is the biggest key. For security programs, for tools technology, funds are limited. While we have a big problem and we want to tackle it, we have to do it with the funds available to us. I totally understand that.

[00:19:43.580] – Dusty Anderson
But I think not even doing a strategy and trying to understand and roadmap out where do you want to get to and how long is that going to take you to get there and what smaller investments can be made versus doing nothing. I think a lot of companies did something, but did they get the biggest bang for their buck out of that? That’s what I would probably challenge our industry to really think about is when we do these strategies and assessments and things, what’s the value add out of that? Do they know what action now they need to go take, have we empowered them to take that?

[00:20:21.900] – Dusty Anderson
As we think back to the variety of CISOs, some of them are go-getters that are really trying to think cutting edge, understand the DevSecOps world. They already have grown up in this space, and they understand maybe a little bit more of the world of DevSecOps based on maybe their own career advancement into that space versus some may not be as familiar. Maybe they had a different background and now have been hired in into a CISO role, and they’re trying to learn and grow their own skill sets around trying to understand enough to support their teams.

[00:20:59.220] – Dusty Anderson
It’s a lot to take in as a CISO, and I don’t expect any of them to be experts across the security stack. You’ve got to be able to also rely on your team and rely on their expertise and being able to really hear and capture what their pain points are and then work with other groups on how you solve those. That’s where I like to come in as a partner to my customers because, again, they don’t have to be the experts in my domain.

[00:21:26.760] – Dusty Anderson
We just need to have that trusted relationship where I take into account is also your reputation at stake when you say, “Okay, I’m going to work with Dusty and her team on this to help me move that needle and certainly try and accomplish what is needed there.” We come in, we try and surgically really look at, all right, pinpointing, these are all the different problems. This is how we would close these gaps and work with them.

[00:21:53.760] – Dusty Anderson
Some CISOs are going to stay really involved and really engaged in that process and want to be in those workshop sessions and hearing their discussions. Others are like, “Hey, I trust you. I’ve got other fires to put out. While you’re doing that, I’ll be over here.” We certainly appreciate that as well and can understand there’s a lot of hats to be worn. It’s just get the job done together at the end of the day.

[00:22:15.100] – David Puner
Software supply chain security. It’s been in the news a lot. You’ve mentioned the high-profile breach previously in this conversation. How does DevSecOps help companies bolster their software supply chain security? What are some best practices you recommend for clients to mitigate these types of attacks?

[00:22:32.190] – Dusty Anderson
I think the biggest issue is that this access usually goes through pipeline without anyone noticing. You have to have application security testing and vulnerability hunting, again, for those weak credentials and weak authorizations. There has to be that process in place, because by nature, supply chain is trying to bypass identity controls for the need for speed. That’s the name of the game.

[00:22:59.890] – Dusty Anderson
You’ve got all these third-party services out there that are going undetected with a ton of automation and code available, whether it be APIs, open-source libraries. Developers are looking for ways to access that and make their jobs faster by pulling in those third-party sources and using that code or what have you in the environment. You have to be able to just find that balance of enabling some identity controls there and being able to recognize weak credentials or weak authorizations and protect yourselves from that.

[00:23:41.320] – Dusty Anderson
SolarWinds, too many people trusted the code was good, period. It was used by… What was it? 33,000 customers? It took too long for someone to say, “Time out, it’s bad. Don’t keep using it.” The ripple effect was enormous.

[00:23:57.130] – Dusty Anderson
The nature of what we do today, so much of it is unseen. I just did a webinar at the end of last year. That was a tagline that we used is for credentials seen and unseen, because I think that that’s really what the new name of the game is, is everything’s coming in undetected. It’s trying to remain as invisible as possible. This is where we’re at today.

[00:24:22.460] – Dusty Anderson
Being able to have some of those detections in place and scans in place to really look for those vulnerabilities at the beginning, again, not waiting until the end and then trying to hope for the best, but incrementally making sure that you’re looking for those weaknesses, that’s really what we have to do. It’s not a nice to have anymore. It’s a necessity in your security posture.

[00:24:47.960] – David Puner
I think for credentials seen and unseen, that’s actually a pretty good segue into the explosion of identities, both human and machine. How does that factor into the DevSecOps equation?

[00:25:01.790] – Dusty Anderson
I would say it is the DevSecOps equation, almost. Human interaction in a DevOps world is really what they’re trying to avoid. We slow things down when we’re hands on keyboard. The word manual process is really being replaced with the human process of any kind.

[00:25:21.540] – Dusty Anderson
We’ve got bots that are automating jobs and all sorts of automation tools out there being able to push code, do different things, AIs and explosion now. But all of those environments, even in cloud, they all have an identity and credential aspect to it. That part is not going away.

[00:25:45.450] – Dusty Anderson
As long as we continue to focus back on the identity of who, why, or what has access, and what will that access allow, if we can answer those questions and we give the thumbs up to those answers, then we’re thinking the right way. If we’re giving a thumbs down, but we’re giving it too late, then we’ve missed the opportunity there. It’s making sure, again, that we’ve got those checks and balances.

[00:26:10.330] – Dusty Anderson
But the ability to see and have that visibility to the who, what, and why, and how, and where can it go, that’s becoming increasingly challenging. We have to modernize our IAM’s posture to be able to get back into the space where we can see it all, we can govern it all because our world just got ever much larger. I think we all need to realize the perimeter is really just the identity and the credentials and how do you protect those best way possible because they’re prevalent everywhere and the sprawl is huge.

[00:26:47.860] – Dusty Anderson
Being able to cover your cloud assets is not just a single point in solution. I think that that’s where, again, we can get into a lot of complexity, if we overthink how many tools we think need to do the job. But then sometimes we underthink it and don’t do enough with being able to make sure that you have that full visibility and governance in those environments. That makes it really challenging.

[00:27:16.790] – Dusty Anderson
We still have a lot of customers that are focusing only on the human aspect. Every phase one starts with human, but then we stop. We need to make sure that phase two involves the non-human credentials and what are you doing next with that? Because we know that there are way more X number of non-human credentials and devices related to one identity.

[00:27:41.870] – Dusty Anderson
We’re solving just a small piece of the pie for only focusing on human identity as well. There’s just a lot to govern and you need to have the right tools in place to help you get there. If you’re only thinking about it from a very traditional lens, you’re missing that modernization and that journey, that digital transformation, if you will, that needs to happen.

[00:28:02.600] – David Puner
What’s the number one security challenge unique to non-human identities?

[00:28:07.780] – Dusty Anderson
The number one security challenge, oh, goodness. There’s multiple aspects of the non-human security equation that have to be looked at. If we take just service accounts, for example, I’m doing an engagement right now for a client that brought us in to help them identify and onboard or vault all of these security accounts out of 300 plus applications. It’s a huge project.

[00:28:36.460] – Dusty Anderson
But what they didn’t recognize was going to be that not every service account is made the same as the next service account. Even in one application, you can have a variety of service accounts and what types of access that they have. Maybe it’s more dynamic than the next service account and things.

[00:28:56.430] – Dusty Anderson
There has to be that element of discovery done, and it’s not always a one-size-fits-all. We have to be able to create those standards where there’s patterns that exist, but recognizing there’s going to be exceptions, but those exceptions also have to be managed as well. We can’t just put those to the side and say, “Okay, we’ll come back to those in 2024.”

[00:29:17.210] – Dusty Anderson
We have to certainly think about every application, every account type has its own unique path in our environment. We’ve got to make sure that we do the due diligence of understanding what point A to point B looks like, or is it point A, B, C, D, E, F, G, and all of a sudden, we’ve lost control of what this credential can do and how do we then bring it back to what is its function, is that least privileged, how can we make sure then that we keep it as such, and who can access it or what can access it in our environment and making sure that that’s always appropriate?

[00:29:55.820] – Dusty Anderson
I think we all are hoping for that quick answer, that silver bullet. It doesn’t exist, but a silver bullet approach and methodology can get you there to those standardizations and pull you back into simplicity for the sake of security as well.

[00:30:13.560] – David Puner
I’m glad you mentioned AI earlier. Automation like RPA and AI are getting more popular to the point where AI-powered tools can even write code for developers. What’s your take on the increase in automation in the DevOps space and how security can help enable these technologies without slowing down velocity?

[00:30:34.440] – Dusty Anderson
It goes back to code and automation still need credentials. Sometimes it’s privileged and sometimes it’s not, but it could be from supply chain libraries and services. Being able to still protect those credentials and understand what they’re going to do or what they give you access to, maybe not you, but maybe also someone else access to, is really still, I think, the main problem that we need to be looking at and making sure that we have a good solution for is recognizing these credentials are coming in from everywhere, and they’re being accessed by someone or something.

[00:31:11.660] – Dusty Anderson
We’ve got to make sure that we are creating a structure in place for that, standardizing how we manage those, creating the visibility there, the governance there to be able to thwart any attack or react much faster to something that seems off in our environment.

[00:31:30.490] – David Puner
More tools are getting added to the DevOps toolbox every day. How can security ensure that islands of security or vault sprawl isn’t occurring?

[00:31:39.150] – Dusty Anderson
Communication is one of the key things and making sure that they’re communicating what tools they’re introducing, and then also being able to have that centralized solution and creating those integrations to manage each of these tools off on their island. That’s really important. You can’t have a centralized solution that doesn’t offer those correct integrations that are going to get you the better controls and visibility into each of those tool sets.

[00:32:05.800] – Dusty Anderson
But being thoughtful about what tools you’re bringing into your environment, really important. Then being able to manage those and have that standardized strategy in place to centralize that, that is really important there. If you don’t have a traditional vaulting solution, that’s one thing, but you have to have ability to control and to monitor that access in place.

[00:32:29.600] – Dusty Anderson
Being able to do something is always much better than doing nothing. Allowing those islands to just continue to exist and everyone continue to manage things their own way, you’re leaving way too big a gap on the table.

[00:32:43.510] – David Puner
You had mentioned analysis paralysis in the context of clients needing to make decisions. I was hoping maybe you could tell us how analysis paralysis figures into your day-to-day with clients.

[00:32:55.600] – Dusty Anderson
Analysis paralysis. It is my type of timeline killer of a good, well thought-out project plan. I can appreciate clients wanting to trust but verify any advice, any ideas, any designs. But at the end of the day, we’re bringing experts to the table. We’ve lived this world. We’re in this space day in and day out in the trenches with our customers. This is what works.

[00:33:24.130] – Dusty Anderson
Analysis paralysis sometimes can really break down that wow factor of time to value when we’ve got customers that are wanting to see, “Well, what else could be done? Well, what else is not what’s on the table right now? What was on the table was fixing this problem?” This is how we’re going to fix this problem. Then when we close that, we can move on to the next phase or next work stream to fix the next problem.

[00:33:49.620] – Dusty Anderson
You got to start small, though, and then grow, and adapt, and understand. We love to do more of the pilot phase so that they can see and start understanding it and then think bigger, broader, faster, stronger. They just get overwhelmed too quickly in this space. I understand why. It’s a big space, but we really try and help them to not get stuck in that hamster wheel of analysis paralysis too often.

[00:34:15.990] – David Puner
Dusty Anderson, Managing Director of Protiviti’s Digital Practice, thanks so much for your time.

[00:34:21.900] – Dusty Anderson
Thank you so much.

[00:34:34.270] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts.

[00:34:49.600] – David Puner
Let’s see. Oh, yeah. Drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it are like comments. Our email address is trustissues all one word @cyberark.com. See you next time.