
thank you everyone for being here today um this is uh really a treat for me to be able to be here as part of bsides dublin although i wish very much that i could have been there in person you know having a pint of the black stuff with you but unfortunately you know things being what they are it has been an interesting year to say the very least so i am going to be talking today about trust and a lot of this really centers around the core of what we all do as security practitioners now we've talked a lot about uh things today that we're talking about you know clicking on emails or you know different types of
confidence scams and things like that and it's been amazing to see what we have seen over the course of the year where people have been you know taking advantage of folks because they are working remotely and things of that effect and we were promised you know a brighter future unfortunately we didn't get quite what we were looking for but i i think that we will definitely improve over time so see if i can get that going there so speaking of time um yeah i got that right finally uh this morning i tried to join in to do give my talk four hours early yeah so when you have big bold print across the top of webpage
even security practitioners do not necessarily read what is in bold i really do miss the blink tag from days of old so who am i um as you know anthony was saying at the beginning i do appreciate the intro typically now i don't do intros because it's more about talking about information that we can share with each other as opposed to who i am if you really are oh that's a little odd there we go that's better if you really want to talk more about uh things that i do uh there's my linkedin you can always contact me and that information will be available at the end of the talk as well so when we're looking back
uh this ugly little mutt was actually the star of the show for my keynote that i gave at bsides dublin three years ago and what the whole idea there was we were talking about you know the dog that caught the bumper and the the point here was security practitioners are now getting to that point where we are seen as one of the adults at the table and i think it is really incumbent upon us to make sure that we don't mess it up and i think we're doing a good job i think we really have had a strange opportunity in in light of the pandemic where we could be there as a voice of reason for dealing with remote employees
and helping them understand how to better secure their environments as well as secure themselves and we have to make sure that we also look at things like the human element trust is not a permanent state and we have to make sure that we are building that trust with the end users because we've got to take a moment to realize that most of the people that are working remotely before the pandemic maybe they would work the occasional friday and work the occasional friday and we have to realize that this is not what most people are used to even a year in we have to make sure that as security practitioners we are further building on that trust
so let's move on from there now back in the 70s yes the gray is real back in the 70s one of the things that i was very very interested in in the back of the comic books was there was this ad for x-ray vision glasses i absolutely had to have these glasses i was like after my parents i said look i really really need these how can i get these i have the money i'll give you the money how do i send it they fought me at every turn at no point did it occur to my young brain that this was just a piece of cardboard and a pair of lenses but i needed to have this because i
trusted that it was an ad in the paper i trusted that this was real but it turned out not to be the case thankfully i never did get these x-ray specs but i do get to look back fondly at the silliness that was my point of view in the world a little later on i was into my early teens yeah i started reading comic books again and in the back well there was the switchblade comb this time i actually did send money um i think i was 11 at the time to be honest sent cash in an envelope and i would never dream of that these days but back then didn't even occur to me that
somebody would have swiped the money but they didn't they sent me the product it was switchblade comb as soon as you take it you would click the button it would swish open and i thought oh this is awesome the second time i did it the comb went flying across the room and i was like well that was three dollars well spent i had believed that this was going to be a solid product didn't occur to me that three dollars was not going to get me anything worth anything but that's just it we get this sense of trust that we build up whether it's real or not we have to make sure that we are understanding what is real from a trust
perspective when we were kids we were promises were made if you were reading popular science or popular mechanics or anything like that early on there was always talk about you know personal jet packs being able to fly everywhere um those were the days right but the thing is we really took that to heart in a lot of ways and we have to make sure that we are not getting lost in the perception of what we think it should be and look at the reality of what we have to contend with and as security practitioners we do have a rather bad habit of you know battling amongst ourselves and i think that this helps to erode the trust that we
are trying to build in the wider audience so anyone who's ever been on social media understands the dumpster fire of inhumanity that it can be at the best of times but there's also good to be pulled out of as well of the interconnections with each other we have to make sure that we avoid sliding down that slope into negativity which is unfortunately far too easy to do we got to go beyond where we have been to this point so when i was in a role many years ago i remember we found a security vulnerability in our organization that was going to stop a major product release i was like this is really really bad we
went in to talk to the cio we figured out a solution before we got to them and we said look you know everything's on fire this is why and this is what we have to do and he said okay i don't care if it's on fire i don't care if there's a zero day i want to know what the cost is the organization what's the risk for the organization what is the expectation of loss i had to go i hadn't really thought about it in those terms at that point i just knew that this was really bad and that things could go horribly horribly awry so i had to reframe the conversation and in order to do so i had to work at
imparting to the cio what it was that i was really worried about and why this was a concern and he gave me credit for coming in with a solution but he had to have that explained to him in a way that made sense because it was about reducing risk the organization that would have fundamentally been a catastrophic failure but coming in with my hair on fire saying ah it's all bad wasn't going to get the job done so we got to look at the tools of the trade that we have to contend with we have always been very keen about nmap and all the rest of it all these different types of tools writing powershell scripts whatever it
happens to be we all have our tool sets to get the job done one of the things that we tend to shy away from collectively is what is typically called soft skills and that's always sounds like it's you know detracting from the term it's not it's about understanding how to deal with each other how to deal with humans how to communicate because we need to build that trust and in order to build the trust we have to use the tools that may not be a script may not be an application maybe just learning how to communicate with each other we also have to look at this in terms of you know if there was a breach in your
organization how are you going to communicate with the wider audience who are you going to talk to who are your stakeholders how are you going to speak to those stakeholders in terms that they'll understand and they don't get lost in the fear uncertainty and doubt now when we look back and what i was talking about a few moments ago about you know buying things out of the back of a comic book that could have gone horribly wrong for me insofar as i would have lost my money and i would have been a rather dejected 11 year old but today we see attackers that are playing on this very much on purpose we look at for example dark
patterns in user interfaces when you have a user that is using a tool you want to make sure that they are able to use it even if they're not technically adroit if you're giving them a tool written by engineers for engineers you're not necessarily going to get the results you're looking for and when you're looking at dark patterns and user interface design you're also looking at you know the speck of dirt on the lens or on the glass which it looks like but it's actually you know a flaw in the image that somebody may inadvertently touch and then suddenly they've clicked on something they never had any intent to do so a great example of this was uh cory
doctorow posted a couple a few years back now if you'll notice in the circle on the uh slide there's a little speck of dirt there or what appears to be so when people would click it it would actually click the ad and go to another resource that the user never intended to do this is why users have over time built an innate distrust for many things online because attackers do play on this they do find ways to make it as difficult as possible for people to trust so we need to build that framework so that they can better understand how they can do things safely and securely so there's different types of excuse me different types of dark patterns we look
at the bait and switch uh confirmshaming and things like that trick questions i've had exams with questions that were innately wrong but they were trick questions in order to get a response and they wanted to see how we responded didn't care for that much or the bait and switch you go to buy something on ebay and it's like oh product a and then the seller comes back oh product a's actually sold out right now but we'll give you product b for the same price it's like these are the reasons that people lose their ability to trust another techniques are you know in intuitive ui abuse like the you know hidden image file that is on there or the x that
isn't an x if you go to click it it actually activates an application as opposed to closing the window as security people we hope that we're going to not make these mistakes but we do make these mistakes look at me i missed uh showed up four hours too early for my talk um i blame my pto but as we're going through it we're looking at this this sort of ui abuse like different types of colors and things like that that are used in applications or web pages is pervasive and i've had screenshots that my 75 year old mother has sent me where i i would have got it wrong and she's looking at and she's like there's
something just wrong here which is speaks volumes to the fact that she now listens to me and it only took you know quite a long time um but it's really great that she is now suspicious enough that she's like questioning what is this and how can i trust this particular website the goal here is we want to make sure that security decisions are in their best interest and them being the end users and ourselves as well we don't want people to make security decisions based on the fact that oh wait i'll get a 200 gift 200 or 200 euro gift card from amazon yet nobody's going to give you that that's not going to happen you fill out a
survey they're not sending you that they say oh you have a chance to win that's different but if they say we'll send it to you that's where the red flag should be going up now malicious design is definitely a key piece here um you know and this is one of those things where users are going to not see it like what the screenshots that my mother was telling me where i would look at it and i'm like this is entirely intuitively wrong but only a designer could see that you want to make sure that this isn't something that is a pervasive issue we have to find ways to better communicate to the end users and provide them tools to keep them safe
and secure as well we need to make it harder for the attackers to do their job because fundamentally we can't trust ourselves how does that might sound we have to find out a way to structure this so that we are saving ourselves from ourselves because we do make bad choices let's think let that sink in for a second because we have our bias whatever that might be we'll say oh no i'm not biased everybody's biased it it's just that is their view of the world that is their particular bias that may skew data in in a survey that may skew data in a focus group that's not necessarily a bad thing but you have to be aware that it exists
and the same thing can be had when you're talking about artificial intelligence as an example you'll have biases that are built into it using algorithms because the algorithms are written by humans so we've seen examples where bad things can happen amit elazari excuse me elazari she came up with a proposal of a bug bounty for bad algorithms and you know what i absolutely agree with this this is an absolutely fantastic idea because we have seen applications that would mischaracterize people based on facial scans or whatever it happened to be of their images and they would get them categorically wrong was this malicious to be determined but in a lot of cases is mainly just people didn't do it right they didn't
write the algorithms correctly and these are the kind of things that really really resonate with me those things that we have to address to help improve the trust factor with the end users because otherwise we end up with instead of capabilities and incapability of the inability to get things done in a safe and secure manner and to further improve things on a global scale and when i say that look at the pandemic we are dealing with right now we're a year in and by and large we're still muttering along can you imagine if this had taken place in 2003 would we have been able to get things done sure but nothing to the scale and
efficiency that we have now um and that's one of those things that we have to be sure that we realize that how far we have come in a short period of time because sars back in 2003 i had to contend with it when i was dealing with the power company not that i got it that we had to prepare the company for it and when we were going through and looking at all the documentation looking at everything we realized that how flat-footed we had been caught out and how horrible things had gone if in fact it was something akin to what we're dealing with today with covid you look at the business continuity and the dr documents and things like that
and the vast majority of them say oh you know just pop around to the shop and get x number of laptops in the event that our building is hit by a meteor that doesn't scale and security geek experts we make mistakes we all do um everybody makes mistakes and this is a great example here this is an article written by david spark where a former security person became a developer and started his own company and made a lot of basic security mistakes i won't name who this is is not the point of this but that's just to show that we're human and we have to be aware of this and we have to build frameworks that are
going to further improve things overall now another example of how things can be messed with is corrupting data we always talk about websites being breached and dead and mainly stolen but what if a website was breached and somebody just altered a little bit a financial institution here in canada quite a few years ago now they promoted new code into production everything worked in test but when they promoted it to production it failed and it catastrophically failed and they were out for six days because there was one semicolon in the wrong place took down the whole website these are the kind of things that we don't often take into account we have to make sure we have a good way to address these sort
of things an example here with david satter this was an example where there was a data leak of emails and it was made to look like he was actually working with the cia and again this wasn't actually the case this was somebody had changed the data and this is this subtle you know changes in data in order to change the narrative is another problem that we have to contend with as well
and here's another example here with a changes to a document as well that changed these texts well the the look you ever have that moment where you trip on your tongue yeah this is it um that changed the meaning of the information that was released and this is really about denial of trust and we have to figure out ways to defend against denial of trust because if the users don't believe what they're seeing and if they don't believe how can we get them to do things in a safe and secure manner if they are just of a mind that everything is wrong and everything is horribly broken if we're able to trust ourselves and then we earn that trust from
others that is a way to build things going forward but as we've seen with you know ordering out of comic books of dark patterns things like that we fundamentally can't trust ourselves so we have to find ways to help ourselves to trust ourselves and that sounds a little bit odd but bear with me so how do we earn that trust well we do it with honesty transparency predictability capability willingness to correct mistakes like showing up four hours early and falling on your sword for it and accountability these are things that we can fundamentally take into our everyday lives to improve things when you have something like a community like bsides dublin you have the ability to come together as
a group as a family and share how we can improve things going forward remember when microsoft came out with the trustworthy computing that really did change things for them it was a you know stake in the ground they said this is what we have to do to improve things going forward and it worked microsoft has done a very good job on security in the intervening years and this is just an example of many where we can show how we can improve things overall for the wider audience so people like to say horrible things about zero trust i've heard them all but the core fundamentals behind zero trust are ones that actually make sense it's built on actual
actionable info you know network zone segmentation users device management all of these different types of things to help layer security controls into your organization and zero trust while it was a buzzword that came out in 2010 ish it really has served its purpose it got people to pay attention so how do we move on from that well we have to say yes that was a good starting point but we got to build on that so i gave a talk in singapore a couple years ago where i got up on stage and i talked about zero trust and half the audience had no idea what i was talking about and that really surprised me because i
naively thought because i had my bias that everybody was talking about zero trust in some form or another i was wrong and when i had that conversation after i got off the stage with a few people they actually found it very negative to call it zero trust i took their point it does have a bit of a negative connotation so if you can take the same thing and then call it something like continuous trusted access then it actually seems a little bit more fluid a little bit more sensible for people going forward in the long term now when we are born we default to trust this is what we have to do in order to
survive as an infant we're looking for food we're looking for shelter we need to do this we need to trust folks but in the world of the internet we really have to take our time to make sure that is trust but verified and verified again there's a great book by malcolm gladwell called talking to strangers he really delves into the communication breakdowns that happen between individual groups individual people and how you can better bridge that gap so we as security practitioners while we were having the rallying cry a couple years ago of being the adult in the room now we have to be the great communicators we have to find the way to have the
conversation with the wider audience we got to get away from navel gazing because when we're talking amongst ourselves that's all well and good but if we're not communicating to the wider audience one we're losing that ability to build the trust with the wider audience and and you know establish ourselves and our bona fides i always have to work in my coffee bricks
thank you for smiling anthony i saw that so we want to make sure that we're not trusting something simply because it's inside the firewall this actually happened to me at a company i worked at quite a few years ago quite a few years ago actually we had a vulnerability test that was done for the external um and the attacker said you know here's all the the official attackers said here's all the things that we have to contend with all the things that we have to fix and the inside of the network was a flat network and you could basically go anywhere the cio said that didn't really matter he said fundamentally we trust everyone
who works here in hindsight i know there was at least two people there that we shouldn't have been trusting out right but i won't go any further down that road but this is one of those things that just because you are you know part of the same organization you have to make sure that you're taking steps to secure that organization sure you may trust them you may go out for a pint with them afterwards after work but whoops has happened and it might not ever be any sense of malice that something goes awry but we have to make sure that we are putting a framework in place to avoid those sort of issues you know passwords i love to beat up on
passwords it's the same thing as if you put your house key under your doormat when you go to work knowing that your kids are going to get home early so they can get in the house but the attackers know this too so just because you know that your child is going to use that key doesn't mean the attacker isn't the one coming through the front door to you know rob your robbie and take yourself these are the kind of things we have to make sure that we're doing a better way to improve authentications trust is about granting access without verifying we're born we're looking for food we're crying we just accept that our parents are our
parents but trust about granting access because you're verified is an improvement beyond that so as we grow older we learn more we become hopefully wiser i'm still working on that but these are the kind of things we need to address because the erosion of trust is all around us we have psychological operations units that are going online all the time there was one that absolutely floored me just 48 hours ago i was reading about it where this person was saying that their relative had gotten the vaccine had gone blind but the date that they said they had received the vaccine was at least a month before any vaccine was even available also as one of those twitter accounts
with all the numbers at the end so it's like high probability of being a fake one to start with then we have to look at data misuse you know there are so many organizations out there that are always constantly harvesting information how are they protecting that information and we've seen talks today where people are talking about homomorphic encryption and different types of ways to breach different web applications and we have to make sure that we are constantly iterating through to improve the security of the organization because this amount of data that we're collecting is of value not only to the organization but to the criminal element as well if they're able to get their hands on this
virtually um this information could be a huge boon for them financially and then there's the ever-present data breach data breaches we've been dealing with them forever i mean back in 2012 i started tracking them on myself on the back of the napkin because i found it really odd how many they were ticking upwards and now if you go to sites like i've talked about this in the past informationisbeautiful.net if you look at their site it's absolutely stunning they have a visual representation of data breaches there which is really something to see we can do better than this so how has trust become an attack system we look at integrity attacks you know subtle avert corruptions of data
so you're changing that one character in the data to take down an entire website and then accusing somebody of a data breach how often have we seen certain people in the industry say oh does anybody know somebody at this particular company i have a question usually everybody goes nuts it's a data breach it has to be they wouldn't ask otherwise meanwhile it's just like no i got my card stuck in an atm and i just want to know how to get it out we have to make sure that we take a step back any time we see any sort of issue and say okay what is occam's razor as applied to this and what is making the most sense i've
seen entire websites go down where people are like it's a breach and they're screaming at their top of their lungs i'm like having worked in organizations where i had to maintain uh websites for large corporations for better part of 20 years i know more often than not it's like something just went wrong a system failed whatever it happens to be it didn't fail over cleanly we got to make sure that we're not just running around with our hair on fire if we want to look at how to improve things we got to look at some of the core tenets we have to look at you know yet another triad we always heard you know confidentiality
integrity and availability sure that was a great back of the napkin last minute addition to a deck that we're still dealing with today but a simple way to look at when you're protecting an organization is about you know how do you protect the users how do you protect the devices that are attached to your network and how do you protect the applications that you need to protect your organization zero trust or continuous trusted access is a really good way to look at this when we look at our ecosystem everything we have to deal with it's actually stunning how many holes there are in the perimeter that we once knew so the perimeter as we knew it in the
past is gone let's be completely honest with ourselves um being an archaeology student believe it or not uh before i ever got into computers you know there was a story that i always loved to tell where the visigoths sacked the city of rome and they did it by surrounding the city and waiting until they ran out of supplies they didn't fire a shot not a single arrow not a single rock they just waited it worked the romans ran out of food they opened the doors the visigoths took the city nowadays we've you know bearing in mind that was two thousand years ago give or take um we have shown that that traditional perimeter approach is a broken methodology we have to look
at things about you know where is an access decision being made as the perimeter now zero trust love it or love it or hate it that term has some merit um more so the meat behind it as opposed to the name we have to make sure we're getting back to the core fundamentals all of the things that we should have been doing for the last 30 years network zone segmentation and what have you look at this we're here we go through the steps here establishing trust in your users are the users in your environment the ones that are supposed to be there or are you running based on passwords and somebody left a sticky note in an
airport lounge which i found more than a few times and then gaining access to resources if i was someone of a negative bent there are many different companies i could have had access to there there was a company in the past where i was able to get access to all of their software repository because they had a username of admin and a password of license one two three that just breaks my heart so once you have the trust in the user identity you wanna make sure that you're looking at the devices that are attaching to your network is there some canadian coming in with an xbox first generation using that for ssl or is it a corporate
owned asset that's supposed to be attaching to the network i may or may not have done that you want to ensure the trustworthiness of the devices you want to make sure they're patched to current or n minus one and then have policies that you can apply if you have somebody in finance that is suddenly showing up in toronto canada and all of your operations are in ireland you may want to have a question you may want to say okay wait why is this happening as you go through this as you iterate through you get closer and closer to continuous trusted access type of mindset framework whatever you want to call it it's all about reducing risk it's not
about some sort of flashy logo or sticker or nice t-shirt you want to make sure you're reducing the risk in your organization because we all have a fiduciary responsibility to protect our organizations to protect our assets to protect the people that we are there to champion you want to go through and verify the users verify their devices and verify the applications because the applications are really key especially now that we have pivoted to basically a remote workforce for the better part of the last year around the world so they're getting their email from saas based implementations there are things like salesforce whatever you have all web delivered if you are not marshalling controlled of access for that
you are really opening yourselves up to potential problems so if you have you know dave sitting at a tim hortons in toronto canada accessing your servers in dublin because i could get direct access to it and i found the username password this is a problem so we have to look at reducing that risk and doing a better job of that because the attackers will love to well that slide blew up so the attackers are going to try in any way they can to get in because they're it's about financial gain at this point um back in the days of zone h and all those other aldos and all the rest of those uh web boards would said
um you know greets to my friends i hack your website hahaha and you have all the screenshots of that that has evolved into big business and we're talking millions of dollars so why make it easier for them if you have the ability to if they have the ability rather to get a username and password that's part of their job done if you can do something like multi-factor authentication biometrics anything like that anything that makes it more difficult for the end user that's great there's an open standard i'll say that again an open standard by the w3c called webauthn or about webauthn rather if you take nothing else away from today that's actually an excellent piece of
documentation to read because it's an open standard and it is a way to move forward to what is extensively called a passwordless feature a way to do authentications that will obviate the need for passwords so there's your homework assignment i'll just keep going from there and you want to make sure that the devices that are attaching your network have good hygiene because you don't want to introduce problems that don't have to be there and with this remote workforce that we have to contend with on a continuous basis we want to make sure they're not inadvertently introducing problems that because they were not connecting their laptop for long periods of time that they suddenly had a you know
library that didn't get updated attacker was able to breach them with an email you want to make sure that you are not making that easier for the attacker because if you take every portion of the business and drop them into buckets you have the workplace the workforce and the workload three core components of your organization fundamentally you can put everything in the people the devices the applications and we want to make sure that we are approaching this in a way that we're going to put our arms around it to better secure our environments we have to make sure that we're dealing with user trust you don't like i i tell this over and over again
but this one organization i worked at we did a quick assessment of well not quick assessment an assessment of all the user accounts in our organization and the reason i tell this every time is because this is just absolutely gobsmacking to me we had 10 users with super user status one was deceased had been deceased for five years but their account had been used in the last two none of those 10 people were still with the organization i apologize to people who have seen me talk about that over and over again but this is just one of those things i used to hit the point home then you want to do discovery you want to go through your network go through
your organization and look at what you have connected to the wire because i guarantee you it's not what you think it is i know because when i had to do a roll out of a particular antivirus client i found there was at least double the number of nodes on the network than our inventory thought there was you want to have the ability to trust the nodes that are in your organization it be the remote or in a building one day hopefully you want to be able to be assured what it is that's attached to your organization and if you have an untrusted device that suddenly shows up on the network you want to be able to be aware of it
and be able to address it as well how trustworthy are those devices that are attached to your network have you gone through and looked you know is dave coming in on that xbox again yes i did do that in one organization and yes they did try to get me fired for that but i was showed them i was doing security testing because i was a security guy anyway suffice to say nobody knew until i told them and i guarantee that sort of behavior happens all over the place and this wasn't a case of me trying to be malicious it was a case of i was like oh wait there's a web browser in here will this
work and by and large a lot of the whoops factors happen because of stuff like that and then there's security debt everybody and every organization who's ever worked has at least seen one of these the beige desktop on or under a desk that is running a mission critical application written by a summer student that nobody knows how to port it off of there but they can't let it go down this is a problem and i use this as an example because this happens in organizations over and over again we have to make sure we're building trust in the users but we also have to give them the tools in order to establish that trust so if you're running on deprecated
hardware deprecated software you are really setting yourself up for a possible cascade failure as we've seen with multiple types of supply chain issues over the last few months you want to be able to enforce adaptive policies in your organizations so that you know somebody in finance is not suddenly doing maintenance work on a back-end system or doing changes on a router i actually have been an organization where we did have a cfo making router changes because he got tired of waiting for a change request yeah that went well and the types of policies that you want to look at you want to like what makes sense for your organization don't let any vendor come in say you
have to have this with the blinky lights no what's your list of requirements what are you trying to save in your environment what are you trying to protect so if you have the ability to spec spell that out before you talk to any vendor that's a huge win i've had vendors in the past that came in to see me when i was on the other side of the phone and they said oh yeah our particular software will protect your applications and i was working for a power company and i said okay well we're running systems that are Tru64 the you know unix variant and this is will it work on there i was like oh yeah it'll work on Tru64 232
no problem no such thing so this is one of the things that's why you have to have a clear defined list of requirements because sometimes people will sell you anything just to get into the door so we have to make sure that we are pushing back and having a larger conversation with folks because it's incumbent upon us to raise all boats and if somebody out there is doing something silly we need to call them on it and i mean that gently because we can improve and we have to make sure that we're protecting every application out there that we need to access because we need to keep the lights on now back in you know february march time
frame when all of this started going sideways we realized very quickly that you know there were times where we had to make judgment calls we had to make sure that we were looking at how we're going to improve things for the organization by accepting risks that we would not have otherwise accepted because we had to keep the business going sorry a little thing blink on my screen there so we want to oops we want to make sure that we are protecting all of those applications keep the lights on but when we make those risk-based decisions and we accept those risks that we go back and revisit them because otherwise they too will help add in to the security debt that we can
accumulate over time we need to make our own jet packs that might sound trite but we were promised so rather than waiting around for somebody to deliver it to us we need to do a better job collectively and i see that security practitioners we have become you know the voice of reason in many organizations and i think that this is only going to continue as long as we realize that we need to be the adults we need to have the conversation about risk we need to conf you know conv have the conversation in the lingua franca that the people we're talking to understand trust is neither binary or permanent we have to make sure that we are constantly
working to maintain that what happens in a community without trust what happens in a society without trust everything falls apart we can't afford that we need to be staying sticking together seems like double the slide we have to go through and reinforce that trust with prevention detection and correction these are the things that we need to make sure that we're constantly iterating through because when you're looking at a continuous trusted access or zero trust or however it makes most sense to you we have to be constantly iterating through there's no end state that you're going to get to where you're going to be zero trust certified that flat out doesn't exist but it is a way to reduce risk in the
organization and improve things over the long term continuous trust access data validation transparency accountability these are all good things pineapple on a pizza not so much yes we invented that in canada yes we're still sorry trustworthy data and systems can't be separated from you know trustworthy people we have to make sure that we are working on how we can best validate all of this because let's be honest mistakes are going to happen i know cheap shot couldn't take couldn't resist but it is kind of an evergreen statement we can all look towards a brighter future as we're going forward and i would like to thank everyone here um at our BSides Dublin and hope that i
can be there in front of you again sometime in the future to you know raise a pint of the black stuff at the very least but thank you all today for your time and i really do appreciate the chance to be here thank you
thanks very much dave it was uh nice seeing you twice today the talk was great and and you know you've opened up a pandora's box now because once these videos go up on youtube for for the general public there's going to be a brand new type of business going on where they're going to be offering zero trust certification the company so thanks
if they do that i will have a serious nasty conversation with them
that's brilliant i'll give people a minute just to see if there's any questions there's nothing in so far
no worries they can always drop me a line
but lots of people saying thanks they love the talk so the feedback is very good people were delighted to see your your slide with the unicorn coffee so we got that going
awesome that's brilliant eh thank you again and hopefully next time in physical proximity i would like nothing less