What is Trusted Support? Brennan Baybeck, VP Global I.T. Risk Management at Oracle, joins industry analyst and CXOTalk host Michael Krigsman to discuss the role of trusted support as a key component of a good IT governance structure for an organization. Learn about the importance and components of trusted support. The increasing security threats and vulnerabilities that organizations face every day have created a need for security at every level of an organization. This includes the ability to keep systems maintained, updated, configured and patched.

According to Baybeck, third-party support providers have limited access to software code of the software vendor, where critical updates, including patches, are made. Instead, the software support services offered by some third-party providers offer alternative approaches. Organizations cannot sacrifice security and should be working with a trusted partner that provides true security patching, proactive maintenance, and comprehensive support. 

Brennan Baybeck is vice president of Global IT Risk Management for Oracle Corporation (USA). Baybeck leads IT security risk management for Global Customer Support Services at Oracle Corporation. In this role, he also is responsible for leading security, privacy and availability for Global IT’s key enterprise IT services, including GIT’s cloud initiatives. He has more than 20 years of experience in IT security, risk, audit and consulting and has worked in various industries designing, implementing and operating enterprise-wide programs to address global security risks. He has held leadership positions at Sun Microsystems, StorageTek and Qwest Communications, and served as an information security risk consulting manager for several years. Baybeck also has been actively involved with ISACA for more than eight years, serving as chair for various working groups and as a board director.

Transcript

Michael Krigsman: When it comes to enterprise software, support is so important. That's why, right now, we're learning about trusted support. What is it? What are the components of support?

I'm Michael Krigsman. I'm an industry analyst and the host of CXOTalk. We're speaking with Brennan Baybeck, who is vice president of global IT Risk Management at Oracle. Hey, Brennan. How are you doing?

Brennan Baybeck: Good. Thank you.

Michael Krigsman: Tell us about what you do at Oracle.

Brennan Baybeck: I lead a global security risk management organization at Oracle. We focus on security operations, security risk management, compliance, certifications and attestation, and just general security topics as well.

Components of Trusted Support

Michael Krigsman: Brennan, when we talk about support or trusted support, what do we mean? What are we talking about?

Brennan Baybeck: Trusted support is a key component of a good IT governance structure. Inside of trusted support, you would have things like patching, change management, ensuring the integrity of updates and maintenance necessary, as well as other components that I look for would be innovation and automation.

Michael Krigsman: Security and governance are clearly core elements of this.

Brennan Baybeck: Definitely. One of the things that's absolutely necessary is that we are keeping our systems up to date. The threats and vulnerabilities that are occurring on a daily basis, they continue to increase. It's a necessity to keep systems up to date, keep them patched, keep them maintained, properly configured, and that's where the security comes into play.

Michael Krigsman: You need security at every layer in the stack.

Brennan Baybeck: Correct. These IT environments, enterprise-wide IT environments, are extremely complex. They're made up of various components and pieces and parts, so as systems grow more complex. It used to be big enterprises that would only have to be worried about working with, you know, trusted partners and partners that could handle their enterprise needs. But it's extending into medium and small businesses as well now too because of the types of IT environments that are being produced at these businesses.

Michael Krigsman: It's interesting that cloud brings yet another level of complexity to this as well.

Brennan Baybeck: It does and, in those environments, you have to rely on partners, actually. At that point, you don't have a choice. If you have a SaaS offering or you're using a SaaS service, for example, the partner takes care of a lot of things for you. Finding a partner that's doing good vulnerability management, has good change management, understands their patching and how to address their vulnerabilities in their products, as well as providing good visibility and reporting to you is extremely important.

Michael Krigsman: The reporting is a crucial part.

Brennan Baybeck: It's definitely a crucial part. The main reason is because, when you move to using cloud providers, you are relinquishing some level of control, which requires more visibility and reporting and understanding of what your provider, your trusted partner is doing.

Software Patching

Michael Krigsman: Now, where does software patching fit into this equation?

Brennan Baybeck: Software patching fits into the operations management of an organization. It's right alongside with configuration management, the asset inventory and, also, threat and vulnerability management. They all kind of fit together into a process that you do for ongoing software management.

Michael Krigsman: This may be an obvious question, but what are the risks of not following the right software patching protocols and governance?

Brennan Baybeck: If you don't have the right processes and protocols in for software management and good governance over those processes, your business is going to be subjected to the threats and vulnerabilities that are out there today. It just takes one change inside the IT infrastructure to now open up the threat model and open up a new threat vector that could potentially affect you.

Michael Krigsman: What's the relation between security patching and source code?

Brennan Baybeck: If you don't have access to the source code and you don't understand the source code, it's very difficult to protect against vulnerabilities to that source code. Having a trusted support partner that obviously understands the source code or owns it, for that matter, it's very important because they're the ones that understand all of the intricacies of their products and giving you the tools, the technology, and the automation to patch those effectively.

Michael Krigsman: Do you have any advice that's specific for small and medium-sized companies who don't have the budgets of the largest companies in the world?

Brennan Baybeck: For small and medium-size businesses, relying on your partners and your vendors is extremely critical. Now, with smaller and medium businesses aggressively moving to cloud services, you want to find a partner that has the ability to do that along with you as well.

Advice for Large Organizations

Michael Krigsman: What advice have you got for large organizations who are looking at this?

Brennan Baybeck: Don't think you can do everything on your own. Many large organizations, they were able to build these programs up over the last several years. But with their businesses aggressively moving to cloud technologies, rely on those partners to help you with that instead of trying to do it all on your own.

Michael Krigsman: Okay. Brennan Baybeck, thank you so much.

Brennan Baybeck: Thank you.
