Reasonably Accurate Transcript
Good morning everybody. You kind of can't see me. There we go. How's that? All right. So I'm coming to you live again from Miami, which is why I'm on early. Um because again, we got tons of stuff going on. I'm at the Trend Micro Directions event.
This is an internal event where we bring about 1000 customers and partners together with a whole bunch of Trend Micro employees to talk about the issues or about 1000 people overall. Um to talk about what's going on, not just with like Trend Micro and where we're going, but with the customers and that's what I wanted to talk to you about today is that, you know, companies like AWS making a fantastic example of how strong listening to customers and letting customers direct your road map and sort of where you're going, how strong that play can be.
I mean, you don't get 20 billion a year in revenue if that's not a strong way of conducting business. And a lot of companies profess that, that they listen to customers, they are customer driven and that is absolutely true. Don't get me wrong.
And of course, you know, Trend Micro is no different. What I wanted to talk about though, was that how, while that's an external facing company philosophy for the vast majority of companies, and it's just a question of execution. Um how poorly infosec teams adhere to that principle internally.
So make no mistake. You are a service provider within your company, you need to be educators, but you know, you have what are essentially customers, which is the rest of your organization. So as a security team, working with the business units, you know, it's better to be partners, but realistically they're customers and partners and you need that type of relationship.
But what always shocks me is when I work with CSOs and CEOs and CEOs around the world, how few security teams are actually out there listening to their customers, to the business units, to other people within their organization and trying to figure out what they want and what they need.
And the best way to do that is just by listening, going to a business unit and understanding what they're trying to do. The normal reaction for security teams is this sort of default. No, you can't do that. That's not possible. There we go.
Get some color back in there. That's not possible. You can't be doing what you want to do. That's ridiculous. It's a massive security risk. That's a security threat. We can't pull that off. It's that, no, no, no, no, no, that's not the way to go about it.
It's not if you were so take yourselves out of the security aspect and go and say, you know, you're running a lemonade stand and you're trying to, you know, customer comes up and goes, yeah, I'd like a lemonade with no ice. You're like, no, can't do that.
They go, well, the next customer comes up and goes, well, I'd like just half a glass of lemonade. I'll pay the full price. That's fine. I just want half a glass. No, can't do that. If all you're doing is no, you're not going to have customers.
Those customers are going to walk away, they're going to do something else. And this is exactly the scenario. We've seen time and time again within organizations where the info security team isn't listening, they're not using their ears, they're not talking to the customers, they're not understanding and listening to the customers about what they need to do going into the business unit and saying, hey, what are you trying to accomplish?
What's your outcome? What's the desired outcome here? What's the goal that you're shooting for as opposed to just jumping on what they're suggesting out of the gate saying, hey, I want to stand up a web server and put a bunch of private information on there.
They go, no, you can't do that. That's impossible. The proper thing to do is ask a question, open them up and say, hey, why are you, why are you trying to do that? Why is that your goal? Why are you trying to put that information on that website?
They say, well, we need customers to be able to access their records. Ok. Well, let's put some authentication in place. Let's put some mitigating controls. Let's reduce that risk. Let's help you achieve your outcome. So it's amazing that there's sort of this breakdown where companies are professing to listen to the customers externally and they do and they drive their external road maps, but internally they don't absorb that and say, wait a minute, I'm a service provider within my company as infosec security.
I need to be listening to customers. I need to be engaging with them. I need to be talking to the business units working with them all the time in order to help them hit their desired outcomes because their desired outcomes are my desired outcomes.
Security is not done in a vacuum. Nobody stands up a company and says, oh, what do you do? Well, we just do internal security for who or for ourselves. Security is there to drive the business. It's to help the business go faster, is to help them to do stuff they never thought possible before and obviously helping reduce that risk in the process.
Not by, if you don't listen to your customers. If you don't listen to the rest of the business, you're never ever going to get there. So I gotta roll because I'm here to help listen to my customers, to my organizations, to other people within the security community, to see what's going on to help sort of synthesize that and see what's needed, not just from Trend Micro's products and solutions, but for my research wings for publishing educational content, for getting stuff out there because listening is absolutely key.
You need to do it with your customers outside of the organization, infosec security teams need to absorb that and listen a lot within their organizations. I hope you guys have a great day. I will talk to you on Friday because I'm off tomorrow in transit.
Flying back home. Have a good one. We'll talk to you soon.