Scroll Top
400 S El Camino Real Suite 1050, San Mateo, CA 94402
Join Now
its-already-time-for-dspm-a-conversation-on-innovation-with-katherine-walther

It’s Already Time For DSPM – A Conversation On Innovation With Katherine Walther

Videos
13/02/2024

00:00:03
Mohit Tiwari:

Katherine, it’s wonderful to meet you. Thanks a ton for taking the time hanging out with us. I respect your personal story a lot. It has very few buzzwords and a ton of substance, so I thought that would be a good place to start from is how you got to be leading innovation at Trace3. 


00:00:26
Katherine Walther: 

Thank you. It’s a great question and something I probably don’t talk about a lot, or maybe I should be talking about more, but I came from the practitioner side. I came from the practitioner and leader side. I spent the majority of my career in the same position that many of your clients, your prospective clients, all of Trace3’s clients sit in, which is: “I know I’m not the only one who has this problem. I know there are other companies like me that have made the decision.Why can’t I find a good source of advice?” And that was me. I remember asking our partners and looking for other companies that I could find the same advice for. When I came across Trace3 and the fact that Trace3 had a group that was dedicated to it, it wasn’t a sales role. It wasn’t an engineering role. It was dedicated to understanding the landscape, understanding and communicating with our clients so they could figure out what people were doing and how best to solve the problem. I had the opportunity to basically pay it back to an industry that I felt really needed it.


00:01:33
Mohit Tiwari:

That’s amazing. Just in terms of timeline, you were practitioner and then you’ve been leading innovation? 


00:01:40
Katherine Walther:

Yeah, so I have been with Trace3 almost eight years, eight years in total. Prior to that, I spent about 18 years doing… I started off in help desk and worked my way all the way through, like most people of that time would do, all the way up to IT leadership. With Trace3, I’ve been in with the innovation team for roughly the eight years, although I did a little stint with the sales teams just because I had never been in sales before. It probably made sense for me to understand what that was. Then I came back to lead the group and it’s been three and a half years now of leading the group. 


00:02:27
Mohit Tiwari:

Amazing. It’s particularly interesting in the industry. It seems like innovation is where science projects happen in the industry, whereas at Trace3, your innovation team is what leads Trace3 into tangible business. I was just curious, what does a day, a week, a month, a quarter essentially looks like at innovation at Trace3?


00:02:51
Katherine Walther:

It’s so true. Actually, when I first joined the company, innovation was a word that was a little bit more reserved for IT. Then the advent of the chief innovation officer came along and business took it over and it became more of a business function, business function and innovation for new product lines, new market segments. Innovation during that time left IT and it wasn’t really the IT thing to do. Now it’s starting to come back. During that time, Trace3 has continued to boost the innovation part of it for specifically IT. What it now really has represented, especially in light of a pandemic that pushed people into making technical decisions that they may or may not have been ready for. Then all of the environmental variables that go along with it and the emerging use cases coming out all the time, it has become now not just the way to make the Trace3 differentiator, but it’s actually driving business, which is driving IT value, which is then driving business value. 


00:04:01
Mohit Tiwari:

Super interesting. As part of innovation, do you get to see, what does it tangibly mean? Does it mean that you are finally incubating new companies or new products? 


00:04:15
Katherine Walther:

I completely missed that part of the question. I didn’t give you that answer. A day in the life, our mission is really to scout and vet emerging technologies. What we’re looking for are those trends. Every morning, my team scouts, we view what’s going on, and we’ll come across very interesting solutions. My second question after what it is that they do is, can we find other solutions like it? Can we find the market? Can we find the competition? If we can find the competition, can we establish that this is a trend? If we can establish it’s a trend, can we establish that it is solving a problem that is necessary? Is it ancillary? Is it solving a problem that people don’t know about quite yet? That’s what a day in the life is looking for. The flip side of that is advising clients on that journey. We’re finding these trends. This is what these trends mean. Oftentimes, especially now, you always have this set of mandates that come from executive leadership. That mandate really tends to necessitate innovation. Given the recent rise of emerging use cases, there’s a groundswell of individual contributors in IT that are pushing innovation up. I think that’s also interesting as well. When we highlight to our leaders that are our clients what might be happening, they might not fully know that that problem even exists in their environment because maybe the innovation started at the ground level, at the individual contributor level, and not so much a mandate from a leader. 


00:05:58
Mohit Tiwari:

That makes sense. That’s really interesting. At least from my experience, it seems that Trace 3 is pretty unique in this aspect, whereas you counsel, you have these coaching sessions with customers where you bring in new technology from cloud to security to LLMs and so on. I thought that was quite interesting how at the edge of the curve you’re really staying. 


00:06:26
Katherine Walther:

I agree with you. We do have a few copycats. We do have a few other companies who are extremely well-respected that are doing the same thing. I think the investment that Trace 3 has made to not only have the group but grow the group and grow the group’s focus has made the differentiator for Trace 3, that’s for sure. 


00:06:49
Mohit Tiwari:

That makes sense. On the flip side, I heard Sandy Salty, your CMO, once mentioned to me that part of Trace 3’s mission is to be very intimate with your customers. How much does that play into what type of innovation are you bringing in to the customers? 


00:07:07
Katherine Walther:

It’s such a great question. A lot of companies like Trace 3, a lot of solutions integrators like Trace 3, who maybe started off as a reseller in the same way that Trace 3 did. The relationship of a reseller is very different than the relationship of a solutions integrator. If most companies haven’t made that relationship jump, then the innovation doesn’t even work because what you’re essentially saying to your clients is, I have instilled enough trust in our relationship. I’ve proven that Trace 3 can deliver enough for me to put you in front of a team that does nothing but study the landscape and you trust what comes out of that group. I think that the intimate relationships are 100% the precursor to the messaging that comes out of innovation and the recommendations that come out of innovation. 


00:08:00
Mohit Tiwari:

That makes sense. You said something about wetting the market as well. What is your process or your lens on how do you evaluate which problem is incipient and which companies are solving that problem in a step function jump manner? 


00:08:22
Katherine Walther:

In some cases, I draw upon my experience and the team has experience as well. We draw upon that experience and that’s easy to jump on. There’s other cases that are probably smaller use cases that we’re not 100% sure the problem even exists. In fact, our team, every morning we find ourselves coming across at least one solution where I would say, is that a problem? Is that problem existing? Part of the vetting process just doesn’t include things like how much are they funded? Where are they funded? Do they actually have a product? How much experience do the founders have? What are they able to present? All of those pieces that you would expect vetting would include, but it’s the market vetting that I think makes the most sense. Because if you sit alone in a market, then there may not be a big enough market to say it’s worth us putting our name behind and saying we think this is going to be a thing. If you sit in an adjacent market, maybe it’s worth bringing up. But if you sit in a market where there’s incoming, then the problem is probably already well established. Or it’s at least well established early enough that you have a fair amount of investors who have decided that that problem statement truly exists. And you know, you found yourself in this very same position.


00:09:48
Mohit Tiwari:

Yeah, absolutely. Absolutely. One question that I was thinking about, Catherine, is what are the areas of investment in cloud infrastructure or security where you think that there is a step function jump that is incipient? What executives should be thinking about? 


00:10:11
Katherine Walther:

Yeah, I think, so this is probably my favorite trend. And if anybody’s listening to this, who’s heard me talk before, I’ve said this trend, so pardon the repeat. But for years, years, we have been hearing and I get different numbers, but I think it’s probably eight years or nine years, we’ve been hearing about identity as the new perimeter. And I don’t think that we’ve been able to actualize or even operationalize that concept. Because we’ve always had this infrastructure focus on protection, you know, we’ve had this castle concept of protection and cloud has changed that paradigm 100%. And so leaders who have tried already and probably struggled to do this, you know, zero trust, or now what you know, Gartner is calling an identity first security strategy. It’s very difficult to implement an identity first security strategy when you cannot contextualize the asset to the identity and understand what that relationship looks like there is, I can’t even I can’t even begin to fathom a way to do that. And so now what we’ve seen in cloud, and more specifically in cloud security is, you know, we got the glimpse of it with CSPM, we even got the right, you know, started to head in the right direction with CIM. But now with data security, posture management, we’re really seeing the asset, however, private, or important to an organization be tied directly to the access that it may have available to it. So this becomes, I believe, the biggest strategy play for most organizations that are in cloud, even if you’re in cloud a little bit, which is to move towards an identity first security strategy. And that isn’t a single solution that you buy. Rather, it is a combination of solutions that are informing identity, so that we can eventually get to a more dynamic access .And I think this is how we achieve this identity first security strategy. That is like the most important thing.


00:12:40
Mohit Tiwari:

Amazing, amazing. And Katherine, how if I was an organization… Trace3’s customers are all pretty large organizations, right? So what symptoms should I look for to see if this is the moment for me to invest in this breaking trend? 


00:13:00
Katherine Walther:

Yeah, I think, well, look, some organizations won’t make the investment until an incident happens. And obviously, you know, better to make the investment at some point than at no point. But ideally, you start to make that investment before an incident happens. And I would go as far as to argue that the organizations that have already started to invest in data security posture management, are seeing that they were either on the cusp of something that could go wrong, or they’ve witnessed something that has gone wrong. So I believe that most organizations who have already been cloud, who have already adopted cloud security posture management, are really well positioned to take on data security posture management. I believe that both of these posture management tools, and I’m inclusive of the CNAP. So those listening, I’m inclusive of CNAP. But those tools signify a change in operations, not just a change in operations to security, but a change in operation to cloud operations. And I think that change that we’re going to see is going to come in the form of new identity leaders, we’re going to have new identity tools, we’re going to have tools that broaden the ecosystem of what vulnerability looks like, because we’re contextualizing with identity. So if that’s the end state, and you’re you’re at cloud security, then then it’s already time for your Data Security Posture Management.


00:14:43
Mohit Tiwari:

And you mentioned something really interesting, you kind of said that Data Security Posture Management is foundational towards starting an identity focused security program. And it sounds, in hindsight, pretty obvious, you know, data is what I’m protecting, security is what I want. Data security should have been a thing for a while. Why do you think now is the time that the sort of gold rush has started? 


00:15:11
Katherine Walther:

Well, I think the castle was easier to control when it was on premise. And when the castle was easier to control on premise, data security took a backseat to infrastructure security. And data security became more around just infrastructure. And so I think, as an industry, we’re just barely starting to make the shift to redefine data security. And I think that shift is we’re probably still at the beginning of the shift. You know, even though we’ve been studying it for a couple of years, we’re probably still at the beginning of that shift industry wide to make that change. So I think there’s that. (15:58) And when the castle was easily controlled by those that manage the infrastructure, replicating data, moving data, the growth of data was far less explosive than it is now. Now it is so easy to spin up more data in the cloud, it’s so easy to replicate more data. In fact, it’s so easy that if it is not begging leaders to re-question what they thought data security was, it should be by now because replicating it can go far and wide with a very, very little entry fee to do so.


00:16:38
Mohit Tiwari:

That makes sense. So it’s just the cloud migration really has also taken off. And I see what you’re saying. All the plumbing and all the ease of elasticity of the cloud is really driving this stuff. 


00:16:51
Katherine Walther:

For sure. And you can think about it. I mean, even in my past life, different business units needed access to data and they wanted to play with data in their way. So they would replicate the data, they would use the data for their own purposes. And when you did that in an environment that was 100% on-prem, look at all of the approvals that you needed to get a copy of that data. You don’t need that anymore. And it’s so much easier to replicate data. It’s so much easier to spin up another database. It’s so much easier to save unstructured data everywhere. 


00:17:30
Mohit Tiwari:

That’s awesome. That’s awesome. And kind of jumping into the, okay, if we identify the problem and I want to figure out how to make sense of the very fast growing community of products in this space, what do you look for? And how would you place Symmetry in this graph of attributes? 


00:17:54
Katherine Walther:

Yeah. So I think… in my opinion, much like all other posture management, this is the beginning. This is the very beginning. When we’re looking at the landscape of options, what you really want to look at is who’s most poised to go to the next chapters of what cloud data security looks like. And that has so much to do with how well we can create the relationship between the data asset and identity. And that’s where foundationally how we start to make sense about how the market starts to shift or break up a little bit. And we know what data is important and where that data is and how do you want to classify it and who’s responsible for that, of course, has something to play with it. But ideally what we’re really looking for are those companies that can go beyond the posture management. I believe much like cloud security posture management was chapter one, we’re seeing CNAP is chapter two, data has a chapter two. And I think that chapter two is those solutions who are poised to go to that chapter two, which is really creating that contextual relationship of identity to asset are going to be the most poised to go into chapter three, which is going to be more of a protection response.


00:19:26
Mohit Tiwari:

Amazing, amazing. I think that’s really great. And in terms of who would be the primary landing point for this new class of products, right? So the way you phrased it is that this link between data and identity has to be made and operationalized for cloud heavy organizations. This could land up in IAM teams. If we go the identity first route, this could land up in security architecture, kind of cloud security teams, or this could even be driven by data centric compliance organizations. How do you think as an organization, if I’m an executive leader, how should I onboard this new class of technology?


00:20:09
Katherine Walther:

Oh, it’s such a good question. For which I’m not sure I have the best answer to it because I think that in an organization that especially who is invested in cloud, even more importantly, multi-cloud, where identity sits today is equally important. If that identity group has moved into security, as we’ve seen that trend take hold, then I think security becomes the owner, the key champion of this. But you can’t do this with just security champion alone. Operationalizing the results that come out of this is a joint effort between the data teams, the operations teams, or the cloud ops teams, and the identity or security teams. Because ultimately when a breach happens, or if when a breach happens, ultimately it will be that trifecta of folks that are going to have to answer those questions. How did this happen? What did we lose? How can we prevent it in the future? And it will be the conglomerate of those three groups that have to answer that question. It cannot be singular alone. But there has to be an owner. Three people can’t own it. And three leaders probably doesn’t result in something well. So I believe today that’s likely going to sit with most security teams. If we continue down the path of identity for security strategy, I believe we’re going to see a new leader come out of that. And that leader might be something like the VP or president of identity and analytics. In which case, some of these tools might end up being under that person.


00:22:08
Mohit Tiwari:

Makes sense. And at least one thing that I have observed is if most organizations, if they have a partner, they can call up that partner like Trace 3 to help do an assessment and evaluation and find a more tailored way for where the organization is today. 


00:22:28
Katherine Walther:

For sure. I mean, at some point in time, it might get to the CrowdStrike model where it is more of a managed service than anything else. And that’s probably when you think about the explosion of data and then you think about all the implications behind it, maybe there’s a model there that makes sense.


00:22:54
Mohit Tiwari:

Awesome. Awesome. And one other thing that we’ve noticed is a lot of companies really scrambling to figure out their strategy to put LLMs, large language models, more generative AI techniques to use. And that itself has acted as a catalyst for cataloging what data do we have across the environment, creating safe spaces so that private models can be trained and so on. What are you seeing and how do you propose organizations think through their data strategy in this context? 


00:23:30
Katherine Walther:

So I have been telling people that large language models, leveraging large language models is going to give Data Security Posture Management the violent shove forward. Because the first and foremost is when most organizations are going to leverage an existing foundational model, they’re going to bring their private data they’re going to bring in their own prompt engineering against a foundational model that already exists. We’re already seeing that as the most cost effective resource effective way for most organizations to take advantage of it. But you are bringing your own private data, which means that the first rule applies and you have to know what data is where and who can access it and not who is inclusive of service accounts. And this becomes the biggest and first line of defense that most organizations are going to have as they start to take advantage of this emerging technology.


00:24:37
Mohit Tiwari:

Amazing. That’s awesome. And similarly, like, you know, there’s a very foundational question pretty much on the other end of the almost innovation spectrum, which is you have backup disaster recovery as a top order concern, especially with different types of ransomware attacks and such. Is there a use case for, hey, we should have a more considered disaster recovery strategy for our cloud environments? Should that be? Could that be a landing point for data security? Or should we just leave it to…


00:25:12
Katherine Walther:

Oh, that’s an interesting question. I don’t know the answer to that. I’m not sure. I haven’t thought about that enough. 


00:25:23
Mohit Tiwari:

We can keep this one for a second episode.


00:25:27
Katherine Walther:

Yes, I think so. I’m going to do some thinking on that.

Related Posts
Clear Filters
Symmetry Systems Shines as Finalist in Cloud Security Alliance Startup Pitchapalooza
Symmetry Systems Shines as Finalist in Cloud Security Alliance Startup Pitchapalooza
September 24, 2024
Symmetry Systems Shines as Finalist in Cloud Security Alliance Startup Pitchapalooza
Talking DSPM: Episode 4 – Dr. Mohit Tiwari
Talking DSPM: Episode 4 – Dr. Mohit Tiwari
September 10, 2024
Talking DSPM: Episode 4 – Dr. Mohit Tiwari
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Tracking
This website uses functions of the web analytics service Google Analytics.
Required
YouTube
This website uses YouTube service to provide video content streaming.
Required
Privacy Policy Cookies Policy