Sept. 16, 2024

#388 Mastering Endpoint Management & Identity: Insights from IT Veteran David Boscia


In this episode of The CTO Show with Mehmet, we are joined by IT veteran David Boscia, who brings over 32 years of experience in the IT domain, including leadership roles at NCR Corporation. David shares his journey managing tens of thousands of endpoints, discussing the complexities of handling a global network of devices and the challenges that arise in ensuring compliance, security, and smooth user experience.

 

David delves into the importance of identity and access management (IAM) in modern IT infrastructure, stressing how critical it is for organizations to control who has access to key business functions. He also discusses the role of compliance and the importance of managing a heterogeneous environment, where different operating systems and devices require varied approaches. David talks about the future of endpoint management and how the industry is moving toward converging tools, though we are not entirely there yet.

 

The conversation explores strategies for effective endpoint management, particularly in a remote work environment that has grown since the pandemic. David offers practical advice on managing updates, ensuring security, and overcoming user resistance to change, providing insights into the balance between security and usability. He also shares his thoughts on passwordless authentication and its future, noting that while the journey toward passwordless systems has begun, it’s still evolving, with organizations needing to adopt a phased approach.

 

AI’s impact on IT management is another key topic in the discussion. David explains how AI is being leveraged in endpoint security, identity verification, and IT operations to reduce user friction and improve security. The use of adaptive controls to combat issues like MFA fatigue and how AI can support smarter, more context-aware systems is also covered.

 

As the episode concludes, David offers valuable advice for IT leaders looking to improve their endpoint management practices, emphasizing the importance of balancing security measures with a seamless user experience. He also touches on the role of continuous learning, auditing, and user training in building a robust IT management system. You can connect with David on LinkedIn for more insights and follow-up questions.

 

More about David:

 

David Boscia is a seasoned IT leader with over 30 years of experience in Information Technology, specializing in Identity and Access Management (IAM) and end-user computing (EUC). As Director of IT at a Fortune 500 company, David has led significant global transformations, improving employee digital workspace experiences while ensuring compliance with evolving security standards. His innovative leadership has modernized IT infrastructure, enhancing collaboration services, mobility, and security operations across the enterprise.

 

With a proven track record in program management and vendor negotiations, David managed a $38M budget covering various IT services, including collaboration tools like Microsoft 365 and mobile device management via Airwatch and Intune. His core competencies include managing complex global projects, contract negotiations, mergers and acquisitions, and risk management. David’s leadership continues to drive innovation and digital transformation in IT, advancing security and enhancing employee experiences in today’s dynamic work environment.

 

https://www.linkedin.com/in/davidboscia/

 

 

00:00 Introduction and Guest Welcome

01:11 David Boscia's IT Journey

02:21 Challenges in Managing Endpoints

05:17 Strategies for Endpoint Management

11:05 Importance of Identity and Access Management

13:28 Best Practices for Identity Lifecycle Management

20:04 The Future of Passwordless Authentication

32:33 AI in IT and Endpoint Management

39:49 Final Thoughts and Advice for IT Leaders

42:32 Closing Remarks and Farewell

Transcript

[00:00:00]

 

Mehmet: Hello and welcome back to a new episode of The CTO Show with Mehmet. Today I'm very pleased joining me from the U.S. David Boscia. David, thank you very much for being with me here today. The way I love to do it is I give it to my guests to introduce themselves. I know you have a long experience [00:01:00] within the IT domain and you know, I would love you to share with us your experience and you know your journey and then we can take the discussion from there.

 

David: Sure. I'm excited for, um, the podcast here today. And, uh, yeah, I have 32 years of experience at NCR Corporation as an executive director in the IT realm across various functions, but certainly end user compute, identity and collaboration and security items, hardware and software asset management are all things that I touch. It's, it's really the end user experience that I managed throughout my career. So, uh, 32 years of experience. I'm, I'm happy to share, um, a lot of, uh, uh, things that maybe others listening to this podcast can, can, uh, can gain experience with.

 

Mehmet: Yeah, absolutely. And again, thank you very much, David, for being here with me today.

 

Mehmet: So I know like majority of your experience [00:02:00] was, you know, managing large numbers of, of endpoint. And, you know, uh, even when I think about it from my personal perspective, you know, I was working in a university and we used to have like, you know, uh, a couple of hundreds, let's say, but for you, it was like tens of thousands.

 

Mehmet: So it's a daunting task. So Oh, yeah. Would you like Tell me from your experience, what like are some of the biggest challenges you have encountered in in in this area? Sure. You

 

David: know, thousands of endpoints are difficult to manage, even if you've got, you know, a process that, um, is is very good for one, uh, when you open up, you know, global community.

 

David: Um, you find that there's many challenges in reaching that global community from a centrally managed environment. Visibility to the assets, right? They may be offline, they may not be online. And you want to make sure you have, [00:03:00] um, a clear site to access and administer and update those endpoints. That's often a challenge.

 

David: Um, you, you might have, you know, customer engineers working in the field and don't boot up their laptop very often. Um, so it, it becomes a challenge for you to reach those assets to update them on a regular basis. Um, you also have, you know, the typical resistance of change from your employee population.

 

David: I'm too busy to make this upgrade today. I've got other things to do. This is going to take 10 15 minutes of my time and I I'm getting ready for something. I want to postpone it. There's a lot of reasons why people resist change. So, uh, you have to plow through those, uh, types of challenges to keep your environments updated.

 

David: And, of course, uh, you You've got variety of endpoints. We're not just, you know, Windows shop or Mac shop and you do use different tools for for different [00:04:00] environments all the time. So you have to have the skill sets across those different tools, um, and repeated processes that work consistently across all your endpoints.

 

Mehmet: That's a great perspective. So, you know, having a heterogeneous, let's say environment, David, and this is just a question that popped out of my mind. Um, is it a myth to say, like, we can truly unify the management because, you know, the reality is the operating systems, you know, are built in different ways. So Windows is not like Mac. It's not like Linux, it's not like Android, and so on. So, and because, you know, the reason I'm asking you this David is when it comes to, to management. So we need to talk a lot also about compliance and security, and especially across large number of endpoints. So is it like, is there a way, or like, do you, do you think, [00:05:00] you know, the technology is, is, converging in a way that we can really, really have, you know, this, uh, kind of a convergence to manage these different OSes and to make sure that the compliance and security across, you know, all these endpoints are there.

 

David: I think we're headed in that general direction. I'm not sure we're there yet. But when, when you, you talk about tools to manage your environment across all the different, you know, endpoints that, that I discuss, you, you definitely have tools that say, "I can do it all," right? Uh, but sometimes you go after, you know, best in practice. Uh, you know, the, I guess the, the top, you know, Magic Quadrant, Gartner Magic Quadrant, you know, type resources for each of the different areas. You'll find different tools at the top. Um, you know, I think we're not, we're not there yet and having, you know, single set of tools that does it all.

 

David: [00:06:00] But I think we're headed that way. Now, the other thing to think about when we look at those operating systems are all, you know, getting updates at different intervals and times and things like that. And some of them might have, um, more sensitive or, um, more concerning issues that arise where you have to go after them at a different interval.

 

David: So. you're going to have a lot of variety coming from the vendors. Um, so you have to be prepared to sequence and manage them and and using one tool versus two tools may not make that much of a difference.

 

Mehmet: Got you. Now, of course, uh, you know, talking about the tools, so, but there must be kind of a, you know, strategy that you found like most effective and, you know, I'm pretty sure also like David, you can shed some lights on, it's not only about the large number of the devices and, you know, like the mix of, of operating systems.

 

Mehmet: And I think, you know, [00:07:00] what happened, especially after the pandemic, like people start to be like all solo. Distribute them all, you know, remote work. And it became like also hard to, you know, to make sure that these devices, like these endpoints are like getting the latest updates and the latest, you know, patches.

 

Mehmet: So what was, you know, the strategy or what's the strategy you think, which, which was the most efficient, you know, and effective, uh, whether like it's tool, whether it's like a strategy overall to make sure that the endpoint management is done the right way.

 

David: Yeah. Um, You need to be able to measure your progress.

 

David: Um, regardless of whatever tool you use, um, you know, what's your coverage? Um, you know, when we talk about world class patching, you're, you're, you're over 95 percent patched on a monthly basis, or even more aggressive than that. So, um, you know, how do you make sure that you're [00:08:00] 95%? So you're using some of your tools to generate reports or endpoint inventory reports and things like that.

 

David: But, and you're constantly chasing failed updates. So you need to have, uh, resources, uh, dedicated to ensuring that you're, um, you know, going after the failed events. Um, and, and then on the other hand, you, you need to enforce compliance with controls. Uh, so. I mentioned before, there's some resistance, right?

 

David: While, while you can resist update, you, you have, you might have that level of control at some point, uh, you're going to lose access to the network, right? And those are posture checks that you might put in place to make sure that, uh, people are advancing. And if they don't, there's consequences and you can't get your job done if you don't have access to the network, right?

 

David: So there's different ways of, of doing that. Um. [00:09:00] Yeah, I have to be sensitive to, you know, business continuity and making sure that you have, uh, the right level of, um, time to offer an employee to do an update or what they have to do on their side has to be reasonable. Um, and then at some point you just cut them off.

 

David: Um, but that, that's a, uh, uh, a strategy that kind of goes across the board with all things security. There's a balance between, uh, business continuity and the security controls that you put in place.

 

Mehmet: Yeah, David, just, you know, out of curiosity here, you know, because you said like people usually, uh, there is the change and we know this, like, especially when it comes to technology changes.

 

Mehmet: Have you seen, for example, you know, removing, for example, of course, not to force it in a bad sense, but like, let's say we want to do something. So we need a little bit to kind of, at the same time, empower the, the, the user. [00:10:00] But at the same time, remove like the full access or the full, the full admin access from them.

 

Mehmet: Have you seen the strategy, something that might work also?

 

David: Yeah, absolutely. Uh, you know, I mentioned, you know, at, at some point they, they get cut off and that's the, you know, the end of the cycle. Um, but what we've done before in the past is, is we give them kind of a. You know, some nagging pop ups, um, you know, that say, okay, here's the countdown.

 

David: You can only defer this 1 more time, you know, before you lose access to the network. So, uh, that's, uh, you know, somewhat of a compromise to give them a little bit of time, uh, to make the deferrals that they need to get other things done in the business, but knowing that there's some hard. You know, point at the end of that cycle where they're going to get cut off.

 

Mehmet: Absolutely. Now, of course, part of managing endpoints, and this is something very critical, you know, in the whole environment, which is, [00:11:00] you know, access and identity management. And I want like to to discuss a couple of things with you, David. So IAM, or like identity management as it's known, it's very critical for cyber security. So can you elaborate, you know, the importance of this technology and the integration of the systems? Like, for example, if someone still using Active Directory, I'm not sure if it's still the case. I know, at least here in the Middle East, people still use the on-prem Active Directory. But of course, Microsoft is looking for Azure AD, or Entra ID as they are calling it, and you know, like other systems like, you name it, the Oracle ERP, the Workday. So, you know, walk us through, you know, why, you know, this component of identity management is so critical. Um, and you know, takes good part of, of managing also the endpoints.

 

Mehmet: Sure.

 

David: You know, I might, might be obvious, but I'll state it anyway. The businesses must control who has access to what business functions in [00:12:00] their company. Um, you know, just, let's say finances, right? So let's say you use Oracle ERP for your finance system. Well, you don't let everybody in your company access certain functions in the Oracle ERP environment. So, uh, the way to mitigate that is you, you know, you have identities and your identities are tied to roles within the business that do certain functions. Um, so that marriage between identities and roles and functions is critical to business operations on a regular basis. Um, but how do you ensure that the identity, uh, that you're using is truly that person? Um, you know, we, we know that there's, um, there's fraud, right? But we also know that, uh, businesses must. Roles and responsibilities and who has access to roles up to date as well. So group management or things that, you know, the business is responsible to make sure that the right people have access to the right [00:13:00] systems at the right time. So, you know, those are to me, you know, clear identity and access management challenges for a business is that, you know, you need identities, you know, you need roles and responsibilities. Now, how do you keep that all clean? How do you make sure you are who you are and your identities? And that whoever you are, you have the right access or roles and responsibilities enabled in your systems.

 

Mehmet: Absolutely. Now regarding also the best practices, David, and we know, and, you know, I remember from my days when I was, you know, on that side of the, of the table is, you know, managing the life cycle of the identities, right. And this is related a little bit, even to the full picture of managing, you know, the asset life also as well.

 

Mehmet: And, you know, when the user leaves the organization, so we make sure like. Of course he or she, they will return, you know, their assets, but also like it's connected [00:14:00] to, you know, the identity. And because if we don't, uh, follow the best practices, again, we're going to have some, some risks. So what are the best practices, you know, that, you know, you've seen, Beneficial in managing the life cycle of identities within, uh, organization.

 

David: Sure. Um, yeah, this is, um, I guess a long answer because there's so much under the hood to, to that question. Um, but obviously you need to manage your identities through the entire life cycle. From onboarding to offboarding, you need to, um, make sure, as I mentioned before, you have. The right identities in motion, uh, tied to the right roles and right access and to do so requires a lot of, you know, controls and audits and things like that in between.

 

David: Um, but 1st and foremost, you have to have security [00:15:00] baked into your design of, of, of everything in identity. From the beginning of the life cycle to the end of the life cycle. Um, example is strong authentication methods. You know, what's what's the right level of authentication required for any given application?

 

David: Um, you might have different tiers of of applications with different level of impact to the business. Um, and. Based on that, you develop your authentication. Um, so authentication could be, you know, just real simple access. If you're on a network and you're a managed device, you have access, right? Another might be okay.

 

David: Well, let's present your credentials a little bit stronger way. We need MFA. Um, and, you know, we can go down that security path into, um, something a little bit less frictionless, uh, like, you know, passwordless and things like that over time. [00:16:00] Um, but once you have all those controls in place, you need to audit them, right?

 

David: So, uh, are those controls effective? Do you have any, uh, opportunities to address on a regular basis? There's always opportunities, uh, where you have to, uh, not just. Patching but, you know, other things that come up where you say, okay, I'm aware of of this opportunity. Um, it's, you know, rated, you know, X on our security concern or risk radar.

 

David: Uh, therefore, I'll get to it in Q4. Um, so you have to prioritize all this work is a lot of work there. Um, and kind of stepping back. You also need to train your users, right? So from day one, um, they need to be, uh, security aware, uh, there's all kinds of ways to do that, but you want to train your, um, all your users with your security policies, um, and what they can and can't [00:17:00] do with their identities.

 

David: Next. Um, because in the end, uh, we all know this, that, um, identities are most often breached, um, by the end users making mistakes. Whether it's a phishing or otherwise, an end user, their credentials can be compromised. Um, and so you train them on a regular basis. You've got lots of onboarding that happens on a monthly or or even a weekly basis.

 

David: And you want to make sure that they're introduced with all the security awareness that they need. Um, and for those that have been with the company for a while, you need to refresh them. Um, and you know. And capture the fact that they were trained, right? So you need to hold your, your users responsible for security just as much as your controls and making sure that your controls are in place.

 

David: Um, and then, you know, by design, we're, we're talking about, like, zero trust principle, right? So think about, um, [00:18:00] ways of, of managing your identities, knowing that. Um, you have access to nothing until you're granted access. Um, there's different ways of doing that and a lot of different tools and services under the Zero Trust Principle.

 

David: Uh, but that's, that's quite common nowadays. Um, and, and you need, all your systems need to be scalable. Um, so you can't throw everything at the help desk. Um, we know that the help desk can't solve, you know, all the problems. Well, yes, they can. Uh, there's limitations and, and who all wants to, to interact with help desk on a regular basis.

 

David: They, they want to be self sufficient and things like that. So, uh, so think about scalability of your, your services. Think about things like, um, self service, uh, tools and services. I mentioned earlier, like group access. Um, that could be very easily managed by, um, a self service environment where you request access to a group that enables you access to [00:19:00] Oracle financials and somebody who manages or owns that group will get engaged in a workflow with the approval process to make sure that you are who you are and you should have access to that Oracle financials environment.

 

David: So. That's an example of the flexibility that you need to establish in your overall design and plan.

 

Mehmet: Right?

 

David: Yeah. And, you know, and automation, right? You know, let's, you know, push aside the, um, the whole process of self service, but. Let's automate things where we can, right? We know that we're hiring a financial person into our organization.

 

David: Let's automate access into Oracle financials out of the gate. Um, role based access, uh, should be a part of your onboarding process. Um, and, and that should just flow naturally and not engage a person to be, you know, to be doing that. Of course. You have to validate the ident identity upfront and that's, [00:20:00] we'll get into more of that discussion later.

 

Mehmet: Yeah, absolutely. So you mentioned Passwordless, David, you know, and I know people are complaining since long time, like why we still use passwords. Right. So, um, it's a very hot topic. I know, like there are like. multiple initiatives by big vendors such as Microsoft, you know, and rest of some of the big security players in the market that are pushing for passwordless.

 

Mehmet: So first, like, you know, in simple terms, like even for someone who might not be familiar. So if you can explain, you know, the concept of passwordless, although like it's obvious from the name, but, uh, but I want to also, uh, you know, uh, David to discuss, or if you can shed light on is. How I can implement it and is it easy actually to implement it?

 

Mehmet: So I know it's kind of loaded question, but and I think it's very important part Which is you know [00:21:00] related to what you were discussing before about the authentication which is again It's the beginning of any cyber attack starts there. So I will let you explain that to us David

 

David: Yeah, yes, strengthen our, strengthening our identities, um, is something that's always, you know, ongoing.

 

David: It's, it's a journey. Um, and it's not just something that you just turn on with a single configuration to, to get more secure and the term passwordless, uh, presents an opportunity to the end user. Who's scrambling to keep track of all their different passwords and all these different systems. We know that's a constant struggle and we know because we're measuring it with calls of help desk and other things.

 

David: Right? So we know that our end users are struggling with their passwords. And when that happens, um. They might get, um, you know, fatigued or make mistakes and their credentials get [00:22:00] stolen or lost by, you know, cyber criminals, et cetera. Uh, so when you reduce the friction at the end point with the users, uh, remove the need for passwords.

 

David: Um, it makes your environment much more secure. Period. Um, and going beyond that, you know, there's different, you know, additions of passwordless where you get to a true identity verification or validation step, which is kind of the next big thing and and identity is to, you know, tie a lot of different things up front to, you know, getting a validation on an ID. And then, you know, storing that validation. Um, and then using it for your next access. So it could be a combination of video. Um, you know, we know Windows Hello is very simple, um, passwordless approach on a Windows machine, but is it secure? [00:23:00] And could it be more secure? Yes, it could be more secure. And that's where what I'm talking about with identity validation where we take those types of concepts to the next level and and use, you know, the, the, um, the video interrogation along with some identity.

 

David: Uh, you know, presentation could be a driver's license or a passport or whatever combination of credentials that ensure you are who you say you are. Um, and then that that identity gets repurposed. So, uh, that's all, like I said, a journey, um, but it's all with less friction on the endpoint, um, and more security with our identity in the end.

 

David: It's a win win for, for everybody.

 

Mehmet: Absolutely. But just one point regarding, you know, a few things that are happening currently, David, because, you know, just in a couple of few weeks, I did some interviews. Um, so there are concerns, you know, when it comes, for example, to any thing [00:24:00] that is related to video or images that, you know, AI can fake it.

 

Mehmet: So how, how you are seeing, you know, this blending of, of AI and deep fake, and, you know, with the passwordless concept and people are like scratching their heads now, you know, with AI actually, of course it's, it's being used as we speak by the bad actors and they're going to leverage this to, to break in.

 

Mehmet: So how do you see the, the technology, you know, um, Kind of being able to solve this dilemma, I would say, between leveraging, you know, passwordless and, you know, the things you mentioned versus, again, bad actors, again, leveraging the same technology to break in. Right.

 

David: Yeah. So, yeah, that's a great point. I, we know, um, in, in terms of cybersecurity, AI is, is, uh, um, a strong point for both sides of the fence.

 

David: It's a strong point to help us improve [00:25:00] our, um, you know, uh, attack identifications and, and threat, threat actors and things like that. But on the other hand, um, the cyber criminals have that same type of technology and are using it, uh, like the deep fakes you mentioned. Um, but I think IDV and the approach and the strategy there is going to thwart those concerns because, um, if you think about video, um, you're more likely to, um, be using some infrared, uh, camera capabilities that a pure image itself, uh, won't satisfy the security requirements. So, um, I think, um, you know, in the fingerprints, you can combine it with a bunch of different things that you feel is most secure for your organization. Um, and that could vary by application. Um, so one thing we didn't talk about was the, these adaptive controls.

 

David: Uh, [00:26:00] whether you apply adaptive to, you know, MFA or identity, valve verification, um, you, you could have progression or different levels of, of controls. Um, and, um, This whole fatigue thing, you know, if you go from MFA into, uh, towards passwordless, you may have a, a tough journey because you have legacy applications, maybe they don't support, you know, uh, modern authentication, just LDAP or whatever, and it's a journey for you to get to that end point, but you can have stages to get there.

 

David: Um, you know, adaptive MFA is, I would say, a stage of getting to passwordless. Um, and and to answer your question specifically on the front. Um, we know that MFA is, you know, being, um, uh, addressed by cyber criminals and not [00:27:00] as secure as we'd like it to be. Um, and. And it's a piece of that journey. Uh, so as long as you're somewhere in the middle to the end point, you're vulnerable and, and there is no end point.

 

David: Um, as, as much as we describe, uh, opportunities to get better cyber criminals are on the other side, doing the same and finding ways to get holes into your identity. Uh, but we can, we can do better as we go. Go through this journey and the faster we can go, the more we can invest into getting to those end points, the better off we'll be.

 

Mehmet: Right. So David, do you think, you know, uh, what, what you just mentioned, which is the combination of passwordless plus, you know, the, uh, adaptive, uh, you know, uh, concept that you also talked about. So do you think we can see it mainstream in the couple of few years from now? Because are we going to see it?

 

Mehmet: Like see people [00:28:00] stop using actual passwords finally, because, you know, and I think again from returning to the end point, and this is something I used to see, and I still see some time people put their passwords on sticky notes, right? And they put it just in front of them. So when do you think we're going to stop seeing this completely?

 

David: Yeah, I've used the word journey a bunch of times in today's conversation and that's what it is. You, you might get, you might focus on, uh, let's say your financial system saying, okay, that's this one here is most important to me. I'm going to go all in on getting to passwordless for Oracle ERP, right?

 

David: You may choose that, but to say that your company is passwordless is going to be a journey because you've got all these different applications with different capabilities. And, and it, you know, at NCR 130 year old company, we've got a lot of legacy applications [00:29:00] that it's just going to take a while to put on that, that cap and say we're passwordless, right?

 

David: It's. So it's not a simple answer to your question, and there's many companies that are passwordless today. I had a conversation with Microsoft who claims to be passwordless. Um, they, of course, are eating their own dog food, and it's working for them, Windows Hello and all that, right? So, that works great, but, okay, turn the, turn the page.

 

David: And a typical large company, maybe all your endpoints can't support Windows Hello. Maybe you still have Windows 7 out there, Windows 10 machines that don't have the right chipset to get to passwordless, right? So those are things that large companies need to, you know, weed out. And over time in this journey, I call it, you know, get to a better spot.

 

David: Um, but there is no date I can give you, but I can tell you it's [00:30:00] happening today. Um, and it might be application by application. Um, you're probably quicker in a small medium business to get to that end point. Um, but, you know, for, for larger companies, it's a journey.

 

Mehmet: Absolutely. Just, you know, to maybe, and it's not a joke really, but I remember a couple of, not that long ago, maybe like three or four years ago, before the pandemic.

 

Mehmet: Yeah, it was like 2019. So I still, I, I went to, to a place and, you know, again, to the point of people, how they, uh, resist the change. So, so I've seen their one application and they told me like, look, this application, we cannot touch. And I asked why they said, yeah, because it's a legacy application and we don't, we don't know how to change it.

 

Mehmet: We came here, we found it. I said, okay. What it has inside and it figured out like they, I think they had a SQL 2005 or something, which is not supported anymore, even by Microsoft. And it's running on [00:31:00] top of a, um, Windows, uh, I think it was a 2003 server also as well. So I said, Oh, wow. Right. So. Why don't change it guys?

 

Mehmet: I said, okay, it's working, like, now we don't want to touch it. Let it break and then we would see. So, like, this is something really realistic, David. I've seen it hundreds of times outside my career.

 

David: Yeah, for sure. I, you know, so, so my advice there is to, um, engage with your, um, security team, cybersecurity team, um, and assess the risk of that application, uh, based on what you know. Right.

 

David: The data that it manages, the business functions that it supports. Um, and what does that mean to the business if it were to be compromised? Um, get a risk score, right? So once you have a risk score on it, you'll, you'll know a little bit more about how to go after that. Um, and if you find that that's a high risk item [00:32:00] or of concern, then you build a plan to, to, to mitigate that risk.

 

David: And mitigation doesn't necessarily mean you get to that end point. It could be containment, right? Uh, access into this environment is fully contained and you can't do this and this and this in and out of that environment, right? So there's ways to contain applications that you find are, um, risky for other reasons that you can't fix, um, until such point that you can fix them until you can upgrade the environment, you contain it,

 

Mehmet: right?

 

Mehmet: David, we mentioned AI, but in another context, but now I want, I'm curious, actually, to know, um, how AI is being leveraged currently from an IT management and endpoint management perspective. Um, have, do we start to see, you know, some really cool technologies coming out, or are we still like waiting for the next [00:33:00] breakthrough, uh, cutting edge technology that would change even the way we think about, you know, IT management and endpoint management specifically. Where are we currently with the AI?

 

David: Yeah, I'm excited about what AI offers to the IT organization. Um, and at least in my organization, we, we, we buy a lot of tools versus building our tools environments. Um, so we do lean on our vendors to, to bring that AI capability into the platforms and services that we use.

 

David: Um, and we're, we're seeing more and more of this come through with, with each of our applications. You know, every vendor that we talk to, if they're not talking AI in a conversation, you should be surprised. Um, so it's, it's here. It's going to have an impact in the context of, uh, endpoint control and, and identity.

 

David: Um, it's, it's already there. Um, you, you see it in, in a lot of, [00:34:00] uh, endpoint security tools, um, that are looking at, um, a lot of different variables, um, and environments like your SIEM environment gets all these, your SIEM environment will collect all these events and, and activities en masse, right? So this is a big database of events that are happening.

 

David: Imagine if you're a environment taps into that, you know, daily event log and can bring that context to you. For simple transactions like logging into the network, you can understand a little bit more about where you've been, where you've traveled, the logins recently and whether it makes sense to allow you access or, you know, I mentioned MFA and, you know, a journey towards passwordless. If you implement MFA today, you might get to a point where, um, you get, you know, MFA fatigue. [00:35:00] Um, these types of adaptive controls can tap into environments where it knows a little bit more about you, who you are, and can determine whether you need an MFA prompt.

 

David: Right? Uh, so, uh, even though you might have MFA set up across the board for all your applications, if you prompted everybody every time for MFA, they would definitely get MFA fatigue and just start answering yes, yes, yes, regardless of where it came from. Um, but these types of AI controls can, can be more, you know, add that adaptive element to, to your controls, um, as an example to reduce MFA fatigue.

 

David: So there's a lot of different applications. That's just one example. Um, but, but there's a lot of things when you look all the way down at the end of identity verification validation, uh, there's elements of, of, um, of AI in those controls that are rather new to the market today as well.

 

Mehmet: [00:36:00] Absolutely. Do you see, you know, David, like, uh, especially with the Copilot from Microsoft and, you know, these other, you know, generative AI tools that are coming up every day.

 

Mehmet: Are you seeing, like, really, you know, having, uh, an impact on minimizing, let's say the workforce required, for example, to put the people who interact, I mean, the service desk mainly, you know, so, um, so, so are we seeing like more adaptation adoption like in, in that area? Because, of course, what you mentioned is very important.

 

Mehmet: This is what measures of the people they don't see. So, so anything which is an AI technology that works in the back end on the infrastructure layer, let's say, and facilitate and ease our lives, but people they don't see it. So what usually the end users will see that the bots, which everyone, when you talk about AI, people think that it's only like Copilot and ChatGPT style.

 

Mehmet: [00:37:00] Uh, of course it's not that, uh, that's all, but I mean, this is what usually people will interact with. So, what are you seeing there? Are we coming to have like a kind of an AI agent sitting within the IT department helping, you know, your team taking care of the tickets and you know, even because now we have the capability of generating voice and even like even maybe taking a call and guiding them.

 

Mehmet: What are we expecting on that side?

 

David: Yeah, great question. Um, when we think about IT and IT support and operations, um, AI is going to have a dramatic impact. And what, let's just use a simple example of, of, of, uh, calling the help desk or, or not calling the help desk and using, uh, uh, a chatbot, right? Um, our chatbots are evolving using AI dramatically.

 

David: Um, it used to be where, okay, I can't find what I need outta this chatbot. I gotta call the help desk. I got, I want to talk to [00:38:00] someone because you know this right? This chatbot isn't working for me. Um, I'm sure you've all experienced that. Well, I think that the chatbots are getting smarter and better and more in context.

 

David: Um, and, you know, you think about, um, uh, an IVR system. So you, you call the help desk and it asks you a sequence of questions to get to the right person, right? Um, wouldn't it be nice if you had natural language up front that could get you to the end point? Just describe what you need up front. It'll get you to the end point without asking you 6 different questions where they, you know, there's a pause and validate your response.

 

David: It's a, you're going to get quicker to the end point. So less friction. Um, and that's, that's always a good thing. So I see a lot of different applications in that space for, for operations. Um, and. And perhaps over time, we'll see, um, better automation, better, [00:39:00] um, better activities with these chatbots to solve your regular problems, uh, so that our help desk can focus on the bigger problems.

 

David: Um, and that's, uh, what I'd like to see is that we can get to a better space, uh, where some of the common, easier problems are naturally solved with a good, uh, chatbot, IVR system, a good chatbot system, um, where they're failing today.

 

Mehmet: Absolutely. You know, and especially where, you know, this allows the team to go focus on, you know, as you said, the important things rather than repeating something, you know, we can actually automate it a hundred percent, uh, David, like we're almost coming to an end and really, I enjoyed the conversation and, you know, a lot of, of knowledge and wisdom you shared with us today.

 

Mehmet: So what's your advice, you know, for, for, you know, IT leaders, uh, who want to improve, you know, their IT management practices [00:40:00] in general. And I would say, you know, especially the endpoint management part.

 

David: Yeah, I think my number one point there is that you have to have a balance in security and user experience.

 

David: Um, and there's a lot of different controls that we talked about today that if you just go and implement them all tomorrow, we know, you know, uh, that'll be a change disaster, right? You, you, you have to manage change effectively with your users, um, and, and balance the, the speed in which you move, uh, change through.

 

David: So, uh, that's, that's a top priority and, and, and it caught us a couple of times in the past at, at NCR, we, you know, removing, um, uh, administrative capabilities on an endpoint. Um, we went pretty aggressively with that and it affected some of our software developers who happened to run a code on their machine that has to install software.

 

David: [00:41:00] And oh, by the way, they didn't have administrative privileges on a machine to install that software. So it becomes a balancing act that you have to do on how you deploy security controls that remove, uh, that type of, uh, access. So, um, that's just one example. But, but, um, it's important, um, that your business, uh, um, is successful and they can do the things that they need to do to get the job done.

 

David: At the same time, you're improving your security posture. Um, and, you know, I mentioned before that, that getting to passwordless and ID validation is a journey. Um, so, um, you, you may, your, your ears, you know, peaked and you have a strong interest in getting to that end point. Now, um, you know, how do you get there?

 

David: Um, I mentioned before that you just can't, you know, turn a knob and turn it on. You might take [00:42:00] steps to advance your security. At the same time, getting towards that end point, like, you know, adaptive, I mentioned a couple of times, but getting to that end point might require several steps in the middle and you might get to that end point quicker with certain, uh, security, um, uh, ranks, uh, on risk ranks, um, you know, for certain systems that, that are, have a higher risk, go faster. And, and, you know, that, that makes sense.

 

Mehmet: Absolutely. Uh, finally, David, like, uh, where people can find you, are you on LinkedIn? Like where they can get connected?

 

David: Yeah, absolutely. Um, I'm in LinkedIn, obviously, uh, David Boscia, it's spelled B O S C I A.

 

David: Um, and yeah, David. Uh, I was just one word. No, uh, no spaces after LinkedIn, but you can find me there with quick search. Um, and I'm [00:43:00] looking forward to follow up and happy to answer any questions you might have.

 

Mehmet: Great. Thank you very much, David. I really appreciate the time you shared with us today. It was really, uh, very informative and educative also as well.

 

Mehmet: So, and I'm sure like fellow IT leaders, uh, whether, whatever they are in their roles, whether they are in the world, they, they will benefit from, from the knowledge that you shared with us today. And this is usually how I will end my episodes. So this is for the audience. If you just, you know, discover this podcast by luck.

 

Mehmet: Thank you for passing by. I hope you like it. If you did, so please subscribe and share it with your friends and colleagues. And if you are one of the people who keep following us, thank you very much for doing so. I really appreciate that, and keep sending me your comments and feedback also as well. Thank you very much for tuning in.

 

Mehmet: We will meet again very soon. Thank you. Bye. Bye.