Click for Full Transcript

Prologue 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:21

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified informational privacy professional providing practical privacy advice to overwhelms companies.

Justin Daniels 0:38

Alright, Justin Daniels here, I am a technology attorney who is passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 0:57

And this episode is brought to you by that one this time, Red Clover Advisors, we help companies to comply with data privacy laws, and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SAS, ecommerce, media agencies, and professional in financial services. In short, we use data privacy to transform the way companies do business together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit

Justin Daniels 1:36

And today, what is this gonna mark the end of our kitchen renovation?

Jodi Daniels 1:41

Almost almost a really big important one, we’re going to get a counter. This is very exciting. But then there’s, there’s like a decorative element that that comes, we need a new light. I’ll let you

Justin Daniels 1:51

handle that. But I’m just curious. We have a contractor coming today. And how will you know when you answered the door that that person is the contractor,

Jodi Daniels 2:00

they have a really big counter with.

Justin Daniels 2:03

So they’ll have something that they’re using to indicate to you that this person must be the contractor and isn’t impersonating the contractor.

Jodi Daniels 2:11

I think you’re giving a hint for what we’re going to be talking about today.

Justin Daniels 2:14

Exactly. We’re going to be talking a little bit about identity access management for

Jodi Daniels 2:20

the cloud. Well, since you’re so excited, I think you should introduce our special guest

Justin Daniels 2:26

Art Poghosyan is a serial entrepreneur with 20 plus years of cybersecurity experience. His entrepreneurial journey started with advancing a leading identity management consulting and solutions implementation company, where he led the company’s exponential growth and eventual acquisition by Optiv Security in 2016. Now, as founder of Britive, they are solving clouds most challenging security problem, privileged access security, prior to his foray into entrepreneurship, Art’s security career began as a consultant with a big four firm where he spent eight years working with global enterprises across various industries. Welcome Art.

Art Poghosyan 3:08

Thank you. Thank you. Glad to be here.

Jodi Daniels 3:10

Well, we’re so excited to talk to you today. And we always like to get started to understand how people got to where they are today. So you have founded a new company, we learned a little bit about how you started at a big four firm, but help us fill in the gaps. Sounds good?

Art Poghosyan 3:29

Yeah. So we spent about 20 years in InfoSec. And first half of that was with them, big four firms, and Ernst & Young was the main one in I was a consultant information security consultant working with major enterprise accounts, across industry verticals. And second half was the beginning of my entrepreneurial journey journey in as you mentioned, the advanced of was the first company business that I found it. So little story there when I was starting my first business in 2009. We’re right in the middle of one for you remember that one of the largest economic financial crisis that this country has ever seen. So it was kind of interesting time to do that sort of business. But I kind of took a contrarian bet that the security consulting services were primed for disruption and specifically identity and access management. This was because at the time the market was primarily dominated by the Big Four players for these services, which you know, the the cost and the price tag is was very high very expensive, but customers were also increasingly getting dissatisfied with the outcomes. So, that is the kind of problem and I I decided to take on the you know, boutique approach to expert i consulting services. And that’s what advanced advanced did. So the business did really well. We grew for about six, almost six years actually, before optive acquired us. And after that, I started the Britive journey, which is a cloud, cloud privileged access and identity management solution.

Jodi Daniels 5:20

Well, I as an entrepreneur, myself, I always relish hearing different entrepreneur journey journeys, and a lot of people will say that it’s a when there’s a downturn is actually still a great time to build something and and you took advantage of that. So kudos to you. Thank you, especially with cybersecurity where there is no downturn, then bad people always find an opportunity they do.

Justin Daniels 5:44

Well, one of the reasons we’re excited to have Art here today is we’re going to talk about the cloud. Because Art is I like to say, You know what my date is on the cloud. So of course, that means it’s very secure. And so teeing up our question, which is what is the biggest misconception around security in the cloud?

Art Poghosyan 6:07

Great question. So from the the enterprise business point of view, I think the biggest misconception is that you can actually secure the cloud with tools that were built for the data center. And this is one that that I see almost every day. And I think, one big reason why because it is because most businesses today, when they think about their cloud journey, they think about sort of this lift and shift approach. And it’s very common, they take what they have, in the center data centers, from the physical infrastructure network and move it to the cloud and put it into VMware, and now they have cloud freight. And they kind of tend to think about the security of that world, like it is still the data. What happens over time is their their needs evolve, and they start adopting and using more, you know, cloud technologies and cloud native technologies, which are much more, you know, sophisticated and advanced, like serverless technologies and micro services that big cloud providers like Amazon, and Google and so on, are offering. But you know, the reality of these new cloud tech, new cloud native technologies is that they are very different. Architectural II, they’re very different. And so really, it’s a whole different level of challenge to secure these environments. So that’s, that’s kind of the common recurring theme that I see that there’s that misconception that you can secure cloud with the tools that you already had in the data center.

Jodi Daniels 7:44

Well, we often hear and Justin, you just kind of joked about your data is in the cloud business, so it’s safe. And And truly, though, I’ll talk to companies and they’ll say, Well, my data is in AWS or my data’s in XYZ cloud space, and therefore I don’t need to do anything. It’s all secure. Why is it that businesses say or think I put it in the cloud? It’s secure?

Art Poghosyan 8:12

Yeah, so is this. On this topic, there was a completely different point of view, maybe like 15 years ago, when cloud was new, and it was more like, Oh, nothing in the cloud is secure. So it’s almost like we’ve kind of taken a whole 180 degree shift from that perspective to Okay, so if it’s in the cloud, it must be secure. I think there’s a combination of a couple of different things here that that, to me, at least it explains why there’s that that it. Definitely Cloud has matured and evolved over the past 15 years, and some public cloud technologies have become, you know, popular. I think the a lot of it is because technologies, the cloud technologies, and cloud vendors have evolved in their security. Well, it’s one thing that, you know, is common is a lot of the, you know, the clouds, service, cloud, native service providers, SAS dashpass, anything have, they always try to, you know, show the customers that they have the right level of security, that they are protecting the data prop properly. And they’re not necessarily lying about that, but the reality of how especially large and, you know, very large cloud providers, like major SAS platforms, for example. The reality of these businesses is that a lot of what they what’s happening especially in their, in their technologies, how they’re evolving. It’s it’s difficult to always maintain security at the right level across all especially they’re innovating very fast, difficult to maintain security, kind of equally across all the new features and functionality. We add to that to also the the Businesses are consumer facing business, especially that they’re building a lot of new applications, new, modern tools and technologies for consumers. Especially when it involves data. They’re using what’s what Cloud has to offer the cloud native capabilities like big data and analytics, you know, technologies. So these functions, these business functions, in a way, they kind of run ahead of the security, they are trying to be agile, they’re trying to be very customer, customer centric, and offer new new features and functionality. Well, our offers the technologies, but that don’t always the security features and controls don’t always exist in this new, you know, features and functionality. So what I’m seeing more frequently today is security teams are really trying to play catch up and try to, you know, balance, the business agility, the business needs, with the security requirements and protecting the important data. Pretty cool data like consumer data. So

Justin Daniels 11:07

turn a turning to your company now, Britive, how are you addressing disrupting identity access management security for the cloud?

Art Poghosyan 11:17

City? Yeah, listen, this is definitely near and dear to my heart. I’ve spent a long time in identity and access management solution space. And I believe that the identity and access management plays a much bigger role in the modern cloud native world than it has in the data center world. This is because you know, cloud technologies cannot be protected, protected with a firewall like like the traditional networks were. So Identity and Access has effectively become the perimeter, the front line secure security that the business does have to protect. Unfortunately, though, many businesses are still thinking about securing cloud cloud identities and access, like it as a data center. Britive introduces several innovative concepts and ideas for identity and access management in the cloud. One of them is this concept of zero standing access zero standing privileges. What this means is, the users can be authorized in receive access on demand, just in time when they need it. But it always expires automatically, when their session is over when they’re done, you know, with their activities. This ensures that there is no 24 by seven exposure of access or privileges that attackers love to exploit. Another key concept is to ensure that we are constantly analyzing and monitoring the activities of users in in the cloud technologies, identities and the privileges and privileges and access that they are authorized to have. And our machine learning engine makes sure that we detect behavioral patterns that are different from normal pattern and quickly, you know, take on remediation actions, for example, for alerting to security teams, as well as revoking access on the fly, if that’s what’s needed to to prevent a breach.

Jodi Daniels 13:35

Are there any, you know, some companies might say I’m too small to need these types of tools? So thinking about some of the objections that I’m sure you get when you’re talking to different companies? We’ve talked about some of them already with the need for security in the cloud. Can you share a little bit about what kinds of companies or the type of data that they’re protecting, need to have this type of a tool?

Art Poghosyan 14:02

You know, this one is an interesting one, because there are two camps out there that, you know, the security teams, we rarely hear any objections from them. The security teams always understand that the you know, benefits and value of a solution like private. The the common objections come from the cloud development teams, the folks who are building the applications folks are building, you know, data analytics, you know, platforms and so on. And the approach they they like to take is to say that they can build a solution like Britive, they can do it in house. And there are two two big problems with this approach. The first problem is well, while the cloud developers are more than competent to build solutions, building security solutions in house is a whole different beast and often And the time and the resources and the cost that takes to build solutions, like Britive in house are vastly underestimated. And it’s usually one or two years after they start looking at the the situation say, this is not sustainable, and they start looking for social enterprise. The second scenario is, multi cloud is reality for enterprise, even if they could build in house for one of the major platforms, let’s say AWS, as soon as they start expanding to other cloud providers like Azure and GCP. Now, the cost exponentially goes up, and it becomes a lot bigger, you know, undertaking to doing in house. And to do question, what size and what complexity of organization needs a solution like writer, our belief is that every organization needs a solution like Britive, that has, you know, clouds assets to protect. And if you’re in business, you have at least employee data, if you’re in business, you at least have some customer data, and so on. Right, so and you proprietary, your proprietary assets, and Crown Jewels, all of these things need to be protected. So there really isn’t a part of why and what businesses do or do not need a solution, like right

Jodi Daniels 16:24

here, the build your own tool all the time, especially in the privacy space, I always say there are experts in the field. That’s why you work with the experts, they’ve done it all for you.

Justin Daniels 16:35

Well, you know, when I think about your business in the cloud, and the security challenges of today, I think of Cassia, I think of the vendor ecosystem that provides services as part of the cloud offering. And so my thought is with that in mind, how does your tool for people who use it help them better protect themselves when there’s nothing you can do as a customer, if your cloud vendor has its own vendor get hacked, and because they want access to all of the customers of that cloud vendor?

Art Poghosyan 17:12

Now, that is a, that is a very big problem, you’re correct, Justin, because these days, even small businesses that are very open and have a lot of, you know, a partner, business partners, and they have third parties that they’re there, they’re doing business with. So they’re essentially their security extends to all these third parties that have in some way, you know, control or access to their data to their environment, infrastructure, how Britive it protects that this is actually one of the the biggest value adds to the customers that, you know, as I said before, right, the identity and access in in organizations that are have embraced cloud becomes very, very important for securing the environment. So that goes for the or any third parties that need to be granted access to their environment to their data. And that’s where Britive helps make that very efficient, at the same time, you know, facilitate the business knee while not making that security, be a any kind of, you know, burden or barrier for doing business with this entities, right. So that becomes a very natural and agile method of granting access, and that access always expire. So there’s no risk left to be attacked from the from the outside.

Justin Daniels 18:48

Well, thank you for that. So one thing that we love to ask all of our guests, particularly someone such as yourself, with so much experience in the security field is on a personal level for our audience, what is your best security tip that people could benefit from? Yeah.

Art Poghosyan 19:07

So this, this may sound kind of very, very simple, but really to the broader audience. My best tip is to actually try to learn security. Security and privacy teams these days are the kind of modern day heroes defending against, you know, all kinds of sophisticated attacks every day. And security really has to become everyone’s business to protect our companies to protect our businesses. And so, fortunately, there’s a lot of educational content and material out there about security these days. And every every, every employee, every team member can take half an hour to 45 minutes a day to read up about something like ransomware or privileged credential attacks or phishing attacks, and just really understand how attackers succeed. And what each and every one can do to stop them from from from carrying his attack.

Jodi Daniels 20:06

And when you are not building a company trying to help fend off these types of attacks, what do you like to do in your free time?

Art Poghosyan 20:18

Which is very, very little, but I still do get some free time the end. Thank you for that question. I love outdoors. God, I tried to do some hiking whenever I can. Fortunately, I live close to Angeles National Forest big, you know, wilderness area, I’m close to that. And there’s a lot of hiking trails, so I I spent some time there. But other than that, I like reading books. And ironically, these days, most of them are about how to grow your business. That’s my other hobby.

Jodi Daniels 20:53

So do you have a favorite book that you’ve read maybe in the last little while that you want to recommend?

Art Poghosyan 21:00

Ah, sure. The one that I just finished with? The title was The Qualified Sales Leader by John McMahon and it was a really good book I thought and very timely for where my business is and what we what challenges we need to tackle.

Jodi Daniels 21:21

Excellent. Well, if someone would like to learn more about Britive and connect with you, where should they go? I’m fairly accessible.

Art Poghosyan 21:29

LinkedIn, I respond to messages. Artyom Poghosyan. If you search for Britive, just look for the Founder, CEO. That’s easier. But otherwise, email is

Jodi Daniels 21:44

Excellent. Well, thank you so much for sharing all of this information with our audience. We really appreciate it. The same thing you want to add

Justin Daniels 21:51

no spin. Great. Everyone thinks everything’s secure on the cloud and Art’s here to say that not so much.

Jodi Daniels 22:00

Excellent. Well, thank you again are we’re doing

Art Poghosyan 22:04

just as but we’re getting there with with with Britive and others that are really helping secure the cloud. We’ll get there.

Jodi Daniels 22:13

Absolutely. Thank you again.

Prologue 22:19

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.