ESG's Dave Gruber discusses email security with Josh Douglas of Mimecast.
Dave: Hi, this is Dave Gruber from ESG, and thanks for joining me in my continuing Modern Email Security series. Today, I'm joined by Josh Douglas, vice president of product from Mimecast. Welcome, Josh.
Josh: Thank you, Dave.
Dave: Hey, Josh, with the current complexity and the modern threat landscape, we're seeing adversaries leveraging email in many kinds of attacks. This has required email security providers to dramatically expand the breadth of their solution. Can you talk a little bit about how security architects need to expand their view of email security and why?
Josh: We could talk about it from an email security 3.0 standpoint, but it's really about understanding external risk, internal risk and even third-party risk, and how do you take all the information that you get across those various different pieces, and apply them to all of your security capabilities.
Dave: Hey, that's interesting, Josh. What was once a point solution, where email security solutions were basically concerned with inbound email and filtering out malware that was associated with that, now we're thinking about email in kind of a different way for a much broader perspective of threats. But at the same time, cloud delivered email has become pretty commonplace with the cloud service providers including some pretty good email security controls at our offerings.
Our research tells us that most think email security's in a state of transformation, some because the whole delivery model of email has changed, but also because the attack surface and threat landscape has also grown dramatically. So, when people are planning upgrades to email security, how should architects be thinking about extending native security controls, including within their offerings?
Josh: So, the one thing besides the external threats that they should be worrying about to keep that external risk down, which is the traditional MTA with security controls, they should also be thinking about how quickly they can remediate, reducing dwell time. They should also be thinking about how can they train their users to not click on things. They should also be concerned about their brand and how it's being utilized, and this is more of the third-party risk, versus, you know, just thinking about this as a one-person show.
This is really a collective problem and how all those pieces marry together and even head out to their other products, so that way they can create a more holistic security strategy.
Dave: So, there continue to be new email solution providers cropping up that are focused on some very specific problems, not the least of which is phishing and business email compromise. Is there a need for a combination of these specialized purpose-built email security solutions in addition to broader email security platforms like Mimecast?
Josh: Yeah. I think that if you're looking at it from a single point solution standpoint or an augmentation to some of those productivity suites, sure, that could be a case. But that's really a cost-effective approach solely by itself. It's not really a security strategy. Whereas, if you're thinking about this as the holistic approach looking across those three risk elements in organizational risk, you have to think broader, because even some of those products themselves, the productivity suite, can be utilized against a company, meaning that the adversary can utilize it to their benefit.
So, you need a more holistic approach there too. You also have to think about the capacity and uptime that occurs with that because some of those API approaches will fail in the process of email security.
Dave: Taking a step back, how is Mimecast thinking differently about email security, and what kind of results are your customers seeing based on your approach?
Josh: Yeah. So, we have a tagline about, you know, making sure that bad things don't happen to good organizations. And there's a good reason for that because we're thinking about cyber resiliency. And some of the results that we are getting out of our customers, because we're thinking about this in a multi-zone fashion and multi-risk fashion, is that our end users, and even the companies themselves, are 5.2 times less likely to click on a malicious link if they have, say, email security and awareness training together.
That means less downtime, it also means less incidents for our companies to have to deal with. It means operational savings. So, instead of thinking about this as an email security problem, we're thinking about it more of a productivity problem.
Dave: The idea of cyber resiliency really hits home for me on a broader basis. Josh, so interesting and so glad that you could join me today. Thank you for viewing another episode of securing email in the modern work environment today. I'm Dave Gruber, this is Josh Douglas again. Have a great day.