Webinar Replay: How Financial Services Firms Can Get Ahead of Today’s Threats

Security Without Borders: How Financial Services Firms Can Get Ahead of Today’s Threats

This session dives into the growing gap between how modern firms operate & how most security models are designed to protect them. You’ll learn:

  • Why perimeter-based security no longer fits distributed firms
  • How modern attacks exploit identity, cloud apps, & remote access
  • What SASE is & practical first steps to modernize security

VIDEO TRANSCRIPT

Kaleigh Alessandro (KA): Good morning, everyone, and welcome. My name is Kaleigh Alessandro. I’m the VP of Marketing here at Omega Systems, and I will be your host and moderator for today’s webinar. On behalf of Omega Systems and our partners at Todyl, thank you very much for taking the time to be with us.

We have a really timely and important conversation lined up for you today. The topic is security without borders. And if you work in financial services in particular, there’s a really good chance this is going to hit close to home.

Your advisors are distributed today, your platforms are in the cloud, your customers expect you to be accessible anywhere at any time, and regulators expect you to have all of that locked down. So, the question then becomes, does your security model actually reflect the way your firm works today? And that’s what we’re going to spend some time unpacking today. If you are new to Omega Systems or you’re not familiar with us, I’ll give a quick introduction.

We are a managed IT and cybersecurity services provider focused exclusively on serving highly regulated industries that includes financial services, healthcare, and other regulated sectors where the stakes around security compliance and operational continuity are exceptionally high.

We work with RIAs, wealth management firms, family offices, and other financial services organizations to help them achieve stronger security, smoother operations, and more defensible compliance postures.

Todyl, who we are excited to have here today, is one of our strategic technology partners and a leader in cloud native SASE solutions. Together we developed what we believe is a genuinely practical path forward for firms like the ones who are listening in today. So, without further ado, I’m excited to introduce the two practitioners who live and breathe security every single day and are joining me here for this conversation today. First, I’d like to welcome Andrew Scott, field CISO at Todyl.

Andrew works directly with organizations navigating the evolving threat landscape and has a deep understanding of where today’s security models are falling short. So, Andrew, I’d love for you to tell us a little bit more about yourself and your background and give yourself a little intro here.

Andrew Scott (AS): Yeah, and I appreciate it, Kaleigh. Thank you for having me on. Great to be doing this together. Yeah, so I’m Andrew Scott, Todyl’s Field CISO. And a lot of my background and focus for the last decade is either building, leading, guiding, or advising on how do we build security programs in a scalable way, but really that match the evolving, not just threat landscape, but I think the way the businesses are operating, especially coming out of COVID, right? Kind of, you know, that if we work from home, we just talked about this a little bit, but also regulation.

Right. Kind of the increasing of tightening belts. It’s a challenge, but it doesn’t have to be scary or complex. I think that’s what I’m excited to unpack a little bit today. That’s kind of my role is how do I work with we work with Omega, right? Many other organizations, right? Kind of, you know, financial services orgs. They’re here maybe on the line. How do we help navigate this together? So really happy to share some of our perspectives, what we’re seeing and some kind of options and strategies there to support that.

KA: Awesome, excited to have you here. And joining us from Omega Systems is my colleague, Rick Mutzel, our Manager of Technology. Rick works directly with our highly regulated customers to design, implement, and manage their security programs. He’s been doing that for many, many years now, bringing a security and compliance perspective to everything that we’re going to talk about today. Rick, do you want to tell us a little bit about your background and what you’re here to talk about?

Rick Mutzel (RM): Sure. So, I’ve been with Omega Systems roughly 13 years now. So got to see us kind of progress and look through the security as that’s been changing and the technology needed to actually facilitate proper security programs for both ourselves and our clients. My kind of day-to-day responsibility is making sure that we have the right tools, applications and products in place for internal and for product delivery for our customers.

KA: All right, well, here’s a quick look at what we’re going to cover today. We’ll start by kind of grounding everyone in the current threat landscape. What’s actually happening out there and why it matters. And yes, we’ve built this session about the financial services industry, but many of the threats and perspectives we’re going to talk about today are just as applicable to healthcare organizations, law firms, and other industries as well. So, if you’re not a financial firm, I hope you’ll stick around anyway.

We’ll also talk a little bit about compliance because the regulatory bar is rising and a lot of firms are not positioned where they may think they are. From there we’ll get into what modern security actually looks like today, including what exactly we’re talking about when we use the term SASE, why it’s gaining so much ground in the industry and time permitting, we’ll close with some Q&A, so feel free to drop questions in the live chat whenever you get a chance to and we’ll get to as many as we can at the end.

Without further ado, let’s get into it and talk about what’s really going on out there today. I threw some recent stats up here on this first slide from a market survey that Omega Systems conducted in late 2025. But more broadly, I wanted to hear from both of you kind of where do you see firms exposed today and what should financial services firms in particular understand about how they’re being targeted? Rick, maybe I’ll start with you.

RM: Sure, so I think the threat landscape has shifted post COVID. The business models have changed from trying to secure the four walls in an office and putting protections kind of at the barrier with firewall and IPS and IDS. And you’re kind of really only thinking about a very finite subset of controls that you need to implement around a known area. COVID hit, people no longer are in the office anymore, and so the actual scope of what you need to protect has expanded greatly to the point where you may not know where or when people are working anymore. You know, all those models have kind of flipped themselves around, and so having the ability to see and protect anything anywhere is kind of the world we live in now.

Threat actors have evolved in knowing this. The traditional just pounding against the wall of known IP addresses where businesses reside is no longer the case. It could be a workstation. It could be a phone. Those things have really shifted and trying to keep up with that is what we obviously are trying to do with things like SASE, giving the ability to protect endpoints wherever they are connected to whatever source of connectivity that they have, sitting in Starbucks, sitting on your Wi-Fi at home, IoT devices residing on those networks, right? Those are all things that keep me up at night from a security perspective. And that’s really what we’re looking at from a risk perspective. The other side of the fence is, now that the four walls are gone, a known source to protect or where a company resides has shifted.

What threat actors are actively going after these days is almost 90% identity. And your identity is what is the easy exposure point. People have transitioned from on-premise to the cloud. And so the cloud is the attack surface and your identity, your username, your password, your email, those things are what threat actors are routinely trying to compromise now. Not saying there isn’t still the traditional brute force attacks and things like that, but any source of identity is really where we’re seeing most of the exposure and the attacks actually occurring.

KA: Andrew, are you seeing or hearing anything different out there?

AS: No, I mean, I’m just going to double down on what Rick mentioned and even compound more, right? Everything is about the identity. Like we like to say, adversaries are logging in, they’re not hacking in. And I think, you know, Rick, you mentioned kind of devices and people using the cloud. I mean, I’ll take it one step further. I think it’s really also about the data, right? Why are organizations targeted, especially in financial services? Because you have a lot of data or regulated industries, right? You have a lot of information that’s very valuable to you, but also threat actors and cyber criminals increasingly are aware that that is a great pressure point, to be able to log in, to steal data, and then to extort and pressure an organization. Especially with cloud, SaaS adoption, a lot of that.

It’s what data do we have living out there? And adversaries are simply, as Rick said, stealing those usernames and passwords and increasingly even MFA tokens and finding a way to bypass that. So, they’re adapting and evolving too. Really the threats are about kind of identity-based attacks, targeting the cloud, or where maybe if orgs are lagging behind, as you mentioned Rick, on that kind of four walls and kind of that big beefy firewall or VPN. It still be around and still serves a purpose, but they’re trying to find ways to punch through that as well. It’s really about how do we understand what threat actors are targeting right now?

And then kind of those avenues there around using identity, kind of trying to punch holes in that and quickly gain access to that data that they are going to steal and then extort from. That is what we see overwhelmingly time and time again, right? Whether that’s through, you know, first steps towards a ransomware attack or, you know, data theft, extortion or other things like that for fraud.

KA: Is there anything different about an identity or credential-based attack today than say five or 10 years ago? Because they’re not new necessarily on the surface, but I would imagine the volume, the frequency and how attackers are going about it has probably evolved a little bit in the last few years.

AS: 100%. I think identities are more available now than ever. On the dark web, there’s various groups and cyber criminals that focus specifically on just acquiring identities and reselling those to other groups to utilize, for often maybe the price of a coffee. I think also the use, I mentioned cloud, where we increasingly see that they’re finding ways of using phishing or advanced techniques, whether it’s AI that’s enabling this to get those credentials or even those MFA tokens, or registering malicious devices with applications.

They’re evolving as well, and this is becoming more prevalent. I think that the availability of compromised credentials and so forth is definitely out there where it’s lowering that barrier to entry, but also the techniques in adapting how organizations are using the cloud is evolving too and becoming a lot more prevalent. And that’s things that we really need to be planning for.

KA: Rick, anything you’d add to that?

RM: The dark web or wherever the information is coming from is a large marketplace. And it is. It is a true business model that threat actors are using. They’re not doing it for free. They’re doing it for profit. And so, as we kind of see automations and the adoption of large language models and AI processing, they’re increasingly able to make more revenue on their end by even scrubbing the data. The traditional, I’ll kind of say brute force attacks, throwing spaghetti at the wall is less relevant anymore because modern security solutions are looking for those things, right? And we have controls in place. If there are X amount of failed logins occur in X amount of period of time, then block this IP address or lock the user account out because there’s something suspicious going on. We’re seeing less and less of that. Not to say it isn’t still occurring, but the validation of the threat actors that are selling true validated login credentials is dramatically increasing. And so, we’re not really seeing that on the security side of this is, you know, the 50th attempt or the 150th attempt before they actually logged in from a dictionary attack or a list of just known third party sources for this user that also have the same email address. We’re seeing first login attempts actually successful because these are already validated by a third party source months and months ago and then resold and now it’s being used for a malicious purpose.

KA: It’s interesting, we’ll say. How far the technology has evolved in making these attacks so prevalent. The other thing that’s evolved, there’s my segue, is the compliance landscape and how expectations are rising, notably for financial services firms, but other regulated industries like healthcare as well.

How are you guys seeing those expectations evolve? What does it mean for a firm that’s trying to keep up? How do they keep a pulse on what’s changing and what’s needed from a security perspective?

AS: I’ll start with this. Exactly as we put right here at the top, regulators want proof. And I’ll say even beyond regulators, we’re now seeing more focus and stridency from cyber insurers, from upstream or business partners, third party risk, really taking into account that people are increasingly aware of the threats or just they’re seeing and observing the impact on peers or other industry organizations. And so that’s driving a lot of where it’s moving from threats prevented to controls proven. Really, you need to have this document. And we see that with the SEC regs and kind of the push here that you need to have this documented. You need to have proof that you’ve got these controls in place and that you haven’t just written a document, but that you’re actually living it and doing it. And that is the kind of added pressure now that regulators are holding there too.

Insurers are also not willing to foot the bill for lax security controls. They’re expecting increasing levels of posture capability and that proof there that you are doing the right thing. And I think it’s especially important when we look at financial services or HIPAA, right? That’s also kind of being reviewed? It’s the importance of the data and the functions that these organizations, these verticals support and serve.

That’s increasingly driving regulators to start to take this, I think, a lot more seriously and to raise that bar. And I think that’s a good thing right now, just based upon the nature of threats we’re seeing and the impact of day-to-day organizations and people and the exposure to information.

KA: Absolutely. Rick, you spent a lot of years working with customers on improving their compliance postures. What are maybe the most common gaps you found between what firms think they are doing and what is actually in place?

RM: Yeah, I think the most common or I guess most relevant to a lot of the changes that we’re seeing in the regulatory space is the kind of the term continuous or routine, right? A lot of the verbiage between the actual controls change, but the actual meaning is the same where it’s not just a one time or once a year engagement, especially as it comes down to like vulnerability management, logging, retention, those kinds of things where before it was, hey, we do this once a year. Well, that’s great. And it’s a great exercise to go through, but that’s a point in time. Nothing ever changes throughout the year in your environment? You know, new computers aren’t added? Software isn’t updated? You know, those kinds of things are generally not accounted for if you’re only doing it once a year. And the regulatory bodies have recognized this.

To the chagrin of most of the businesses that are trying to implement something to meet these controls, but trying to get out ahead of that in that you have to be doing something on a routine or scheduled basis. It can’t just be once a year. The tooling, the applications, the actual structure of your business is changing, and it’s changing more than just once a year, and we do need to have evidence and policy and a procedure to keep up with that. Even saying that, and the biggest challenge is vulnerability management, is a lot of the pieces that are coming out now. Once you are routinely doing something to scan for vulnerabilities, that’s great. But that is only half of the piece to that puzzle. So now I have a giant list of vulnerabilities. Now I have to do something with that.

Now I’ve got an 800 page document with all these red lights and yellow lights and like what do I actually do with all of this information? So, aligning that with a procedure and times and dates and execution parameters around what to actually do once you have found those vulnerabilities. It’s a lot and it’s a lot to keep up with, especially if you’re a larger organization. You could have hundreds of thousands of endpoints that you need to have a remediation plan in place for. It could be millions of vulnerabilities that you have to account for. It’s going to be a real struggle until you kind of have that process nailed down on the timing, the frequency of remediation, and aligning your policies and procedures so that it’s actually practical to enforce that policy with a procedure.

 

KA: Yeah, that’s a really good point. We’re going to talk about the basics of SASE next, but while we’re still on the topic of compliance, curious if or how either of you are seeing the concept of secure remote access and network security evolving, specifically through regulatory and industry expectations.

Are we seeing specific questions about those on cyber liability applications or on due diligence questionnaires? Personally, I see a lot of RFPs cross my desk. I’m certainly seeing it. I’m curious if either of you have a perspective on the depth of those questions and how they’re changing.

AS: Definitely. I’ll touch on that. You mentioned RFPs or requirements from regulators. I’m going to hit on cyber insurance because I think it’s sort of the de facto regulator that we’re seeing compound. The use of remote or hybrid work and kind of also people traveling and moving wherever, and that move to the cloud means that we can access these key platforms or technologies and resources that and applications that we need to that businesses are really trying to administrate and manage. For instance, training platforms or investment management platforms, or even just a portal to access these other systems.

If we are not securing that from if people working from home or on the road or at a client site or what have you, that is an exposure point, right? So, it’s really getting at the heart of how regulation is adapting to new use of technology and then requiring that those kind of the access to that key information is now tightened up and controlled. We are seeing a lot of that too, right? Those pressures of financial services orgs and others, insurance regulators really being expected to ensure only the right people are gaining access to that information and those systems and applications. And that’s not even financial services. We see that with like healthcare and HIPAA and a lot of the proposed regulations there too of tightening up the belts there.

I think that, yeah, definitely we’re seeing that shift towards remote and hybrid work that has stuck around since we all went home several years ago. And I think that the way that that’s interacting with key critical data that regulators are trying to manage and protect and adapting there as well. I would definitely agree we’re seeing that shift in trend in the market.

RM: I definitely see some very, very specific questions even to us, right? So, yesterday I was assisting with vendor DDQ questionnaires from our customers to us, right? And so, I’m seeing what’s being asked of us alongside what our customers are seeing asked of them.

There’s very specific questions for remote access, even detailing do you allow VPN? So, it’s specifically citing VPN, but then follow up questions of very detailed configurations. Are you allowing full tunnel mode? Are you doing split tunneling, or what devices are allowed to connect to the VPN? And so, like our recommendation to our clients is always like if you don’t need a VPN, why open that door to your environment? I mean, just going back to our previous conversation. That’s the identity; that is the front door to your system. Identity is used to authenticate that and so putting as many security controls around that as possible is definitely something that we’re always recommending, not just MFA. MFA is the table stakes on authentication anymore. It’s MFA on everything. We’ve been saying that for years, right? And so threat actors know that and they’re looking to bypass that. The next evolution to that is zero trust and enforcing trusted devices.

I know it may be a barrier or friction for users, but using your own personal device from your house to access our VPN should not be allowed. You have no assertion of that device. Like, are they running your acceptable antivirus program? Is it already infected? You know, like those kinds of things. What network are they connected to that a third party can connect into that machine to connect back over the VPN?

Again, these are all things that I kind of run down when we’re having discussions with clients, but specifically the regulations and the insurance companies have caught up to this because they’ve seen it over and over and over again on the insurance side. They don’t want to pay for that exposure because you had lax security controls.

They’re now enforcing this on the front end when they’re doing your security policy reviews, when vendor DDQs are being accomplished for you and your clients. Those questions are being asked. Maybe you don’t do business with a client if they don’t have those security controls in place because it’s a liability for you that you are assuming that risk on behalf of a third party.

KA: Absolutely. All right, well, this is a perfect segue. I’m going to jump ahead because we kind of covered some of these things, but I want to transition now to what we believe is the right modern architecture to protect all of us in this remote first environment. Andrew, let me start with you. Can you explain SASE to our non-technical folks here and talk a little bit about how Todyl’s platform delivers the modern security approach we’re looking for in a way that’s not only secure and effective, but manageable for even small and mid-sized financial services firms.

AS: Yeah, absolutely. Looking back at a couple of things we talked about, one being identity. The way that it’s accessing certain things. I think the way that businesses are operating right now, whether it’s the cloud, whether it’s from devices where they’re working from home on the road and the office and kind of just the different model that businesses are now operating within, and the key critical functions that technology or systems or data that is really important to that mission’s function. That’s the new world that organizations really are now confronting. SASE stands for Secure Access Service Edge. But what’s really kind of key about this is how we meet users where they are.

It’s based upon the device. It’s based upon the identity, multiple points of verification and enforcement versus what Rick mentioned. If I get access into the traditional firewall, perimeter firewall, and network, then there’s really no control over where else I can go.

SASE is the evolution of adapting to not only the threats, but also increasing use of the cloud, devices, identity. It makes it very scalable. What Todyl does is really it’s an agent-based approach instead of the physical infrastructure and hardware that many orgs will struggle to implement or maybe see as, you know, kind of cumbersome in that we meet those users where they are. Providing that control of do I know not just this user, but this device, this location, etc. And then what are they actually allowed access to, whether that’s in the cloud, even local systems that are also there so we can broker that connectivity to back office or in office resources, remote users, how that really allows organizations to kind of secure the way that they access systems and data, but also, kind of making it manageable and scalable.

So I think it’s really just the adaptation to how businesses are now operating within the cloud, user identities, etc., and helping them meet those business needs and drivers without adding additional complexity or a lot of overhead and challenges there, and just simply re-architecting for that. This really helps streamline that.

KA: Awesome. Rick, from Omega’s standpoint, what, can you talk about what a managed SASE deployment looks like for a customer and walk us through what that experience is like, what the firm should expect?

RM: Sure, so kind of the holy grail of remote access is SASE. And so, the struggle of people, what do I have to connect to to get access to this service? And what do I have to connect to to get over here? And oh, that’s on a file server that’s still in the ops. Now I need to connect to the VPN.

All that kind of goes away.

The whole premise of SASE is what we were talking about before. Based on identity and access rules and devices, we can make an assertion before the actual connection happens. And because we’re able to do that, you can be always connected because that posture of the person, the endpoint, and where they’re coming from, from a source location, are all telemetry elements that can be used in that assertion.

It’s always on. There’s no more struggle of needing to connect to the VPN now to access this application or I mean, like Kaleigh, when we push this out to you, when we were doing a proof of concept, it was like that epiphany of, I’m now so much more efficient. Right?

KA: It was like a light bulb. Yes, I raved about it internally for months and months and months while no one else had it. I was thrilled to be one of the guinea pigs early.

RM: Yes!

So, like it doesn’t really matter where you are or what you’re connected to because the agent as Andrew was talking about is making that assertion and your data is being encrypted. It’s smart, it’s aware, it knows how to route everything, so there’s no more like connecting to different things or I need to disconnect from this VPN and I need to connect over here, right? That all goes away and so we can incorporate into existing infrastructure.

So, if you have offices, we can build the tunnels. We can route all that traffic. We can do zero trust network access so this machine can get to this machine or this machine can’t get to this machine or these set of resources because we know like your identity, your username, what groups you’re in, what location you’re coming from.

So we can intelligently route and give access to resources internally and in the cloud based on those assertions. What that also gives you the ability to do is close all those doors that were traditionally open. If you have a firewall that you’re currently connecting to with a VPN, that’s an exposure point. That VPN endpoint has to be open. You can put some policies and some restrictions on it, but it’s still a door into your environment. With SASE, that goes away. There is no more door because that tunnel is already specified into points of presence within the ecosystem of Todyl. We already know what that is. We know what the source IP address is. We know we can lock all of that down. And so traditional SSL VPNs go away. That also eliminates the risk of having that actually exposed to the internet.

Same concepts now move up into the cloud channel. Instead of the entire world or certain geographic areas being able to log into, we’ll say, your 365 account, that goes away. And so only access to that comes from that point of presence. You’ve already identified yourself, you’ve done your MFA, you’ve done all your zero point access controls. With Todyl at the agent side before connecting, now we’re only allowing access from that very finite environment into your cloud resources. That also eliminates another huge exposure point in your cloud services.

All your remote sites, you have multiple sites, all of that gets connected into the Todyl points of presence. And now you’re in a closed ecosystem versus having to have all of that exposed and connect that manually. It’s kind of like magic for end users. The actual implementation of it for end users is just, hey, it’s always on, I’m always connected, I can always get to the stuff I need to. The threat actors can’t get to anything because they’re not able to actually get into the infrastructure and into the ecosystem. So, the easy button, the magic happens on the backend and is transparent to the users.

KA: Andrew, anything else from your perspective in terms of the immediate value a firm could see whether maybe they’re just starting up and this is their first choice solution or they’re a legacy traditional network firewall infrastructure that maybe is considering moving to this type of architecture?

AS: Yeah, definitely. I mean, I’ll look at it from two different lenses. I’ll go back to the first slide we did with the threat landscape, right? So, orgs, you know, where we mentioned the stolen credentials, the MFA bypass, etc. I like to say that if you’re truly adopting it in an easy, scalable way, also, like as Rick was outlining, where it could be easily implemented and applied, the only way, let’s say, for instance, that a threat actor can actually, even if my credentials or even MFA tokens or other things are stolen, the only way that that user, that threat actor, is getting access to certain resources is if they’re sitting right next to me because my device is tied to that. It reduces a lot of that risk of where we see attacks even starting from.

A lot of the ways that attacks are beginning, this is mitigating. I think the other part that’s really important, Kaleigh, you mentioned that it’s sort of seamless and great, is the user experience. Being able to work more confidently, less clunkiness and flow in the way that you can become more productive and have that confidence. I remember when I joined Todyl and started using it, it was a little uncomfortable. I was like, wait, I can actually work in an airport on the Wi-Fi and be OK with this? As a security practitioner, it’s kind of a no-no, but it very much is.

I think that’s where that confidence and trust and being able to be productive, to work, to focus on really what businesses need to achieve versus the clunkiness of kind of preventing people from doing things because of security risks. That’s where this also opens up a lot of opportunity to quickly start to support that. I think the user productivity and experience is also a very important consideration for businesses. But also can’t deny the threat landscape, you know, risk reduction, as Rick is mentioning. It buys a lot of that space and safety from where we see attacks starting from even beginning, it’s going to start to mitigate a lot of that out the gate.

KA: Absolutely. All right, let’s go ahead and take some questions. I have a few here and I encourage anyone who’s listening live right now, if you have a question for Rick or Andrew, go ahead and type that into the Q&A section of your webinar interface.

I guess the first question that I want to make sure we cover is, are there instances where maybe SASE doesn’t make sense? Are there certain types of architectures or complex environments where SASE would not be the appropriate choice?

AS: Sure. I mean, I can start with this and then let Rick chime in. Definitely where environments that are kind of more on prem or air gapped or heavily tightened. It can add a little bit of, you know, I think there’s a planning that needs to happen. Instead of just launching into it, it’s like, okay, what is the system and kind of control that needs to be put in place? I don’t think that there’s ever a pure situation where it doesn’t apply, unless you’re just not operating in the cloud, which I think is more and more rare for organizations. But I think for those orgs that are very much segmented, tightened up, maybe air gapped, it requires more of that planning.

That’s kind of one of the reasons we really are proud to partner with Omega on this is you guys have that really great approach of thinking through it, but it does require that. So I’d say it’s, I don’t want to say it’s not for everyone, but I think it requires some thought process depending on how far you want to go, especially if you’re going to get into that zero trust network access, where now we start walling people off from various resources or areas, and that can have an adverse impact to a business if you’re not fully on board with that.

Those are key considerations where orgs may want to really do some reflection or planning before embarking on a SASE journey, but I think the benefits are definitely there for any organization of various types.

KA: I think we all realize given the sophistication of the threat landscape today that it’s not exactly inexpensive to protect users and infrastructure and environment. So how does pricing for a SASE solution like Omega’s compare to a traditional firewall-based security model that some firms may be more used to?

RM: I can take that one. You can kind of flip that traditional model of buying hardware and licensing and maintaining that. It’s kind of moved to the as a service model, and so that’s very attractive as it scales as well. As businesses grow, you kind of have an I’m adding X amount of users. You kind of have a predictable cost there. Where we see a lot of friction, frustration or just lack of commitment is I bought a firewall. It needs to be maintained. It needs to be supported and I need to make sure the features are there.

It’s just like anything like you buy an Apple phone. It’s only got a certain time span before the vendor no longer provides updates for that. And when it’s no longer supported, guess what? Now you’re missing controls in your security posture where you no longer get updates. You need to replace. When that occurs, now you have a capital expenditure depending on if you have multiple sites, all those kinds of things, right? Those can get costly. And that’s a budget kind of CapEx that you can move to an OpEx kind of expenditure. With the SASE model where it’s per user, it’s software-based and that kind of worry of lift and shift, downtime for x period of time. If you’re a national kind of deployment, you know, going multiple states going cross country to lift and shift firewall replacements is usually a big burden. Moving that into SASE kind of removes that friction and also the expenditures thereof of replacing those every three to five years.

KA: Great. We talked a lot today about identity and access. I’m curious what the role of employee education plays in maintaining a security strategy like this, because to your point earlier, Rick, right? Feels like set it and forget it, but we want to make sure that employees aren’t taking that secure posture for granted and they’re still keeping their eyes and ears open, so to speak. For either of you, what are your thoughts on ensuring that the employee awareness and education strategy stays high in times like these?

AS: I’ll start and then definitely want Rick’s perspective on this. Employee education is important because it’s everyone’s job is not just only the security team to try to protect an entire org.

Awareness of the ways identity, compromise and various attacks begin with. Is this link real? Why is someone calling me asking for a support ticket to get access? Is this normal?

What do more advanced phishing emails and things look like? I think that’s really essential when I think about the identity, but I also think that the use and techniques of technologies today, like Todyl and what we’re partnering on together with Omega, is it buys the space back from employees being increasingly sort of, you know, there’s differences of the first line defense or the weakest link, depends on who you ask. But I think it also buys that space for users and businesses to focus on what they do. I think it’s an unfair situation to ask every, you know, all the accounting teams to really be security experts on these advanced threats when their job is to be doing market or financial analysis or really kind of pushing the business forward.

SASE buys that space as well. Doesn’t mean we’re set it forget it or take it for granted, but it allows people to focus more back on the work and work more confidently. Maintaining the awareness is still really important, but I think that use of different technology approaches actually reduces that burden on end users to have to be always vigilant and really be able to focus on what they do best and kind of keep an eye on for some more advanced things. It definitely supports business productivity there.

RM: 100% agree. The end user awareness and training is more relevant than ever. I think people get bogged down with it. Again, there’s a reason why this is included in every security framework there is known to man. Like, do you do security awareness training? So, the end users are who are actually clicking the buttons. Eventually when a compromise happens, the vast majority of the time it is an end user driven incident, right? They clicked on the link or they opened this file, those kinds of things. So educating people on not necessarily being a security practitioner, but at least having the ability to say this looks weird. Let me stop and ask somebody if I should actually be doing this. But again, those additional security technical controls in place, like Todyl with SASE, your EDR solutions, MDR solutions, those help buy the time, or at least leverage based on logging and alerting that somebody is made aware if an incident happens from an end user, that you can react to it quick enough and be able to mitigate that moving forward.

KA: Great. I’m going to ask for some final thoughts or key takeaways here as we wrap up. Maybe from each of you, what’s the one thing either most firms get wrong when they’re thinking about their security posture or what would you tell a leader in this audience to do differently starting tomorrow?

KA: Andrew, I’ll come to you first. Put you on the spot.

AS: I think assuming you’re too small to be targeted or that you don’t matter. We talked about obviously there’s an important aspect of the role of businesses and organizations value, but I think it’s also the way that, if we look at how AI is being used by threat actors and just increasing that scale and volume of attacks to where they’re going to be able to find the weakest link and the easiest doors, as Rick was saying, to open that exposes. I think really taking into account we’re not too small to be targeted or I don’t matter, but also what would a breach mean for us? What impact would that have if someone gained access to data or the speed of these things? More of that risk management as we talked about and really asking some of those basic questions of what happens during downtime or a breach or loss of data and are we okay with that or are we not? Letting that also guide how you really then approach do you secure your organization? Those steps are critical to both do to start out with, but also not to skip. And really starting to maintain that awareness. And then what that means for your organization, that’s a great place to start. And that can really drive that strategy and what you need to be successful with.

KA: Great. Rick, any final thoughts or words of advice?

RM: I get asked a lot of times from all of our customer base, like what do I do? What’s the first thing I should do? What’s the second thing I should do? And it’s hard to give a catch-all answer. I often try to equate it to similar to what Andrew was saying, like what is the risk appetite? And that appetite for how much risk you’re willing to accept is going to drive the amount of money that you will spend on your security stack. A smaller business, you know, we know we have to check XYZ boxes for compliance reasons, but can we extend that further? And that’s going to go again back to like what happens to my business if there is a breach or if all of my customer’s information is breached and what is my liability, what will that do to my business? And that’s really the key points that you can take to the executive, to the board level, to the C-suite to help fund your security programs and realign what the actual risk acceptance is for your company.

KA: Great points. To kind of wrap up, I’d be remiss if I didn’t leave us with some parting thoughts. I think what really today really drives home is that the security most firms have wasn’t necessarily built for the way they’re actually operating today.

With distributed teams, cloud-based almost everything, people logging in from anywhere, and a lot of organizations potentially still relying on protections that assumed everyone was kind of sitting inside the same four walls. The good news, of course, as we’ve established is that Omega and Todyl have powered a solution that’s designed to solve just this problem. We’ll definitely follow up with some SASE-specific details for anybody listening in today who wants to learn more.

I think we left folks hopefully with some good thoughts to think about in terms of their risk appetite, what’s happening in the landscape, how compliance expectations are evolving, and really how that security model is shifting rapidly to help protect users and their environments.

Before I let everybody go, I want to thank everybody for listening in and remind them that they will get a follow-up email with links to the session replay from today as well as some helpful SASE resources, all of which are also available at omegasystemscorp.com.

Thank you to my colleague Rick for joining me for another webinar. We’ve done quite a few together at this stage. And huge thank you to you, Andrew Scott, and the team at Todyl for partnering with us today and in general. Again, I want to thank everybody for joining and we hope to see you all again soon.

AS: Thanks, Kaleigh.

RM: Thank you.
