Were you impacted by the Okta compromise announced in March 2022? What were your thoughts on it?
It was the same as when RSA SecurID had an incident about eight years ago or so. That was much more significant because you really can't change vendors. You were limited in what you could do.
With the RSA incident, the switching cost was especially difficult. I worked at the government at the time and we all had tokens, but you couldn't even get new ones immediately. Suddenly we had millions of tokens out there that were no longer usable because they compromised the seeds, so there was no coming back from that. The Okta one's a little different because everything's software now.
I was a OneLogin customer in 2017 when they had a full compromise of everything and that was brutal. Our solution was to move all the apps to Okta as quickly as possible, one by one. That was how we solved that, and there were other ways to solve it, but you had to rotate everything. You had to assume your MFA seeds, user account passwords, and any API integrations were potentially compromised. You just had to assume full compromise everywhere.
Tabletop exercises are great, but you also have to consider the smaller companies too. I'm super surprised when I'm talking to potential customers and they say they don't have any MFA. They have a class B subnet and everything's open, even the data center. And some companies like that have government contracts. How can you have government contracts in your network when it looks like that?