“Adaptive security enables organizations to accelerate at the speed of business while providing better protection for assets and responding more quickly and effectively to potential security breaches.”
Hi, Jim. Welcome to our Interview Series. Please tell us a little bit about your journey in the IT security industry and what inspired you to start Oleria in such a competitive space?
Thank you for this opportunity. I was fortunate to get my start in security early in my career working on internet payments technology at Microsoft in the late 1990s. Following that, I served as the architect for Microsoft’s PlayReady Digital Rights Management technology; the Chief Security Officer for Xbox and Xbox Live; and Corporate Vice President for Windows Enterprise and Security for Windows 10. These experiences collectively enabled my work to impact the security of over a billion users worldwide. In 2016, I switched from product leader to operator as the Chief Trust Officer for Salesforce.
Over the course of my career, I have witnessed a large number of organizations face security challenges as they struggle to manage their ever-growing security risks with tools that remain largely static and manual. Despite the enormous resources being spent on tools and people, I have seen several failed attempts at effectively managing access, and all of this ultimately drove me to start Oleria.
The last two years have accelerated digital transformation for businesses of all sizes and stature. Security risks have multiplied at an equally ruthless pace. What has been the biggest lesson for you when you look at the cybersecurity and threat detection domains today? Would you like to share your pandemic experience on how you managed to continue your business development work during these uncertain times?
The biggest takeaway for me from serving as the Chief Trust Officer at Salesforce during the pandemic is that we all need to focus more on cyber resilience by building systems that are adaptive to change. We had to enable our entire workforce to work remotely overnight when the pandemic first hit. This required us as security and IT leaders to work together to ensure that our systems had the capacity to support our entire workforce working remotely at the same time, and do so in a secure way. Even for a company that had resilience and business continuity plans in place and tested, this was a stressful time, but our teams were able to make it happen. Organizations without such plans were less fortunate. It is key for CIOs/CISOs to consider their whole vendor ecosystem when building a cyber resilience strategy. Some of the biggest challenges I faced during the pandemic were helping 3rd party vendors, small and large, continue their operations which were critical to my success.
Read More: CIO Influence Interview with Logan Welley, Vice President of Alliances at Fivetran
Identity and access management is a broad and complex problem for corporations with expansive networks to tackle. Can you describe in more depth the risk factors and access needs CIOs/CISOs need to consider when designing and implementing access policies?
With the transition to cloud and SaaS, our IT fabrics have grown more complex and decentralized. There is no longer an “edge” for teams to rely on to enforce security controls. We need to transition to an approach with central management but decentralized enforcement. Identity and access management are key to this kind of approach. A properly implemented solution will allow organizations to apply policy to the user, software, and device involved in any operation, enabling the service performing the operation to verify each is permitted to perform the operation subject to just the right access at the right time for the right duration.
What approach should CIOs and CISOs take to prevent data breaches and ransomware events in their organization?
For managing ransomware threats, like other areas of security, it is important to both implement preventative measures and ensure that you are prepared to respond should your preventative controls fail to prevent an attack.
For prevention, I would recommend starting with the basics, including (1) ensuring that you are regularly patching your systems with the latest security fixes, (2) implementing strong multi-factor authentication on all of your accounts and (3) deploying an endpoint security solution. Next, it is key to remove unneeded or unused permissions from accounts. Doing this will reduce the impact of any account compromise that does occur as a result of ransomware. We founded Oleria to enable companies to achieve this with our adaptive and autonomous approach to access. Finally, train your users on how to spot phishing attacks and implement an email security solution.
For response, start by building a response plan. Ensure that you have all of the right stakeholders involved and that you are clear on how you are going to make decisions and who the ultimate decision maker is. Test your plan regularly with your team, senior executives, and board of directors. Ensure that you have offline backups and regularly test the processes for restoring from backup. Finally, the ransomware threat continues to evolve, so it is important to monitor the latest information to ensure you are adapting your prevention and response approaches to keep pace with the threat.
How does a company like Oleria fit into a modern CIO’s risk management/ disaster prevention technology stack?
Oleria works in concert with a company’s Identity Provider, HR Information System, and enterprise applications to help CIOs/CISOs discover access risk and ensure that accounts have just the right access for the right time for only as long as needed. Even if you have an existing identity governance tool, Oleria can help you use it more effectively.
How would you define “adaptive security” management from a modern context? What do CIOs get when they include adaptive security measures in their policies?
For us, adaptive security refers to solutions that utilize contextual information such as user behavior, location, data classification, and risk to make security decisions consistently and continuously – all while ensuring that business users and teams have just the right access when they need it, for only as long as they need it. CIOs who include adaptive security measures in their policies can benefit from improved security outcomes and greater flexibility in responding to emerging threats. These measures include things like removing permissions from users or groups, disallowing certain operations, alerting security teams, and flagging operations for future audit review. Overall, adaptive security enables organizations to accelerate at the speed of business while providing better protection for assets and responding more quickly and effectively to potential security breaches. But restricting inappropriate access only solves part of the problem. Oleria is focused on providing more efficient and effective access to business teams, allowing the CISO/CIO to become an even better partner in enabling business outcomes.
Please tell us a little bit about your core offerings from Oleria? Which set of customers / business titles are you targeting to expand the reach of your products?
Oleria is a SaaS-based access solution that enables CISOs/CIOs to ensure that organizations allow just the right access at the right time for only as long as needed. Our platform integrates with Identity Providers, HR Information Systems, and Enterprise Applications to comprehensively view an organization’s access. Our ideal customers are commercial and enterprise organizations across all industries prioritizing data security and compliance and looking for a modern, efficient, and effective approach to managing access.
Our solution helps organizations identify and remediate access risks, provides insights into the current state and utilization of access, and offers recommendations and workflow automation to adapt access to the organization’s needs while maximizing data protection. Oleria’s solution unburdens teams from access operations tasks and improves the accuracy of decisions related to access control by providing insights and context.
Your take on the new buzzwords in AI-driven application development and coding workflows for security management: how do you see these trends impacting enterprise security governance and data protection:
I believe that AI will have an incredible impact on how we develop applications from accelerating the work of developers to helping discover hard to find security flaws in code to monitoring operations for indications that services may fail before that impact is felt by customers. It will take time for these impacts to be fully realized and there will likely be bumps in the road along the way. Leaders responsible for security need to consider both the positive impacts of AI like improved vulnerability discovery and operational resilience and the negative impacts such as enabling attackers to create more context rich targeted phishing campaigns or automating the development of software to orchestrate attacks for actors who would otherwise lack the technical sophistication to carry out such attacks. Unfortunately and inevitably, bad actors will increasingly leverage AI to create new and evolving threats, which amplifies the need for an adaptive approach to security like we are creating.
Read More: CIO Influence Interview with Andrew Hollister, Chief Information Security Officer at LogRhythm
What is the future of IT risk monitoring with automation solutions? How CIO’s decision would help in upgrading the next generation of digitized intelligent automation tools?
As we all know, organizations spend millions in direct costs remediating constantly evolving breaches. And that doesn’t even account for the intangible impacts to the organization’s brand and the loss of customer trust. At the same time, we are witnessing a proliferation of digitalization, SaaS, AI, and other technologies that provide a new attack surface for bad actors. So, this has become and will continue to be a boardroom issue. Strategic CIO/CISOs should constantly evaluate ways to improve the automation level across their portfolios. Adaptive automation approaches are more effective, reliable and efficient than traditional approaches, especially those requiring manual intervention. Identity and access management tend to be the most manual areas remaining in security programs today. At Oleria, our team is building a solution to help CIOs/CISOs transition to a more adaptive and autonomous approach to access that not only provides dramatically improved protection but also liberates business outcomes, ultimately enabling organizations to prosper while providing the peace of mind that data is protected.
Thank you, Jim! That was fun and we hope to see you back on cioinfluence.com soon.
[To participate in our interview series, please write to us at sghosh@martechseries.com]
Jim is co-founder and Chief Executive Officer of Oleria, where he drives company strategy, vision and growth. Alkove is a tech industry luminary, with nearly 30 years’ experience leading security for some of the world’s largest companies. Most recently, he served as Salesforce’s Chief Trust Officer, and spent over 16 years at Microsoft, serving as Chief Security Officer for Xbox and Corporate Vice President for Enterprise and Security in Microsoft’s Windows and Devices Group. He also held security, privacy and product engineering leadership roles at Google Nest. A formidable force in the security space, Alkove currently serves as strategic advisor to numerous startups including Aembit, SafeBase and Snyk. Jim is an inventor on 50 U.S. patents. He earned a degree in electrical engineering at Purdue University. .
For liberators of business outcomes, Oleria is the only adaptive and autonomous security solution that helps organizations accelerate at the pace of change, trusting that data is protected. Founded by cybersecurity industry veterans with several decades of experience building some of the world’s largest security solutions, Oleria allows organizations to pursue their best ideas, removing the barriers that keep team members from collaborating. Oleria sets business free.
