Video Transcript

- Hello and welcome everybody. I'm Mary O'Brien, general manager for IBM Security and I'm delighted to have the opportunity to speak here at cybersecurity's premier event. It's amazing how much our lives and so many aspects of our lives have changed in the last 18 months. As an industry, cybersecurity has also seen its fair share of that change too. And cybersecurity has proven its mettle and value to business beyond simply identifying and addressing threats. We've witnessed how cybersecurity is essential to help businesses maintain continuity and build resilience against unprecedented circumstances and challenges. And as we move forward in 2021 and beyond, I wanted to share two observations that offer a blueprint for how we secure our businesses for the future and how we grow as a cybersecurity industry. Firstly, I want to talk about trust. Trust is so essential to how we connect with our partners, customers, and employees. It really is the most basic, the most fundamental form of currency that we trade with those around us. The second thought I want to address is about community, and more specifically about the powerful force that occurs when individuals come together for a common cause. As organizations, when we lean into the principles of trust and community, we can do remarkable things. In a few minutes, I'll be joined by Mauricio Guerra, the Chief Information Security Officer for Dow Chemical to share how he is using an approach called zero trust to do just that. But before we get there, I want to briefly discuss zero trust. Okay, as an attendee of a security conference, I've no doubt that you've heard of the term zero trust. It's a term we use quite a bit in this industry. Zero trust offers a better way to address the complexity in security that's challenging our businesses today. Traditionally, security focused on building a perimeter of protection around valuable assets, and that worked well for decades while the majority of our valued as assets were inside a firewall. But that's not the way we do business anymore. Today it's not even common to have all of your users, your data, and your applications operating in different environments, and they all need to connect to one another quickly, seamlessly, and securely. At its core, zero trust is a multi-dimensional approach to addressing risk and protecting data where nothing is inherently trusted. Now, there are numerous frameworks from industry experts that tell you what security elements you need to implement zero trust and where to invest your resources to achieve it. But how do you put these frameworks into action that deliver results for your business? To help me answer this question, Mauricio from Dow Chemical will join me to share his approach. Dow is one of the largest material science producers in the world and operates from 109 sites across 31 countries with more than 36,000 employees. Welcome Mauricio, thank you for joining us. Can you talk to us about what this means for your role as CISO? What are some of your key responsibilities?

- Thank you Mary, great to be here. The CISO role at Dow has three main responsibilities. The first one is in the area of compliance, compliance with IT control. So we need to ensure that the company as a whole is in compliance with key framework regulations like Sarbanes-Oxley, and most recently a very critical one nowadays is the data privacy being GDPR, the critical regulation that we need to be in compliance. The second one is managing cybersecurity risk from identification of the threats to mitigation. And the third one is to ensure that Dow's digital capabilities are delivered in a secure way that is consistent with our company, with our company's risk profile. So those are our three main responsibilities. Challenging ones, but that that's what they CISO role encompasses.

- For sure, just tackling one of these responsibilities, Mauricio, is a significant undertaking in today's environment. Managing all three simultaneously has got to be quite the challenge. And I started off the session by discussing how businesses can establish trust with their users. And I briefly mentioned using zero trust as an approach to achieving this goal. Now I know that you're a big proponent of zero trust. So I'd like to ask you to share what zero trust means to you and why you felt the time was right to implement this approach at Dow.

- Mary, zero trust for us is a concept. It's an architecture, it's a framework. So we look more at what can we get from zero trust. And what zero trust is helping us managing the new environment, the new ecosystem that we have to support now. So, and I'm referring to the new reality of in a digital age when we have more users, more mobile users, we have cloud applications. We have IOT devices when our data lives everywhere, when internet is our new network. So we had to transform our cyber security program and practices, and the answer we found was the adoption of a zero trust architecture.

- Wow, and Mauricio, just tell us, what does good zero trust look like to you? To take this a step further, can you talk a little bit about how you got started? And also it will be really good if you could pinpoint why you chose that starting point.

- So we start by understanding Dow's digital transformation, understanding the business outcomes, therefore the priorities. Then it is specifically on zero trust because there are many, many ways to go. There is not a one size fits all approach for zero trust. So we decided to start with the zero trust network architecture because that's what we needed in enabling our users to have full access to internet. So all forms of internet, cloud, services, email, and so forth. So one of the first deliverables of our zero trust model is what we call secure access to internet. So that's a key one. Second where we have delivered a secure access to our different locations, replacing data tools that we have before. We are replacing our telecommunications network and zero trust is helping us to deliver an SD-LAN and SD-WAN solution. And the last couple of examples, being a manufacturing company, IOT support is a big priority for us. So we are designing and implementing secure models to manage all the new devices, sensors that we are implementing in the manufacturing space. And then finally, the whole area of conditional access and authentication. So all I know is zero trust is giving us the flexibility to support all the business needs, but in a secure way.

- Gosh, Mauricio, I'm sure that everything hasn't been easy. I mean, that's a lot. Can you talk a little bit about any of the roadblocks or the challenges that you've encountered and what you did to overcome them?

- That's a very interesting one, Mary, because, well first of all, as we lead the security space, the leaders, we decided to embrace the zero trust concept. Said, okay, that's the answer for what we need to do. But then we need to be in, how can I say this, in selling mode, we need to convince, we need to engage our IT workforce that that was the way to go, because this is completely different from what we used to do before with firewalls and in a firewall, either you're on or off. Now it's different. So we need to engage our IT workforce and then train the workforce to do something different. That's one good challenge. The other one is still, even though the concept is not too new, but it had been in the last couple of years that zero trust is gaining a lot of momentum in the industry. So still maturing, it's a complex journey to integrate different layers, different technologies. So for that it's absolutely critical that you pick the right partners to be with you in this journey. So I may say retraining your workforce and selecting the right partners are two good challenges in this job, have been good challenges in this job.

- I wonder if you could offer some advice to some of the other security leaders in the audience, the ones who are considering or actively implementing zero trust in particular.

- The main one I would offer is making sure that the security is a partner to your business, that you work very, very integrated with other IT teams, but also with business partners, and in particular around the zero trust, have a good roadmap. I mean, don't start doing this or that and then try to ensure that the whole thing fits together. Start with a roadmap, probably I'll suggest a three years view, what do we want to do in the next three years? Understanding that every six months probably, you will need to fine tune the roadmap. It might change business priorities, business realities, technology also change, but it is fundamental to have a good roadmap. Ensure that you know where you're going, your of course are aligned to that direction and that you can measure if you're making progress or not. That that for me is critical.

- That's fantastic, Mauricio. So plan what you want to achieve and have a detailed roadmap maybe over three years and be prepared to go back and revisit it to make sure you meet your objectives. That's fantastic.

- Absolutely.

- Yeah yeah yeah. So your perspectives have been amazing and they offer a glimpse to what we can achieve when we put zero trust into action, Mauricio. So I want to thank you so much.

- Thank you, Mary.

- It's clear that a zero trust approach done successfully will reduce the barriers to innovation by incorporating security and privacy into the design and development of new services. It will facilitate migrating to a modern infrastructure that provides customers and your workforce with secure, frictionless access to the services they need. And it will enable of prioritization of continuity and resiliency by facilitating context-based monitoring of both internal and external threats that would jeopardize the availability of critical assets and operations. Now, earlier I mentioned the need to change the way we think about and the way we implement security. Zero trust is a step in the right direction. But to get there, to make zero trust more than a point of view, we need to be able to work together. The APIs and the standards that are needed for products to work together seamlessly either just haven't existed or didn't work well. There are of course competitive concerns always. But when I stopped to think about all of the modern processes and collaboration tools that we at IBM, and many of you as well, have put into place to make running your businesses smooth, it seems only natural that security should take this collaborative step forward too. I spoke of the importance of trust earlier. Moving towards a more open model of security is a critical piece of establishing trust. With open security, you're no longer putting your trust in a single vendor or even your own in-house development team. Instead you have an entire community of experts, of users and other vendors that can support your security efforts. All looking at the same problems, all sharing methodologies, all reviewing the same code and making improvements, and all looking at the same threats and sharing knowledge. The result is a better security for everyone. Clients and customers get a more comprehensive resolution to security problems. They get better, more reliable products. And as vendors we can learn faster, we can innovate more, and pass along those benefits to our customers. We're all connected now in ways we could never have imagined a year ago. We come to these events as leaders looking to grow and secure our business, to protect our assets, and to strengthen our teams. But we're also part of a value chain of suppliers, and we're all consumers too. This is why we must get comfortable with being uncomfortable. Building trust and embracing community practices shouldn't be afterthoughts. They must be the guiding principles for the way we secure our businesses. Our business goals and the operations we define to achieve them are unique and individualized. This is one of the reasons why zero trust has been such a challenge to implement for so many. But if we reset, if we just reimagine the way we implement security, if we focus on open practices and collaborative methods, we'll be able to generate the valuable context that makes zero trust actionable and effective. We will connect openly, we'll manage cybersecurity proactively, we'll empower business to grow fearlessly and with total confidence. Thank you.