Decoding Data Sovereignty with Jenner Holden

Ever wondered how a NASDAQ listed company navigates the murky waters of cybersecurity? Join us on Identity Radicals with the CISO at Axon Enterprise,Jenner Holden, who pulls back the curtain on their operations and innovative security programs. One such program, which awards physical swords to employees, has successfully gamified the process of security awareness. Jenner also opens up about his involvement in the AZ Cyber Initiative, a program empowering high school students to kickstart their careers in cybersecurity.Holden enlightens us on the importance of security reviews and access control processes – the unsung heroes in the fight against security threats. We unravel the complexities of automating provisioning and de-provisioning processes and shine a light on the hidden risks that linger even after an employee departs. Tune in as we delve into the art and science of detecting unusual activities and bolstering resilience to contain potential threats.We also venture into the labyrinth of compliance frameworks such as Sarban's Oxley, SOC2, GDPR, and FedRAMP. We discuss the challenges of data sovereignty for international clients and the intricacies of securing service accounts. Jenner shares intriguing tales of unusual security threats including police impersonators trying to buy Axon gear. We conclude by emphasizing the crucial role that resilience plays in cybersecurity and the importance of promoting careers in this field.Key QuotesI tend to not over focus on how quickly it takes the security operations center or the incident responders to correct the incident, to fix the incident. I measure how quickly it takes them to detect and start working on it. But I don't want us to rush through the process of identifying what happened to who, when, just to get it closed and quote fixed, because I mean, it's not that infrequent that you hear about a breach that occurred where the company noticed something, they responded, but they didn't quite understand the breadth of the issue.There's always pockets of applications and access that need to be a little bit more manually done with eyes on the ball. But the bulk of it can be automated and we've done a good job getting to that point.Unfortunately, the target is maybe to just pass an audit, not to actually reduce risk to the company. Actually reducing risk probably takes a different approach that we're not yet doing but we're working towards.W hich I would describe as a little bit more real time. So if you could, if you imagine you could classify applications and or more privileged groups and access levels from highest risk to lowest risk. And use systems like Veza could definitely have a role here. And we hope to use it this way to identify through some of the workflow features, right, to identify when a change happens that involves these higher risk areas, the access review must happen right now, meaning not just the normal, they requested access and the access was approved.I would actually set a metric that our number of privileged users should actually be going down over time. Because we don't need people with deep individual access because we have built systems and automated things to the point where the deepest level operations can occur without anyone actually really needing access. If you have a lot of people with a lot of privileged access, that's actually an indicator of just general broken IT operations, probably, or process issues. It's showing me that there's other things in the business that aren't right. Therefore, we have to band-aid it by having people with deep access that can go manually fix things.We're working in other countries across Europe and the EU. And one concept that's important to our international customers is the idea of data sovereignty. So their government data, which is the data that we process on their behalf, the services that we're providing. Must stay within the boundaries that they define, the physical country boundaries, boundaries that they define. And then on top of that, the core identity characteristics of the people that are supporting them and working on that system and operating that system is also important to them from a sovereignty standpoint. So they care about where those people physically reside. Are they in my country? Are they in my continent? Are they on the other side of the world? Where are they when they're supporting the system that holds my government data? And what is their citizenship? Where might their loyalties lie? Right? Is [an] EU citizen okay, or do they have to be a citizen of Italy?Can they be a US citizen or not? These are interesting and complex issues that we navigate with our international customers as a U.S.-based company.Time Stamps4:40-The Information Security Quest for Immortal Honor at Axon7:10-Staying prepared for the inevitability of identity attacks13:15-Understanding provisioning, keeping it effective, and impacts of automation18:50-Pivoting away from the “old school” of access reviews29:20-Unique challenges of service accounts at Axon31:40-The AZ Cyber Initiative programLinks Follow Jenner on LinkedInCheck out all things AxonIdentity Radicals is sponsored by Veza, the Identity Security Company. Learn more about Veza by checking out: Why Veza, Why Anything, Why NowVeza on YouTubeVeza.comOr, schedule a demo with our identity security experts to learn how Veza's Access Control Platform can lead your organization to least privilege.