Enterprise-Grade Everywhere

2024 was a big year for enterprise cybersecurity incidents, but SMBs are not immune from these attacks. Shira Rubinoff is joined by Jason Rolleston, VP & GM at Broadcom’s Enterprise Security Group, on this episode of Six Five Podcast. They discuss Symantec by Broadcom and Carbon Black by Broadcom and the shifting dynamics of cybersecurity in the current digital age, particularly for small and mid-sized businesses.

Highlights include:

  • The sophisticated cyber threats that target large enterprises, resulting in substantial financial losses as well as disruption to organizations and critical services
  • The changing landscape of cybersecurity threats targeting small and mid-sized businesses
  • The critical importance of robust, foundational security measures in protecting against sophisticated cyber-attacks

Learn more at Symantec by Broadcom and Carbon Black by Broadcom.

Watch the video below at Six Five Media and be sure to subscribe to our YouTube channel, so you never miss an episode.

Transcript

Shira Rubinoff: Hi, this is Shira Rubinoff. I’m here with Jason Rolleston, Vice President and General Manager of the Enterprise Security Group at Broadcom (ESG). Jason, what a pleasure to be with you here today.

Jason Rolleston: Thanks for having me. Super excited.

Shira Rubinoff: Thank you. So Jason, trust, reliability, and the importance of fundamentals in cybersecurity are key themes that organizations continue to struggle with as they address the market trends around hybrid infrastructures, cloud, and juggling on-premise solutions with their organizations. Today we’re going to talk about enterprise grade everywhere. So Jason, attacks seem to be getting more sophisticated, but are mid-sized and small businesses really in the crosshairs of these threats? And certainly we talk about it becoming more prominent and more prevalent across all sizes of companies, but let’s focus here on the mid-sized.

Jason Rolleston: Yeah, they absolutely are. I think there are two big factors driving it. One is capability, and the second is really the return on doing it, right? If you went back sometime a number of years back, there were very few groups who could conduct these really sophisticated attacks. They tend to be espionage-driven, more state actors, or they were driven at the highest end, the biggest companies because that was where the return was. It was who could fund it and how it would work. People have gotten a lot better, the skill set and the development is much broader. The tools are much better, more people can conduct these attacks. And then with the advent of cryptocurrency and the way things have flowed out, there are now a lot of ways for monetization, ransomware across the board. It’s not just the biggest company, so 100%, people have started coming down.

They’re also coming down because the security in most small organizations is not as sophisticated. They’re not as hard of a target as some of the big banks and the big companies that are out there. 100%, we’re seeing really sophisticated attacks coming at shops that just aren’t really prepared for it. What we’re finding is that while that’s happening, a lot of small companies have relied on security through obscurity like, who am I? Why come at me? I’m nobody. They’re now starting to find they’re absolutely in the crosshairs so the market’s changed.

And so the fundamentals of security, we just need to take the same things we’ve been doing. We know how to attack these threats, but we ought to bring it from the enterprise down, this enterprise-grade protection that people have not had to step into. We’ve got to bring it down to these smaller organizations, make it accessible to them. I think that the strength and reliability of our technologies being very relevant and centered around those capabilities is such a huge asset and something we think is going to be tremendous for the market as we see this shift continue.

Shira Rubinoff: Oh, that’s super important. And as you mentioned, they’re wondering, why me? There’s bigger fish out there to fry. And it’s not a question of if, it’s really when, and everybody’s a target. Certainly important to focus on some of those midsize companies that might not have the budgets that are large enough to really protect themselves the way the larger enterprises do. Let’s move over to the next question that really addresses this. In a crowded market where many companies chase the latest innovations, how are Symantec and Carbon Black approaching cybersecurity differently? And I’d love to hear this. I know both these companies very well, and the merger of them is quite amazing.

Jason Rolleston: Yeah, and look, I think it’s a simple answer for us. We tend to just try to stay focused on the customers and the needs. What we see in the market today is a lot of, as the market has matured for cybersecurity, we see a lot of people really chasing marketing the next shiny object, talking about why you need to think about this, or what’s really important about that. And then you can name it. If you went back over RSA, the last three, four years, you’ll find in that conference, what was the big buzzword? It was UEBA one, so user dynamic or user behavior analytics, and then it was XDR, or maybe it’s a generative AI. Look, these are all good technologies, nothing wrong with them, but I think the focus for us is not what’s the new tech and why we’re better because we’re using the new tech.

It’s like, “What is the customer needs? What are the challenges they’re really facing?” We stay focused on those fundamentals and the proven technology that’s worked for some of the biggest companies on the planet. That does that in a reliable way that’s consistent, that doesn’t cause challenges and problems. We’ll joke and say, “Look, you don’t necessarily need a Ferrari for security. You need a Toyota.” You need a simple thing that gets the job done, that’s reliable, that’s dependable, that does exactly what you expected it to do. And that’s what we’ve been doing. We’ve been doing it for decades.

I mean, Symantec, Carbon Black, Bit9, Blue Coat, the technology stack we have has been defending people for a really, really long time and it’s such a proven reliable technology stack. That’s maybe a bit different for us. Maybe we aren’t as flashy, we aren’t as loud, and we’re not putting Formula 1 cars in our booth, but we’re staying really grounded in what it is that customers need, technology that works to deliver on that and not focus on the outcomes, helping our customers really achieve what they need and to stay safe.

Shira Rubinoff: Well, that’s important. As you said, trust, reliability, dependability, those are things that organizations need. Having had many conversations with Broadcom and all that subsidiary companies over the years, wearing an analyst hat, a thought leader hat, the understanding of how you approach your customers is the way to go. You’re listening to what the customers need, what their needs are. Not being a company out there saying, “This is what you want and let me tell you why, and let me tell you how to fit into the square peg.” It just doesn’t work, and organizations really need to have a partner that they can trust, that’s reliable, that listens, and really then understands what the fit is and that’s what you do. That’s very impressive and it’s a need to have. Jason, how do you balance the need for speed with the risks of relying too heavily on endpoint security in today’s complex environment? So now we talk a lot about mitigating risk, and that’s always something organizations struggle with. How do we balance it? What is the secret sauce there?

Jason Rolleston: Yeah, and this has been, I think a really interesting evolution over time. Again, if you track back in history for a long time, the way you protected your employees is you put them in a campus and you put up firewalls and you said, “This is my castle, and everything inside my castle is safe, and that’s how I’m going to really do it.” We saw through pandemic, and it was already happening with mobile workers and different dynamics is it wasn’t really sufficient. We’re starting to see people were getting inside, and then all of a sudden you have workers who aren’t even protected by that network. And so the endpoint really rose in prominence because correctly, I think vendors started saying, “Look, the only thing you might have for defense in some cases is the endpoint, so man, the endpoint should do everything.”

And it’s very tempting because it’s a great place to do everything. You have a lot of data, you have a lot of insight. Who the user is, what they’re doing, the processes that are running, different network connections that are happening. It’s a really great place to do security, it really is. It’s tempting to do everything there. But the risk of that is look, it’s difficult. I’ve worked in endpoint from a security and an IT perspective, endpoint technologies for a long time. Very easy to get it wrong, very easy to have bugs that take systems down. And in some cases, those are bugs in the operating system itself. It’s not even something you’ve done wrong, it’s just something that you stumble upon, but you still cause that outage. So the balance is really, how much do you do there? How sophisticated do you try to get versus looking at a combination of technologies that can reduce the amount that the endpoint has to do?

That’s where I think our focus is. Things like cloud web security, that takes some of the malware out as you’re searching and browsing things like email security. There’s a lot of technologies we think you have to bring together to reduce the amount of risk that you take on the endpoint. And then you’ve just got to be really thoughtful about how fast you go, because the faster you go, the faster you’re trying to respond and push new content for that new virus. The new attack that came out, the more likely you are to make mistakes. You just have to find that right balance point of, okay, I’m doing this. I’m making sure my customers are safe. But that safety is also in not taking the systems down itself, and it’s bringing together the right technologies in the right places.

It’s not all cloud. Cloud’s not inherently better than on-prem in all cases, so it’s using the right technology for the right use case and helping organizations find that balance. The reality is different organizations have a different appetite for risk. We shouldn’t be the full end arbiter of that and say, “This is the risk you’re going to take,” we need to work with them. And as much as we said before, we need to be partners with them and engage with them to figure out the risk they want to take and not force our risk tolerance on them.

Shira Rubinoff: Well, that’s another critical piece you mentioned is not force your thoughts on their organization. There’s no one size fits all. And a lot of organizations struggle with that. When they look at different solutions, they’ll say, “Well, that doesn’t really fit me and they’re trying to make it look like it does.” And to really understand, again, the organization’s risk appetite, but also where they fit in the scheme of things when it comes to the overall security. So Jason, given the maturity of the cybersecurity market, what do you see as the biggest challenge for small and mid-sized businesses looking to adopt enterprise-grade solutions and protection?

Jason Rolleston: Look, I feel for customers. I brought up and referenced RSA, right, in the past. If you go to that conference, I don’t understand how they can process it because even being in industry, it’s so hard.

Shira Rubinoff: Heads spinning.

Jason Rolleston: So many vendors and so much noise, messages everywhere.

Shira Rubinoff: Shiny objects everywhere.

Jason Rolleston: Yeah, it’s crazy. It’s absolutely, I don’t know how they process it. I think that’s the biggest problem is you’re running a small business, you don’t necessarily, you’re not a phenomenal cyber security expert. You’ve got a lot of things to do. You just want to make sure you’re safe, that your business isn’t compromised. I think, look, finding the right partners, finding the right vendors to work with who are going to be grounded and connected to your issues so understand what you’re facing and can really help you through that, who aren’t trying to sell you something that you may or may not need, but are staying focused on what are your outcomes? What is your risk tolerance? What are you doing? What kind of data is important to you? Are you transacting? Do you have customer data that you need to protect? Are you potentially dealing with GDPR and privacy regulations?

So having that engagement, cutting through all the noise and finding somebody to work with, I think is incredibly difficult. And it’s especially difficult when you have, as we’ve discussed here throughout the day, all these vendors telling you, “Well, what you have is not enough. You need this thing and you need that thing and you need to be thinking about these things.” And so that’s really, really hard. And I think it all comes back to us, just keep it grounded. What are you doing? What are the real challenges that exist? Let’s take the big ones off and work our way through it. Be systematic about it. Stay focused on the biggest risks and the things that are not as shiny necessarily, but the things you just have to do and then work your way up to sophistication. And then help find other partners. If you need complementarity, you need people to help out and provide services, you need that engagement. You need a partner in this. Not a vendor trying to sell you something, you need a partner. And that’s something we’re really trying to provide and work through our larger partner ecosystem as a different way of engaging with customers, focused on outcomes, focused on keeping things simple in some way and really the fundamentals of security.

Shira Rubinoff: Well, no, thank you for that. I’d just like to focus on the small to mid-size companies for a moment because a lot of them are sitting there watching this, listening to this, listening to other things, running around at RSA with their heads spinning, and trying to figure out where do we fit in the scheme of things, and are we really a target? And how much protection do we really need? How much money do we really need to spend when our CISO, or not even their full CISO because maybe they can’t afford a full-time CISO, what do we need to do in order to be protected? How much at risk are we? What would you say to those businesses listening today and saying to you, “Listen Jason, I just can’t afford it right now. I’m going to put it on the back burner. What really is my risk profile to being attacked?”

Jason Rolleston: Yeah, I think the thing I’d say more than more, it is way higher than what you’re estimating. Whatever you have in your mind, whatever risk you think you’re taking on, I will guarantee you the risk is higher. And I hate security, in some sense, we’re selling on fear, that’s not what I’m trying to do. But it’s trying to just make the point, the reality of how the attackers have shifted the way in which the capabilities they have, they’re able to bring to bear through automation and really go after it. It is a much higher probability that you’re going to get hit. And it’s also the thing that happens. It’s not random ransomware, it’s going to be targeted. They’re going to go at your most important systems, and that’s what they’re going to get. That’s what they’re going to lock down. That’s the data they’re going to steal.

And so some of this is you have to find the right balance and everybody has to decide how much risk they want to take. What I’m telling you is the risk is higher than you think. If you think you’re at the right balance, you aren’t. Doesn’t mean you should spend all your money on security. Clearly you can’t, you’re running a business. You have to be thoughtful about this. But I would say, look, engage with vendors who are going to be willing to engage with you, with partners who want to meet you where you are, not just sell you things, but really help you achieve your goals and who recognize the reality of the space and know that they have to find that right compromise with you. That’s something we’re certainly focused on, as I said, through our ecosystem, and I think we’ve got just a phenomenal set of technology. Again, leveraged and used by some of the biggest companies on the planet that we want to bring and put into the hands of these companies and make it possible for them to get that same level of security over time. But it’s going to be a process, but you’re definitely at more risk than you think.

Shira Rubinoff: Very important points. And Jason, one of the things I like to ask of folks in the cybersecurity world that I speak to is can you share from your own personal perspective a cybersecurity pointer that you think is very important for everybody out there to hear? It either could be something from an organization or even a personal, an everyday life type of cybersecurity hint that would be helpful to somebody.

Jason Rolleston: Look, I think the biggest one I’ll say is I think it’s very easy to overlook fundamentals and basics, be that patch management, or just getting the most out of the tools you have. It’s very simple to get caught up, as we say in this path of there’s some fancy new analytics technology. That’s the thing that’s going to make my security come together. When in reality, as you invest in new things, you have to dedicate resource to those things. When you put energy into something, you are by definition taking energy out of something, and in many cases that math may not work. So being really focused on, am I doing the things that are just the basic things I need to do right? Am I doing those well? Am I getting the full value out of the technologies that I have, the core technologies that are really needed to provide security? That I think in many cases is going to pay off way more than buying some new technology for some corner case or edge out there. It’s just back to basics. Stay focused, make sure you’re getting the most out of what you have.

Shira Rubinoff: I think you couldn’t have said it better. Get back to basics, and I think some people are just trying to jump ship trying to recreate the wheel. So thank you very much, Jason, for your knowledge and your perspective and your advice all around these topics for our audience today, and I look forward to talking to you again very soon. Thank you.

Jason Rolleston: Again, thank you so much for having me. It’s been a pleasure.

Shira Rubinoff: Thank you.
