Threat Vector 10.9.25
Ep 88 | 10.9.25

Securing Modern Workforce

Transcript

David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, senior director of thought leadership for Unit 42.

Harish Singh: So we believe the real opportunity is in making security invisible yet powerful. So it has a very deep meaning, okay? The security is invisible yet powerful, so that people can work freely. This consists of user satisfaction, user experience, so this is something what I will tell, and this is what we practice. [ Music ]

David Moulton: Today I'm with Harish Singh, vice president and global head of infrastructure and application management at Wipro. Harish brings decades of leadership experience across financial services, tech consulting, and infrastructure strategy, most recently helping Wipro clients modernize and secure their environments for a hybrid-first, app-centric world. Today we're going to talk about security complexities that emerge as organizations adopt SaaS at scale, re-architect infrastructure, and try to support dynamic workforces, all while balancing user experience, automation, and emerging risks like GenAI data leakage. [ Music ] Harish Singh, welcome to Threat Vector. I'm really excited to have you here today.

Harish Singh: Thank you, David. I'm also very excited to be part of this.

David Moulton: Talk to me a little bit about your journey through banking, tech services, and infrastructure leadership, and how that's changed your approach to cybersecurity.

Harish Singh: So that's a very good question, and to be very frank, David, I've been in banking for the last 20 years, that's two decades, and I've seen a bank from greenfield to becoming a brownfield bank. So that was a journey, what I have done with the bank, and so I know how unique that experience was, how I managed all the risk, the compliances, the regulations, and the resilience for the organization, being always part of the infrastructure side of the domain. Having led large-scale digital transformation along regulatory environment of banking, I have firsthand experience how secure, compliant foundation enabled both growth and innovation. Today, in my experience, my approach to cybersecurity is balancing protection, agility, user experience, and regulatory adherence, at the enterprise scale.

David Moulton: Oh, I really like that, that idea of finding that balance between what you need to deliver for the business, what you need to do to protect the business and your customers, but also thinking about, you know, what's the engineering challenge and what's the end-user experience. And if you don't get those mixed in just the right way, any one of them could be the thing that stops you from success, stops you from growth. So that's a big range of things to think about. You've said 20 years, and you went from greenfield to brownfield. In that time, have you noticed a shift where one of those ingredients, one of those things that you're considering in your strategy, has really gone from sort of the back burner to the forefront, or have things changed around, or has it always been balanced?

Harish Singh: And David, to be honest to you, back at my banking journey, there was something which Indian banking sector actually believed in, something called fail first. So we were very enthusiast of looking at latest technologies and the greatest technologies, trying them, and not living with them, and we could fail first. Because we know, because of the technology, it carried a direct link to customer trust. One mistake would ripple into compliance issue, reputational issue, or even financial stability of the bank, correct? That environment taught me to see risk and security not as a control gate but as an enabler of confidence. Even today in Wipro, our global infrastructure, I carry that mindset, and that helps me build resiliency and try more new products.

David Moulton: Not too long ago, I interviewed our CIO here, and she talked about how she trusts our security team to act as a strong brake so that she can go fast. And she wants to drive innovation as fast as possible, but she needs to be able to rely on that strong brake. And it sounds like you have some of the similar mindset of, how do you go fast? Well, I have great security around me. We've thought about this. You know, and I think that's a great way of looking at security and its relationship to innovation. I'm curious if that's the number one lesson you've learned over the years, or if there's something else that you've learned, working in the financial sector, that influences your approach to risk and security today.

Harish Singh: So if you talk about financial institute is always user experience, the compliance, the regulatory compliance, basically, these two play a major role when you talk about banking and the belief in your customer is maintained by delivering both security and user experience. So those are in the forefront, and that's the same thing, the same philosophy helps me in Wipro, where we serve more than 1400 offshore development centers.

David Moulton: So let's shift to talking about your work with Wipro, and how you're helping your customers re-architect their infrastructure. As those organizations are accelerating to SaaS adoption, how do you support a more dynamic and app-centric workforce?

Harish Singh: So if you talk about purely from the Wipro perspective, we are helping outline to modernize. So the first principle, what we apply is we decouple security from the network. That's the most common mistake, what other organizations are doing. And what we are making, important thing is identity-driven, so policies follow the user wherever they work. It's not the other way around. I don't know if you have seen a Vodafone ad, it's very common in India, where a pug, a dog, is always following a user, a Vodafone user. So it shows, wherever you go, that pug will be with you, that means the Vodafone connectivity will be with you. In the similar way, in today's identity-driven zero-trust framework, that's the same case. Wherever you go, it's like your corporate ID badge. Your access remains the same whether you go to HQ branch or any other place in your organization, or to a hotel, or to your home. So it has become very, embedding SASE at the edge has become a core.

David Moulton: You know, from the infrastructure perspective, what are some of the big security blind spots that you see a lot of organizations tending to overlook?

Harish Singh: There are three main blindfolds, what I could talk about right now. The one we talk about is the unmanaged device in our organization, or in any organization, for that matter, where we have contractors coming in, they're getting access to the sensitive data. We have customer-related data, we have customer-related unmanaged devices, we have VPNs running through it, we have VDAs running through it, and so on and so forth. So it becomes very paramount on the unmanaged devices, that's the most important, I believe, for any organization. The second one is always about identity governance, the inconsistency in ID governance is a killer, is a no-no kind of a thing. The final thing, what I believe is, what you spoke about on the SaaS usage, the application SaaS usage. If you look at the old and good times where it was more of a build rather than a buy. Today, SaaS environment is more about buying applications, so lack of visibility on those applications becomes a major hindrance. It's like you say you lock the front door but you forget to close the side windows.

David Moulton: So you're talking about SASE gaining real traction, and in the state of workforce security, there was a stat in there. 34% increase in widespread production, developments year over year. What are you seeing as the biggest gains in SASE, and you know, maybe what are some of the early pitfalls to avoid?

Harish Singh: So David, SASE is a very big word. When I say SASE, it consists of multiple products, multiple vendors, multiple OEMs, which makes a SASE, technically. So the early pitfalls come when SASE is treated as a network upgrade instead of identity-led transformation. So giving a very lame analogy is like building a skyscraper without a foundation, kind of a thing, correct? So we are seeing strong gains in our hybrid work and enablement where SaaS protection and simplifying cloud security operations is paramount.

David Moulton: Harish, how do you see secure browsers completing SASE strategies, particularly in extending zero trust to unmanaged endpoints in SaaS applications?

Harish Singh: So if you look at secure browser closing a very critical gap, and we recently have deployed PAB Browser, which is Palo Alto Access Browser, so I'll take a step back. I'll tell you, David, the primary reason for getting a secure browser, if you look at our application stack, any application stack in a brownfield kind of environment, in a brownfield kind of an organization, you'll see N number of legacy applications being there, the new SaaS-built application coming in. So there's a mix and match, there's a confusion, and then security becomes very important because these applications, they contained user data, they have client data, they have PIA information, GDPR information, et cetera, et cetera, so on and so forth. To fix this problem in core will take at least five years. If you look at the number of applications our organization has, it runs into hundreds.

David Moulton: Yeah, it's too long.

Harish Singh: And into hundreds. So to fix it, you can't fix it at the source, because that will take five years. So the secure browser helps you to create that extended zero trust directly to the endpoint, which helps in managing all the security-related at the core of the endpoints. So after deploying endpoint-secure browser, all CXOs will embrace that. They will get a good night's sleep, because their worry of people accessing applications from anywhere, anytime, will no more be there. That's my take on the secure browser.

David Moulton: Only 13% of organizations report full visibility into data shared with GenAI tools. What's at stake if this visibility gap isn't addressed?

Harish Singh: So, we all know GenAI is no longer about future. It is happening here and it is now, so it becomes really important that we all know that GenAI is the new frontier of productivity, visibility, and if you look at, without visibility, organization risk, data leakage, compliance breach, and erosion of trust with customers. With GenAI adoption surging, the stakes are high, as losing intellectual property without even realizing it. So there's plenty of thing, if we talk about GenAI.

David Moulton: Do you think that the browser's going to play a key role in -

Harish Singh: Yes, definitely.

David Moulton: Stopping those risks?

Harish Singh: Definitely. Yes, definitely. If you look at from a browser perspective, there is something called browser-level controls, which we can enforce, so that the smart browser's level of control can be key to providing real-time visibility into AI tools, capturing images, text core to generation. The dynamic DLP in the secure browser enforce blocking sensitive content to be taken out. Keyword blocking is there. And from a business view perspective, this is about trust with regulator, customer, and partner. So yes, definitely.

David Moulton: You know, what strikes me is that the browser is such a common and useful tool that we all have, and we don't necessarily think about it, but it can provide that leakage, it can provide that risks on one side, or you can flip it 100%, and it can provide that security, and it's also the interface that so much work is getting done. So when you're able to make that shift, it feels like in a space where GenAI is moving so quickly that the browser gives you the opportunity to not only catch up but to actually wrap that security around, going back to your analogy before with the TV commercial, right? As you use that browser, that's what travels with you. That's the first thing you pop open, you know. I'm sitting here talking to a browser. I've got a couple of tabs open. I'm sure you've got a couple of tabs open. Our listeners do too. And you think about wrapping security around all of those things that we're trying to do through the browser. It's just wild that you wouldn't want a secure browser, especially when you're interfacing with these spaces that leak your data, leak your code, without necessarily intent. You're not malicious, you're just trying to get your job done with these better tools, and they are better, right? But they come with that incredible risk right now, so it's interesting to see where the browser has an opportunity play in this space --

Harish Singh: Absolutely.

David Moulton: As we race forward. [ Music ] I want to get back to the report for a second, where I saw that it emphasizes SASE as a way of unifying networking and security. What benefits are you seeing or expecting from implementing SASE architectures?

Harish Singh: So Wipro's a very large organization. We have 96% of our servers and server workload running on cloud, so we have big clouds like Microsoft, Google, AWS. Now we have Oracle also. So if you look from that perspective, SASE plays a very important role where they become the gatekeeper. So anything coming inside, from a hub and spoke perspective, the SASE architecture helps in the hub and spoke environment. So that is from a cloud perspective. But when we come to the end-user and endpoint, it is about defining unified policies and enforcing them across the environment. Reducing complexity, managing multiple tools, and improve user experience, that is almost always a key thing, if you ask me. User experience is one of the key thing what I always believe SASE should deliver, and SASE should improvise on.

David Moulton: So Harish, I don't know if you know this about me, but I spent the first 20 - we'll just call it 20 years of my career building software, building websites, focused on UX. Can you give me an example, can you delight me, with one of those user experience that you've delivered that you think it hits or exceeds your expectation for that end-user to be delighted, to have something that they didn't expect, and they're able to pick up quickly, and get out of the way, let them do the work that they're looking to, or have the experience that they deserve to have.

Harish Singh: So David, if I'm right, if I understand your question correctly, if you look at core partners, and if you look at users, were pretty happy that they could work from anywhere. Before COVID, it was always a dream which I believed in. I used to talk to the CXOs, they always used to say, how can Starbucks work? Why can't we have a Starbucks kind of an environment, where internet is available, people are using it, there's no east to west traffic, nobody's bothered about what the other person is doing. Well, if you take a cut, you come to your organization, when you're sitting inside, you know anybody can hack into your machine, because the next person sitting may have a malicious intent, whether it is employee or whatever. So we talk about internal risk as the most critical kind of a risk. So with SASE, that is my - the SASE helped us to change our mindset from a network-driven to a policy-driven state, correct? So wherever you take your machine, or wherever your mobile phones, wherever you want to access your applications, it's available, just click of a button. So you go anywhere. That's the beauty of SASE.

David Moulton: No, I love that example. As you're talking about that moment of inspiration or that moment when you need to get something done, isn't a drop everything, get back to headquarters, get to a machine that's locked down and secure, and do your job. You're talking about the ability to basically flip open whatever device, make sure that that browser security is wrapped around you, make sure that that identity that you're talking about, that individual security is there, and you're able to knock out your work. So that is a better user experience. As somebody who's been remote for quite a while, I can tell you, it delights me that we have architectures and leaders like yourself working on making this just a seamless way that we go about our lives. As I was looking through the report, I saw that 76% of leaders say that user experience is a top priority, and I think that you would agree with that, alongside security. How do you measure or evaluate solutions that aim to balance those two specific goals?

Harish Singh: So I'll give you a use case, David. When we deployed PAB Browser, it was not about how much incident that the PAB Browser is reducing, but what is the adoption rate? Today, adoption has become our most important factor. And along with adoption came the satisfaction score, how people are leveraging this particular browser to safeguard them, to ensure their work is happening, was very paramount. And I'll tell you, if security is invisible and employee can work without friction, we know we have struck the right balance.

David Moulton: I like that. So you're able to see adoption, and therefore you know that the security is there, and it implies that if they're adopting the tool, right, like we all move towards a thing that's going to get us the best experience, and that's actually very elegant. I love that answer.

Harish Singh: David, if you look at it, if you look at it, if there is no adoption, see? We have seen, as I told you in banking, used to fail first, because when we see the adoption is not happening, we used to understand why it is not happening. There used to be a satisfaction survey which calls out why it is not happening and whether this is suited to our organization or not, because their answer, it's not about the product, it's about the policies which your organization carries. Sometimes some product are the best product, so from a product perspective, that plays a greater role.

David Moulton: Do you ever face pushback from teams when security controls affect their workflows?

Harish Singh: Absolutely, David. That's a pain area, when you have the infrastructure. That is something which is very common, but yes, security can feel like a hurdle, correct? People can feel suffocated and choked, but the key is to - what we do is we involve end-user at the early stage. Ensure there is an ordered change management. We have our teams who run change management always, and we frame controls as enablers, and those are not something which will block our people from doing work or being more productivity. It's like you can always say that, much like seatbelts, what we wear in cars, correct? Initially, everybody used to resist it, but now, for safety, there's no question. There's no question asked. As soon as a person sits in the car, he looks out for a safety seatbelt, correct? So it's something very similar.

David Moulton: Yeah.

Harish Singh: It's about habit, it's about how much time you can give them and how we improve, do a continuous improvement.

David Moulton: Yeah, I think you're absolutely right on that seatbelt, and the strong brake. You know, Meera talked about that on an episode before. You want those things, and once you don't have them, I think that's when you start to feel exposed. So you've got to get used to it, but then it seems awkward not to have it. I'm curious if you could talk about the role of automation, and what it does in securing infrastructure at scale.

Harish Singh: So automation is no longer about options. So obviously automation came before machine learning or AI, so it's no longer option, it's become a DNA, and it is a foundation for scaling, correct? You talk about patch management, you talk about threat response, you talk about SAW. Whether we use your product, then you stood for automating. All our SOC alerts, correct? So automation allows security team to move at machine speed rather than humans. So with all the automation going in, a SOC team is much more agile and nimble, and the rest of the thing is done by your tool.

David Moulton: Yeah, I know I've talked to our team here about the wide deployment out of EXOR, and our own SOC, and the number of things that it takes care of so that they can keep up. It's a relatively small team, and the comment that really comes back to me was, the team doesn't think about it until something doesn't work, and they have to go back to doing it manual, and they're moved off of those highly strategic tasks, those threat hunting exercises that they're in, some of these things that they do to protect the business, to move back towards something that had been automated away, and it is wild to me to look at what you can do with an automation tool to move to that next level of speed. So Harish, I want to look ahead. Let's move into the future, and I'm curious what role you see the enterprise browser playing in say the next three to five years, in reshaping how organizations deliver secure work experiences.

Harish Singh: So David, maybe I will repeat what I said for GenAI, correct? So it's no longer about future. The enterprise browser is happening now and here. So there's no second thought. It's a new security edge. So enabling policy, enforcing DLP, identity control, everything is very critical and core to every organization. In many ways, it's like a control tower for the modern workplace. So you can't - there's no five years or three years, it's happening here, and it's now. That's why Wipro embarked on it in such an early stage.

David Moulton: So if I hand the mic over to you to talk to all of your counterparts, those that lead infrastructure, security leaders, is there one mind shift that you recommend as they prepare for the next wave of digital transformation, and while I think I know what it is, what would it be?

Harish Singh: David, I will suggest that move away from castle and moat mindset to one where identity and data are the new perimeter. Most of the people are still of this old mindset where they feel firewalls are the perimeter, but it's a left shift which has already happened, correct? The shift is simple but powerful. [ Music ]

David Moulton: Harish, thank you for this awesome conversation today, and for sharing your insights on UX, on hybrid work, on SaaS security, and the evolution of the enterprise, which isn't coming in three to five years, it's already here. I really enjoyed this conversation.

Harish Singh: Thank you so much, David, and the entire Palo Alto Network team. It's been a great discussion, and I look forward to continuing our journey of making security simple, trusted, and user-first. [ Music ]

David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen, and leave us a review on Apple Podcast or Spotify. Your reviews and feedback really do help me understand what you want to hear about. And if you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Original music and mix by Elliott Peltzman, and a special shoutout to Monique Lance for all of her work on this episode. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]