Inside the Pentagon's new zero-trust policy

Venafi solutions architect Steve Judd talks about the recent directive from the Pentagon that a zero-trust policy be implemented at the Department of Defense in the next four years. Is this a workable deadline? What are the hurdles to be jumped? Judd also tells me what a solutions architect does and why he thinks it’s the most fun job in cybersecurity.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

0:00 - Pentagon’s zero-trust policy and DoD
2:22 - How did you get into cybersecurity?
5:10 - Cybersecurity solution architect work
9:05 - Scope of zero-trust policy
16:00 - Getting ahead of the zero-trust policy
17:49 - What skills do zero-trust make mandatory?
19:37 - New jobs via zero-trust
23:44 - DevOps and DevSecOps
28:48 - Areas of studies to emphasize
31:00 - Things not to study in cybersecurity
38:00 - What is Venafi
40:05 - Learn more about Steve Judd
40:36 - Outro

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

[00:00:00] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well try this. Go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. We took notes from employees and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans, plus many more free resources for Cyber Work listeners. Do it, infosecinstitute.com/free. Now, on with the show.

Today on Cyber Work, I speak with Steve Judd, Solutions Architect at Venafi about the recent directive from the Pentagon that a zero trust policy be implemented at the Department of Defense within the next four years. Is this a workable deadline? What are the hurdles to be jumped? While we're here, Steve also tells me about what a solutions architect actually does and why he thinks it's the most fun job in cybersecurity. Keep it right here for Cyber Work.

[00:01:25] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Steve Judd is a Solutions Architect at Venafi with over 25 years of experience leading and mentoring high quality or highly technical teams. After many years working on application and API development, he has spent the last eight focused on cloud native platform engineering and is particularly interested in helping organizations improve their software supply chain security and transition to a zero trust environment. That last point is very important because today we are going to be talking specifically about the recent news of the Pentagon's zero trust policy with regards to the Department of Defense.

So Steve, thank you for joining me today. Welcome to Cyber Work. It’s great to have you.

[00:02:19] Steve Judd: Great. Thank you for inviting me.

[00:02:21] CS: My pleasure. So, Steve, we always like to break the ice with our first-time guests by getting a bit of their origin story. So where did you first get excited about computers and tech? I see your undergrad was a Bachelor of Science in Computer Study. So it's clearly been with you for a while. But what was the initial draw?

[00:02:40] SJ: My math teacher at school. I reckon, so we're going back to the early ‘80s, and I was a teenager. One of my math teachers started a lunchtime computer club. Yeah. So I went along. We had things like and some sort of Sharp, and it was just a bunch of really, really antiquated computers these days. But, yeah, I mean, we learned by – You had these magazines that just printed lots of games. Of course, they never worked. So you type them all in. Actually, I got more joy out of debugging the code than playing the actual game, so yeah.

[00:03:25] CS: Oh, yeah. Yeah. The game was always like a figure walks across the screen, and it took you like 700 lines of code to get it to work.

[00:03:33] SJ: Absolutely. Yeah.

[00:03:35] CS: Yeah. My dad and I used to do that. We would sort of exchange. We would go back and forth once one of us got tired of clicking or whatever, but yeah. Then it was always just like one little typo that would be the difference. Yeah. That’s cool. Yeah. So that's been with you for a very long time. Sir, what age were you, you said, when the math teacher –

[00:03:55] SJ: I reckon I was about 14.

[00:03:57] CS: Oh, yeah. Yeah, yeah. I'll stick with you.

[00:03:59] SJ: I quickly realized that I had an aptitude and a liking for computer studies. So I did it all the way through school, and it was like an obvious thing to do at university. I went straight into the IT industry.

[00:04:16] CS: Yeah. I’m assuming you were working with BASIC mostly, but were you learning other sorts of languages around that time?

[00:04:24] SJ: Yeah. Assembler and COBOL were my –

[00:04:26] CS: Nice.

[00:04:27] SJ: Yeah, yeah. I mean, that's what we got taught at university was COBOL and Assembler and a bit of Pascal. In fact, my first job was for a chocolate company, Cadbury's, and I was supporting their mainframes. So it was some Assembler, a lot of IBM type stuff. Let's just leave it there for the moment because it's quite old, but yeah.

[00:04:59] CS: I appreciate you keeping Cadbury chocolate safe because I like that very much. That, to me, is a vital industry, especially this time of year. Yeah. So I want to talk a little bit about what you do now. Can you tell me about your own work as a solution architect for Jetstack? So what are some of your average tasks or strategies or problems that you need to solve for your clients in an average week's work?

[00:05:24] SJ: So Jetstack is wholly owned by Venafi, and Jetstack is like – We have products, so cert-manager, which I might talk about later. That's a Kubernetes certificate management product. But the bit that I focus on is pure kind of cloud native and Kubernetes consultancy. A lot of that is with financial services companies, gaming companies, the defense company as well. What we're doing is, as you probably are hopefully well aware, Kubernetes, quite a big deal these days, super popular.

So I spend a fair bit of my time helping companies raise their maturity, in terms of the way that they use Kubernetes. A lot of that, frankly, is around the security because, unsurprisingly, all these companies, especially the regulated ones, are very careful about what they get up to because they have auditors, regulators. They have to explain any bad decisions in front of very stern-looking individuals. Yeah. So security is taken super seriously, and this is where, I suppose, especially over the last couple of years, I've spent more of my time around zero trust. How do you do machine identity, especially, and the other aspect, which is securing your software supply chains?

[00:06:58] CS: Yeah. So with – Oh, I’m sorry. I was going to say, with regards to the job position of solutions architect, so it sounds to me like you're sort of not quite the project manager but the set the project person, where the client says, “We need this, this, and this,” and you're saying, “Okay. Well, we'll need to give you these seven things in tandem.” Then you sort of create like a detailed plan that works for them and then you –

[00:07:22] SJ: Yes. That's, I think, reasonably fair. So I'll go in and the customers will go, “We have these challenges. We have these pain points. How are we going to solve them? What's the kind of industry standard ways of doing it? What are your opinions based on the fact that you've done this sort of work with other clients to provide us with best practice?” I think a lot of the phrase du jour is we want best practice, and it's people like myself because we've been working in Kubernetes and then this space for a while. We kind of know what that best practice looks like and how to achieve it and how to tailor it for each individual client in their particular environments.

[00:08:10] CS: Okay. Yeah, that makes sense. Yeah. I just want to make sure because, again, we have a lot of listeners who sort of listen to our episodes and get a sense of what they want to do with their life and stuff. So if they're thinking, “What's a solutions architect exactly,” that helps them out a great deal.

[00:08:25] SJ: It’s a very broad term, and I carefully enjoy the fact it's a very broad term because it allows me to do, frankly, quite a lot of different things, if that makes sense. So I also do a lot of conference speaking. For example, this year, I must have done about three or four different sort of security conferences, the two KubeCon security, the Cloud Native Security Con conferences, one in Valencia and one more recently in Detroit. I was speaking at those two. So it gives me an excuse to do a lot of that kind of stuff too, which, weirdly, I enjoy.

[00:09:05] CS: That’s a plus, for sure. Yeah. You get up with the folks there. So, Steve, I wanted to have you on the show specifically, as I said at the top of the show, to discuss something your organization emailed to me that I thought would be relevant to many of our listeners. We have a lot of students who are in government, in military or defense contract or want to be, namely the news that the Pentagon has recently announced zero trust strategy to guide Department of Defense cybersecurity priorities and investment.

The first thing you mentioned was that there are deadlines and possibly even pretty tight ones to submit execution plans and completion dates preventing this from being a good idea that just drifts along for months or years on end. So, first, can you share the scope of what this directive entails? What are we talking about in terms of the size of the issue, the resources to act, and the possible disruptions that are possible during this change?

[00:10:01] SJ: So I don't know a huge amount about the DOD. I'm much more au fait with the UK-based sort of government departments, but none of them are small. So I do know that the DOD has got somewhere in the region of 2.8 million staff in one form or another. What you're talking about with zero trust is that every actor in your environment, whether human or some kind of machine, needs to have a verifiable identity which it can then offer whenever it requests access to something else in that network.

We're talking not just about human beings needing some higher level of verifiable identification, so multifactor, for example. We're also talking about the individual servers or devices, drones, whatever that is in that network that's going, “Hey, can I have this piece of data? Or can I go and do this thing to this server over here?” All of that is what zero trust is trying to kind of create, if you like, is the fact that you need to have this identity. It has to be verified. Once that happens, you can then start making decisions about, well, is this thing actually authorized to access that resource or read that email or [inaudible 00:11:29] that piece of data or whatever.

I think it's huge. It's been coming for a while because this all kind of kicked off when President Biden issued his executive order in May 2021. Then after that, in fact, January this year, there was a federal memorandum to talk about specifically the zero trust strategy at a complete federal level. This is the DOD’s kind of response to that, where they're starting to sort of flesh out what this means for the DOD, and it will affect all of the departments. They've made it very clear that it's going to affect everybody.

The document, I think, is a reasonable start. It's got – They've defined what they're expecting to see, albeit a very high level, and they've put some timelines in there. They divided it into things like users and data and applications and devices. You can see these target timelines and then the advanced, and they've specified, again, at a high level what this actually means. Then they've left it up to the departments to go and figure out how on earth they like to do it.

[00:12:50] CS: Right. Well, yeah, it sounds an awful lot like the CMMC 2.0 requirements that kind of were finally finalized earlier this year, and one of our guests said that there's like something like 300,000 vendors that are being given mere months to achieve compliance. But there's only a few hundred auditors available to take on the work. So this is a little more self-directed I'm imagining, where it's like you – There's not necessarily someone that's going to have to come in and audit your particular portion of the system. It's more like the implementation I imagined is maybe a little more internal. Is that right?

[00:13:24] SJ: Yes. No, absolutely. So I think it is different to the idea, where you're basically insisting that a supplier has to get to certain standards of cybersecurity and be externally audited to that fact. That being said, it'll be interesting to see how it works out in practice and how many exceptions they're going to have because, obviously, if you've got a legacy system that has absolutely no chance of, let's say, integrating some kind of single sign-on mechanism, then what are you going to do? You need to create an exception and justify why it still exists on the network and what the mitigations are. This is the same, to be honest, as private sector. I mean, the banks that I work for have exactly the same issues.

[00:14:20] CS: Yeah, yeah. I mean, to that end, do you think the strategy went far enough in terms of tightening identity and access? Is there anything that you would have done differently if you had the magic gavel?

[00:14:33] SJ: No. I genuinely – I have actually read the document or 30 odd pages of it, and it looks good. I think the thing is the devil is in the detail, though. It will be – I don't – There are going to be some departments, frankly, who will be able to speed ahead quicker than others. They have a lot of challenges, which I can't begin to imagine how you would deal with them, like multifactor authentication in a hostile environment. How are you going to do that? I mean, you know. Oh, just use your phone and press the indicator app.

[00:15:15] CS: They're gaining on me, but hurry up. Hit the thumb ID on your phone to make sure.

[00:15:21] SJ: Yes, exactly. Yeah. So like I said, I think the devil is in the detail, but it's a good stab. I appreciate that. Many people probably think that the timelines are too long. They’ve got probably, what, four years now until 2027 to kind of achieve what they call the target zero trust. That seems like a long time. Obviously, it's not when you've got a large bureaucratic organization. That being said, all the malicious actors out there aren't standing still.

[00:16:00] CS: No, no. Yeah, yeah. This isn't like racing, where you get the flag car or whatever, while the person is getting over there. Yeah, yeah. So as I mentioned before, I was recently speaking to one of our instructors, Leighton Johnson, on a recent episode about the aforementioned CMMC deadlines. We talked about the fact that vendors and industries that want to work with DOD and can't get their compliance in place by the deadline could very well be left outside, until they get everything sorted out. So we also discussed the fact that these vendors know what requirements need to be visible and reportable to auditors.

If you were waiting for the finalized CMMC to come through, like that was probably not the move because you know what you mostly need to do. So with regards to zero trust, is there anything that sort of DOD departments can and should start doing right away to ensure that they're not scrambling at the last minute?

[00:16:54] SJ: I think, to be honest, I would have expected them to have already started. I mean, it was, as I said before, President Biden kind of fired the starting gun on that one. That was basically we're getting serious about this. I have absolutely no doubt that the intelligent minds within the DOD kind of could see the writing on the wall, read the runes, and go, “Probably need to start worrying about this right now.”

[00:17:23] CS: All right. What’s going on? Yeah. Yeah, absolutely. I invite you on the show. It's the Cyber Work podcast. We want to talk about people entering the industry, specifically. I mean, I like hearing this sort of speculation about the work of the next couple years. But how, if at all, will these coming changes to DOD cybersecurity initiatives affect professionals who are trying to break into careers doing security for DOD? So if you're currently a cybersecurity student or working in the field and looking to transition into this type of federal military work, are there any additional skills or processes that zero trust will make mandatory for anyone in this space who might not have otherwise been working on things like that?

[00:18:09] SJ: I am biased because I work in open source and cloud native. But I would say that's where I'd start focusing. I think more and more people are going to be required. I think that the security industry is fascinating in the sense that there are individuals who live in, shall we call, the traditional world of security. It is changing, and that's a very compliance-based. You kind of go, “Yes, I’ve done this. I've ticked off this. I've ticked off this.” I think it's moving more to what they call a risk-based kind of industry.

I do think that there's a lot of opportunity for people getting into it. As I said, it is definitely – For me, anyway, cloud native is where everything is moving towards. Certainly, within Venafi, that's what we see and that's the way we're going as well is to provide cloud native solutions which, obviously, involves security hugely. But I think cloud native lends itself to a kind of zero trust model in terms of the way that you can provision your software-defined networks, for example. Yeah.

[00:19:37] CS: I mean, similarly to that point, will zero trust implementation open up any new or expanded job roles in this space as with like management of machine identities? So I'm guessing identity access management, we'll also need more people with all of this. Where do you see this sort of – There's so many gaps in employees and so forth. But what will this open up a specific new type of sort of security professional role?

[00:20:07] SJ: I tell you the one that I really want to see is, and it really was a real shame that DevOps became a thing rather than DevSecOps. I think the Sec bit in the middle was kind of slightly forgotten about for a period of time, and it's actually obviously crucial. Also, I think that we're seeing a rise of platform teams, and having security professionals that are platform engineers, I think, is going to become a thing.

My background is mostly application development. Then I moved into sort of let's call it platform engineering because I find that space really interesting. Security became part of my interest circle as it were because it's quite new. It's not new, but the new tooling and patterns of interests. It’s like, “Whoa.” So that's why I get into that. But I think there's – I come at it from an application side, rather than from a security side is probably where I'm trying to go with that statement.

What I'm trying to say is I think that there's a lot of opportunity for people who maybe don't see themselves as pure security professionals to be able to contribute and make a difference in this space.

[00:21:41] CS: Could you unpack that a little bit more in terms of what constitutes a cybersecurity professional? What kind of hybrid skills are we talking about? Or what people of maybe not specifically tech backgrounds do you think could fit well into this area?

[00:22:03] SJ: For people that are not hugely technical and not really wanting to be, I think explaining security is probably – People that can communicate these concepts are a bit like hen's teeth. It is –

[00:22:21] CS: Yeah. Compelling narrative. Yeah.

[00:22:25] SJ: Yes, thank you, compelling narrative. So I think people that can understand that to be able to communicate it because everybody's got to do security. Like you have to bring it over to all of the user base. You've got to bring it over to product managers and to application product managers and so on. It's like, “No, no. You really need to do this stuff. This is how you need to do it.”

I think then there are the people that bridge the gap between, let's say, the application developers and the pure CISO kind of teams, if you like, because still a lot of security teams are not very au fait with cloud native technologies or cloud in general. You need to bring them on that journey. So I think there's a lot of room for people who can grasp the concepts but don't necessarily need to explain the ins and outs of a 256 encryption mechanism, if you know what I mean.

[00:23:27] CS: Right, right. Yeah. Or make it work. They just need to explain why it does work or why it used to work.

[00:23:34] SJ: Yeah. OIDC. Just trust me. You need it. Don’t worry about it.

[00:23:37] CS: Yup. You need it. I can give you some graphs as to what happens if it doesn't work, so yeah.

[00:23:42] SJ: Yeah, exactly. Yeah.

[00:23:45] CS: I want to go back a little bit. You mentioned that you were sad that things went to DevOps and that DevSecOps kind of got left to the wayside a little bit. Can you talk more about that? Because we've had – Obviously, I tend to have DevSecOps people on here. But like what are your impressions in terms of whether or not the Sec part is being sort of left behind? I'm assuming for expediency’s sake, right? A lot of it is like speed issue. We don't have time.

[00:24:15] SJ: Yeah. On the face of it, it doesn't add business value. If you're an application developer, and you've got five features that are going to attract more people to your application or your mobile web app, saying that you've built something in a secure way with best practices in supply chain security, or it's not really going to get your product owners particularly excited. Does that make sense? It's more I think –

[00:24:49] CS: Yeah. But, again, I think that's an issue of creating a compelling narrative. Like you have to really explain why you don't want there to be like big, crazy vulnerabilities in the midst of this thing, just because you were able to get it two weeks. We were talking about how crazy this four-year window is for zero trust. If you work in cybersecurity, you're used to having deadlines that are completely unreasonable. So I think that really feathers nicely into this notion. Like I said, I've talked to people about this before, and they always say that like the Sec part, it just adds – It's kind of like I want you to do this project with 50 parts.

But after every single step, you have to come back to me and look. Then when I have time, I can look at it to make sure that it's done correctly. Then you go back. I think people who want to do things, they just want to get into the flow and do it. So, yeah, I think there's still kind of a project management process issue involved in making DevSecOps viable. I mean, do you see any ways around that?

[00:26:00] SJ: Yes. I was – What you said really resonated because, as I said, I work with lots of banks, and you just end up having two things that happen. One is you get a bit of shadow IT happen. Or the other thing, which is just as tragic is that you've got this great, elegant solution, and everyone goes, “Yeah, but it's going to take us six months to implement it because we've got to go through all of these security hoops. So we'll go with this other approach, which is much worse. But we know that we'll be able to get it, achieve it in a month,” if you know what I mean.

That really kills me, and I think it's a matter of – Again, it's education. It's bringing the security people closer to you, which is why I said I think there's opportunities for kind of platform security engineers. So you don't want this us and them siloed environment. You want to get those security folks close to you so that they deeply understand what you're trying to do, without you having to write a 20-page design document with all of the security mitigations listed. They'll just kind of get it easier and be able to facilitate that process that you were talking about.

[00:27:23] CS: Yeah. I imagine. Boy, it just seems to keep coming back to communication and stuff too because I think there's this this perception that if you're going to have the security person overseeing the development and getting the best practices and getting this, you don't want to come in like Debbie Downer like, “Look, I know it's going to slow things down. But we really need to make sure that this, this, and this are safe.”

I think, again, there needs to be a way to – I'm speaking into the void here, but there needs to be a way to make this less like the speed bumps that everyone is fearing. No one wants to hear from your email, if they're like, “Oh, God. There's Debbie Downer again, telling me why I did this thing wrong that I'm very proud of.”

[00:28:10] SJ: So this is part of this move from compliance-based security to risk-based security, right?

[00:28:16] CS: Yes, yes, yes, yes.

[00:28:18] SJ: I think that that's part of the answer. By the way, if I had a great kind of plan for how to do it, I'd be totally starting my own business, and I'd be –

[00:28:29] CS: Yeah. Right, right.

[00:28:30] SJ: Which within months so I'd think if I had a silver bullet for this.

[00:28:34] CS: At the end of the year, it's the holidays. Let's speak in sort of – Let our wish list run free here, in terms of what we want for things. Yeah.

[00:28:45] SJ: Dear Santa.

[00:28:46] CS: I want the world. Yeah, exactly. So for listeners who are trying to get into the security space, putting in the hours in class or their first jobs, you talked a little bit about [inaudible 00:28:57]. But what types of specializations or areas of study or experiences will give them the advantage in the resume pile in the sector? Like what should they be emphasizing?

[00:29:06] SJ: I think I would start by going onto something like YouTube and having a good dig through some of the good security conference talks. So I'm thinking of Black Hat, DEF CON, Cloud Native SecurityCon. They put a lot, if not all of their talks, onto YouTube. So I think those are a good place to start to try and figure out which bit of the security lifecycle or focus you want to focus on because it is kind of a huge topic, right? So there's a lot to it.

I would invest my time in some of the certifications. My background over the last few years I spent on Kubernetes. So I'm kind of biased. But Kubernetes have a whole bunch. The Linux Foundation, they do a whole bunch of certs. Some of which are just – They do a cybersecurity set, but they also do like Kubernetes security one as well. I think that one, by the way, I haven't done. It looks really, really hard.

[00:30:22] CS: It’s a goal for 2023.

[00:30:24] SJ: Yeah, absolutely. Then I also –

[00:30:26] CS: Let’s keep that list going.

[00:30:29] SJ: Yeah. But there's also the cloud, the hyperscalers. So AWS and Google have got a whole bunch of certs that you can do, and they've got some that are very much focused on security. I think doing that for somebody that perhaps doesn't have a lot of experience in this sector, that's a pretty good way of demonstrating our level of aptitude.

[00:30:53] CS: Yeah. Can you speak to some rookie mistakes that you see young professionals that you would like to help them avoid in terms of maybe studying something that's not going to be relevant in five years? Or just start chasing or just spending too much time in a book or too much on hands-on without anything to back it up, anything like that?

[00:31:16] SJ: I would start, I think, with the basic building blocks of security. That's stuff like sort of TLS. How does that work? Or how does HTTP – How does your web browser talk to a secure server? So all the basics of SSH. Those, to me, are the kind of building blocks. How does encryption work? Don't get too bogged down in thinking I'm going to write my new encryption algorithm. Please do not do that, right. Don’t. I would start with those basic building blocks because that's what everything is built upon, frankly.

I would start also looking at – I think, the whole multifactor authentication is a really interesting space because it hasn't been solved particularly brilliantly yet. There's lots of reasons why, obviously, multifactor is better than not having it. But you still need to understand what the man in the middle attacks could be and how you can be taken advantage of. So those would be – I guess, I probably wouldn't get too hung up on individual vendor products, to be honest, frankly.

[00:32:42] CS: Yeah. Jump into those if you think you're going to work for a place that needs them.

[00:32:46] SJ: Yeah, absolutely. My only final thing on multifactor authentication, make sure you have multiple of these factors. A couple of months ago, I was in London, staying in London. I had a night out. I had my phone stolen, which had my only multifactor on it. I was stuck in a hotel with no phone, so I had this real thing, like I can't get into my email because it's requiring my multifactor authentication, which is only on my phone, which has been stolen. My other one is at home, and I can't find my wife to get her to press the yes button. I was like, “Okay, this isn't very good.” So that was my rookie mistake albeit two months ago. Now, I have a couple of YubiKeys as well.

[00:33:41] CS: Yeah. I would say one of my returning guests, one of my favorite people, Susan Morrow, talks about just how exciting and how knotty the digital identity space is right now. But that's one where, like you said, like with cryptography, like this is being sort of decided by like 15 people in a room, it seems like, and maybe isn't the thing you want to necessarily jump into first. But like working out the applications and the ways to sort of make it adoptable on a mass scale, it might be better than something overly like, “Well, I'm going to solve digital identity,” or something like that.

[00:34:21] SJ: Yeah, yeah. Don't boil the ocean, I guess. I mean, once you start getting into this space, I think it's trying to simplify it for developers and so on. Perhaps that sounds a bit naive, but part of the problem with security is it's just really, really complicated. That's what puts people off. Like they'll go – This is the problem with supply chain security, which is I know we're not really talking about that. But that's like the other area that I do a lot with, and everyone goes, “Oh, God. That looks really hard, and I don’t really – I'll park that until next year or whatever.”

[00:34:59] CS: Yeah. I mean, we could do another whole hour on that. But, yeah, I think I really do try to speak to people who are just trying to dip their toe into security and learn about this for the first time. I think there is that sort of overwhelm of like there are some route things you can learn, like learn how to set up a network, learn how to secure that network, learn how every single thing in the computer works. Then from there, you can sort of add the specialties. But like beyond that, it's hard to even sort of conceive of the 47 different job roles that sort of make up the entire ecosystem and which of those is the path to where you want to get to eventually.

[00:35:44] SJ: I guess, I mean, as I said, I didn't start off in security, and I've moved around doing quite a few different roles. So I think you need to stay curious all the time. You need to be constantly learning, which probably sounds really cheesy. But I think in IT, more than any other industry, if you want to continue to progress and have an interesting career, I think you've almost got to kind of reinvent yourself like every five years. There are so many technologies, which I adopted with enthusiasm. Then probably five years later, it was like, “Okay, it's time to move on to the next one.”

[00:36:24] CS: Yeah, no one’s doing that right now. Yeah. Right, right. Yeah.

[00:36:26] SJ: Absolutely. It could well be that Kubernetes in maybe three or four years’ time for me is like, “I'm done with Kubernetes now. I need to move on to whatever the next kind of technology is.” So I think being curious, staying current is really essential. Then the last one and again is ask questions. Go on to open source, kind of Slack boards, or forums, and ask questions. Be humble but ask questions.

People, I think, are super willing to accommodate people. I’m on a bunch of security-related sort of open source Slack forums. Without a doubt, the people are very keen to kind of help newbies come in. So that’s something that –

[00:37:19] CS: We had a past guest. I'll just sort of button that with this or add it to it that people in cybersecurity are very happy to offer assistance, but they also want to get some sense that you've done some of the work yourself. They're happy to care. If you come in and say, “I don't even know what this is. What is it? How do I start,” you're going to get a lot less support than if you say, “Well, I've tried this, this, and this. I've hit a brick wall.” They say, “Aha, perfect. I can work with that.” They’re not going to cut your steak for you like –

[00:37:48] SJ: Absolutely. Yeah. I totally agree. It's very –

[00:37:53] CS: I think, yeah, that's where you come in sort of humble as well. I think there's a lot of benefit to that. So all right, well, as we wrap up today, tell us more about, and I apologize for mispronouncing Venafi, the type of services you provide your clients. Are there any sort of projects or things your company is excited about in 2023?

[00:38:13] SJ: Oh, yes. Venafi basically provides what we consider to be the leading kind of machine identity product. So essentially, with machine identity, you've got an enormous number of certificates that you need to produce, you need to manage, you need to expire, rotate. So Venafi provides a whole suite of products around doing just that for enterprises, as well as that we have like a code signing product as well. It’s like there's an on-prem version of it, and there's also a SaaS product as well, which fits into that space, which is kind of modularized.

I think I said at the beginning of this discussion, Jetstack created this tool called cert-manager, which is basically the de facto certificate management tool for Kubernetes, an open source tool. So we donated that to the CNCF, but there's an enterprise version of it, which fits into Venafi’s kind of product portfolio. So that's what Venafi as a whole focuses on. They've also got this consulting division, which is basically Jetstack. So we provide general cloud native and Kubernetes consulting.

Obviously, we talk to clients a lot about machine identity, but it's much broader than that. It's a sort of a lot about, well, how do you get most out of Kubernetes and how do you deal with software supply chain security. That’s kind of in a nutshell what we get up to.

[00:40:04] CS: That's great. We’ve got one last question here, very important. If listeners want to know more about Steve Judd or Venafi, where can they go online?

[00:40:12] SJ: Well, there's venafi.com. Jetstack.io would be the website. To get ahold of me, I'm on LinkedIn, and also you can email me, steve.judd@jetstack.io.

[00:40:26] CS: Great.

[00:40:27] SJ: That’s – Yeah, definitely.

[00:40:28] CS: Yeah. We have people who definitely write our guests. So check your inbox. It might be very soon. Well, Steve, thank you for joining me today and breaking down all of these different important security developments. This was so much fun.

[00:40:42] SJ: No, I enjoyed it. Really good to talk to you. Thank you.

[00:40:45] CS: And as always, I'd like to thank you all for listening to and watching the Cyber Work podcast on an unprecedented scale. So it's end of December here, and we would like to thank you for an amazing 2022. I think we nearly tripled our numbers in terms of use, listen times, and subscriptions, and couldn't do without you.

Before I go into, I just want to let you know to go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. One more time, go to infosecinstitute.com/free or click the link in the description below to get your free training plans, plus many more free resources for Cyber Work listeners.

Thank you once again to Steve Judd and Venafi, and thank you all so much for watching and listening. We will see you next week. Take care now.
