How Microsegmentation Helps Energy and Manufacturing Stay Breach Ready

GigaOm CEO Howard Holton speaks with Gautam Sinha, VP, Energy and Manufacturing at ColorTokens, about the disruptive shifts reshaping cybersecurity across energy, manufacturing, and operational technology environments.

The conversation explores why breaches are now assumed, why perimeter security is no longer enough, and why organizations must focus on limiting lateral movement once attackers get inside. Gautam explains how ColorTokens helps teams gain visibility, identify risk, build confidence through simulation and monitoring, and use microsegmentation to reduce blast radius without disrupting operations.

The discussion also looks at the growing complexity of connected OT environments, the risks created by unmanaged assets and legacy systems, and why breach readiness is becoming essential for protecting production, revenue, and business continuity.

Gautam Sinha: Breaches will happen regardless. Best intent, best folks putting in the best effort every time, uh, breaches will happen. And it’s nobody’s fault, it’s just the nature of folks, the threat actors proliferating, nation states getting involved in the picture. Uh, it’s just gonna happen.

Howard Holton: Welcome to another episode of Business Disruptions in Tech. As always, I’m your host, Howard Holton. We are here at RSA 2026, uh, and we are having a conversation with my new friend, um, Batman, uh, Bruce Wayne, uh, Gotham. Hi. The vice president of energy and manufacturing- That’s right, Howard … at ColorTokens. So, uh, I, I had to play with the name just a little bit.

Howard Holton: It’s the end of the day, had a little bit of tequila, but also, uh, you know, how often do you get to do that?

Gautam Sinha: Yes, exactly. And I didn’t forget my cape today, so at least a little more. But thanks for having me over, Howard. Glad to be here. This is a great forum, a great conference that we’ve been at, and it’s really good to see all the folks energized by what’s happening in the cyber defense world.

Gautam Sinha: I come from the world of operational technology, where, um, breaches are a breath away, you know? Oh. Every day is you’re one hair width away from disaster. So I’ve lived that, and I think, uh, it’s nice to see so many people working so actively in the programs to try and fix the problems that are out there.

Gautam Sinha: And, um, especially with AI all over the place. I mean, it’s just taken us.

Howard Holton: So I haven’t really left this room. Is, is AI actually becoming a thing? I, I hadn’t, hadn’t heard a lot. Yeah, you’ve been the,

Gautam Sinha: you’ve been the hermit, haven’t you? Yeah. It is a big thing, but what I do want to appreciate is the fact that folks like you, leaders, um, thought leaders out there, you guys have sort of recognized what, you know, we do.

Gautam Sinha: Um- And, you know, what we do is something that is s- very critical to the world at large in the sense that we do something, we prevent lateral movement, right, of traffic. And that’s some, that’s something that’s not appreciated too much. Because everyone looks at, okay, my password got stolen, my identity got stolen.

Gautam Sinha: But, uh, most clients, most customers, most institutions benefit by having a network infrastructure sort of solution in place, and that’s where we come in. We help prevent bridges, breaches, right? So everyone spends a lot of money. We, you and I have firewalls at home. We’ve got everybody that, everybody’s spending gazillion dollars on, uh, firewalls, on letting the bad guy out.

Gautam Sinha: The perimeter is not what it used to be, though.

Howard Holton: I mean, I would argue there’s no perimeter left. You, you, you got it. Right? You got it. We, we, we could, we can pretend. Yeah. But this thing happened… I’m, you know, I, I missed it almost like I missed AI. Mm-hmm. Um, well, what was it? It was five, five, five years ago. I think we just hit the six-year anniversary.

Howard Holton: Yeah. Right? Um, this little thing called COVID, and all of a sudden, right, all of us in operations went, “Oh, crap, we’re sending everybody home.” Yeah. Well… Right. “I need some laptops. I need some remote connectivity.” And that VPN thing that, that, you know, you hated and was kind of tier three, all of a sudden that became the most important device in the office.

Howard Holton: Yeah. Right? Um, at that point, it, it really was the final nail in the coffin of a perimeter that had been disappearing for- Exactly … for years, and years, and years. And

Gautam Sinha: unfortunately, psychologically, it’s a great thing to have, and it’s necessary. It’s, it’s got a role to play both in the enterprise world, in the factory floor, everywhere.

Gautam Sinha: It’s got a role to play, and don’t get me wrong. You, without it, you’re kind of out there naked. Sure. You, you, there’s no way you cannot do it. But, you know, starting with the Great Wall of China to Constantinople, none of the perimeters have stood the test of time. So- Oh, I love that. I love that … so, so, so we have to be a little creative, and we work with the premise that breaches will happen regardless.

Gautam Sinha: Best intent, best folks putting in the best effort every time, uh, breaches will happen. And it’s nobody’s fault, it’s just the nature of folks, the threat actors proliferating, nation states getting involved in the picture. Uh, it’s just gonna happen. And we start with that premise and say, “Well, well, if it’s happening, what’s the next m- sensible thing to do?”

Gautam Sinha: You know, get ready for it. If your front door is going to be broken then- Sure … at least you can put locks between the rooms in your house.

Howard Holton: Sure. I’ve been in cybersecurity for a long time. It used to be, “Don’t you dare let it happen.” Yeah. “Better not happen.” Then it was, uh, “When do you think it’ll happen?”

Howard Holton: You’re right. Like, “How much time do we have?”

Gautam Sinha: That’s right.

Howard Holton: Then it became, “How bad will it be?”

Gautam Sinha: Exactly. And

Howard Holton: that’s where we’re at today. Today we’re not at, “Don’t let it happen.” Anyone that says that is, is crazy. My board of not overly technical people, they just wanna know, and, and this is not just the one I have now, the one I had before and the one I had before that.

Howard Holton: That’s right. How bad will it be when it happens? Mm-hmm. And what can we do to make it less bad?

Gautam Sinha: Exactly. Right? And, and how do I ke- you know, when you come, when you come from the OT world where I come from, a minute of downtime is in millions of dollars. Sure. Right? Can you imagine New York’s, uh, Stock Exchange going dow- offline for a minute, for example?

Gautam Sinha: The- just, it’s an unthinkable premise, right? Sure.

Howard Holton: You, you and I have a s- somewhat similar background there. My, the place I came to before GigaOm was remanufacturing. Yeah. Right? Uh- There you go … 22 locations, global business, multi-billions of dollars. Like, um, there are, there are… You know, I was talking to somebody yesterday, there are three things I must be able to do.

Howard Holton: Must, period, end of statement. I must be able to pay people, ’cause if you screw up payroll- Exactly. You- You, you can get fined to oblivion. Yes. The penalties for that are terrible. Right. The second thing I must be able to do is ship product. Mm-hmm. Not build it, but ship it. You got it. The third thing I must be able to do is collect money.

Gautam Sinha: Yes.

Howard Holton: Not even pay. Yeah. I can call somebody and go, “Hey, we just got ransomwared. We’re gonna have a delay.” Nah. It’s not actually that big a deal. It doesn’t- If I can’t collect money, I’m done. Yep. I must be able to do those three things. Yeah. When you start talking to businesses and you go, “Uh, okay, so what are your crown jewels?”

Howard Holton: And they start listing any of those other three things, you’re like, “Ah, I think we need to…” Yes. “I’m talking to the wrong person.” Yeah. “I think it’s time to take a step back. How do I get the right person in the room? ’Cause you don’t understand the, the, the necessity here,” right? And when you’re looking at something like a, a manufacturing facility- Yep

Howard Holton: um, I did a, a, you know, when I, when I kinda took over as CIO and CSO, I flew to Ventura. Mm-hmm. Uh, I go to visit our facility. Mm-hmm. I do a whole tour of the facility. Mm-hmm. Um, and, and, you know, I’m a kind of a cheeky, funny kinda guy, and, and they go, the president goes, “So what do you think?” And I went, “I’m super impressed.”

Howard Holton: And he goes, “Uh, uh, r- really?” And I went, “Yeah, I didn’t realize we built time machines.” And he goes, “What?” And I went, “Yeah, man, I didn’t realize we built a time machine back to the 19, uh, 70s.” And someone sitting next to me goes, “I, I’m pretty sure it was the ’80s.” And I went, “No, no, no, no, no. By the ’80s we’d switched to whiteboards.

Howard Holton: There’s still chalkboards out there. It’s the 1970s.”

Gautam Sinha: Well-

Howard Holton: And, uh, a- and the reality is the, the, the manufacturing of products is how the entire world continues to operate. That’s right. We’re not going to get away, away from it. But we probably have 300,000 manufacturing companies that are still running off chalkboards and whiteboards.

Gautam Sinha: Oh, gosh, yes. And, and, and, uh, you know, you’ll be surprised. I mean, I don’t have to tell you. I’m, I’m not preaching to the choir here, you know? Admin, admin credentials, number one. Right. Post-its.

Howard Holton: Password 123. Exactly. If you ever wanna learn a, uh, like the first thing you do, you wanna find a password, you take a keyboard, you go like this.

Howard Holton: Yes. If there’s no password, just pick another desk. Five desks away, someone will have written their password. And there’s- And they’ll have crossed it out.

Gautam Sinha: Yes.

Howard Holton: And they’ve done it 27 times. Ha-

Gautam Sinha: exactly. Right? So they have been compliant with the policy. Correct.

Howard Holton: Correct. Oh, look, they do use complex passwords here.

Gautam Sinha: And they change it every month- Right … when I send a reminder. But yeah, it doesn’t happen that way. So yeah, the whole notion, you brought up an interesting point, Howard. The notion of a crown jewel, it’s not an asset. It’s not sitting on your server. It’s the operation. It’s the continuous running of your operation that is a crown jewel.

Gautam Sinha: The fact that you keep your factories running, the fact that, you know, a refinery keeps distilling those, the crude oil. And you can imagine what happens if a, if a refinery goes down, right? Yeah, for sure. You see it at the pump right away. So, uh, the, you gotta think of the crown jewels a little more abstractly in the OT world.

Gautam Sinha: It’s not your payroll. It is the payroll, yes, but also the fact that your factory is running full time. Now, the other thing that, uh, seems to have happened over the time, we’ve talked about this IT/OT convergence, and there’s been a serious injection of technology on the floor itself. So, you know, your attack surface has just grown through the roof.

Gautam Sinha: People don’t think about it, but the fact that, you know, somebody brings an NFC scanner to do something, to read off, uh, or connect, make a Bluetooth connection, get the maintenance data and stuff like that, just how many unidentified assets are there? And so the proliferation has gone, it’s become unmanageable.

Howard Holton: Well, there’s no machine that’s not connected anymore. Yes. Right? Exactly. There’s nothing I’m not looking at, there’s nothing that doesn’t have a sensor, there’s nothing that’s not computer controlled. That’s right. Right? The only things that aren’t computer controlled are the, um, the little roller that you shove a box down is the only thing- Yeah

Howard Holton: that’s not computer controlled. Yes. And even that- Yes … has a computer controller on either ends at a minimum. Yes. Right? And it’s recording- It’s like- … how many

Gautam Sinha: bumps a minute you’re getting. Right. And there, there’s a, there’s a sensor out there that’s recording the vibration that’s going to tell you when you need to change the roller.

Gautam Sinha: So even that is- Right … predicated on a, some IIoT device of some kind. And none of

Howard Holton: it- Yeah … is built or owned, none of it is technology that’s built or owned by one source- Exactly … or the business itself. Right. Right? That is, that is hundreds- Yes … of different vendors, hundreds of different security pieces- Yes

Howard Holton: right? Based on how they built, how they controlled, what their specific supply chain was. That’s right. Right? How cautious they were. Mm-hmm. Um, that are just laid out, and you don’t get to control any of it. Yes. I, I guarantee you can walk into any business, any manufacturing business that’s been in business for 40 years- Mm-hmm

Howard Holton: and somewhere there’s Windows 3 or 95 running, guaranteed. Oh, you’re, you’re more extreme than I was. I was g- going to go back

Gautam Sinha: as 11 or 7. Oh,

Howard Holton: God, no. XP maybe. Right. No, I know for sure, like- Yeah … just there were some laptops that were running XP. Yeah. I know for sure, uh, I, I’m not gonna name names, the, I know of a company today that is still running Windows 3 three for one of their main devices.

Howard Holton: And I’m like, I’m like, “Guys.” They’re like, “I know, but the machine’s $25 million to replace.” That’s right. “That’s not a $25 million flaw. That thing’s not connected to anything, so we’re okay with it.” They literally have USB floppy drives- Exactly … that they buy on eBay, ’cause you can’t source them anymore- Right

Howard Holton: that they use to carry stuff over to that machine and go-

Gautam Sinha: Yes, I know that. And, and, and the, this frightening scenario is God knows where that drive has been before.

Howard Holton: I mean, the frightening- Yeah, right … scenario is I guarantee you there’s a consultant somewhere, there’s an IT person somewhere that’s going, “We’ve gotta connect all their stuff.”

Gautam Sinha: Yeah.

Howard Holton: Right? And so they’re, while they’re fighting and fighting and fighting, at some point someone’s gonna not be paying attention and just walk up behind a machine and plug it in. Yes. Why? ’Cause they started three days ago, and the person above them, you know, started three days ago. Forgot to tell me.

Howard Holton: Yeah. And, and that guy retired. Yes. You know?

Gautam Sinha: Yeah. A- a- and these things slip through the cracks. So, so what we find often in, uh, in an OT environment is, um, folks are naturally more conservative, right? They don’t want to sort of, if it ain’t broke, don’t touch it. Yeah. And I’m designed, I’ve spent 20 years fixing this-

Gautam Sinha: and I’ve made it right. You don’t come in and tell me what’s wrong. Just got it set the way I like it. That’s right. Um, Mr. Operator, please tell me where your router is or where your switch is. Oh, it’s back there on that cabinet up, and nobody knows exact- nobody’s be- ever touched. I mean, if you’re, if you’re lucky and unlucky- If you’re lucky

Gautam Sinha: you see it dangling from the ceiling. That’s right.

Howard Holton: That’s right.

Gautam Sinha: So, so there are some unique challenges we run into that we solve and, and, and, and, and I’m, I’m not- No, it’s fine. S- … telling- How do you solve them? So there’s a, we have, uh, our solutions actually go in and sort of do an observability. Network traffic is visible.

Gautam Sinha: You can collect it from a bunch of sensors, right? Which is what we use. So one thing that we do with our solution is we actually gather the data in a very passive, non-disruptive way. So you don’t have to really tell me where your switch is and everything. We map it out for you. We tell you what the tra- traffic looks like, and we tell you like, “Oh, you got this vulnerability, you’ve got this surface, you’ve got this type of, uh, um, uh, risk exposure,” and we quantify that with, you know, very objective measures.

Gautam Sinha: And we let the clients know that, you know, here’s a policy recommendation, because we have all the, you know, MITRE TTPs, and all the known, um, uh, uh, attack vectors that are out there. Um, and we sort of tell them, “This is, these are your vulnerabilities. You’ve got an open port. You’ve got a, you got inactive ports that are not being used.

Gautam Sinha: Which of your applications actually need to talk- Sure … on these ports?” So we make those kind of recommendations, and then we give the clients an option to go into the simulation mode, monitor mode. So either they build their confidence with time, that, “Okay, I can do that for this set of assets. I can do it for this manufacturing line, I can do it for that manufacturing line,” and in stages grow it.

Gautam Sinha: But the visibility, I mean, I don’t wanna brag, but I have to. We recently did a, what we call an assessment study of a major, major, major logo in the world. And we got a visibility into a set of their assets within 40 minutes, things that they had never seen in their life before. Where the traffic is flowing, why is it flowing, things that really opened their eyes.

Gautam Sinha: And now obviously it leads to a lot of, you know, “What now? What now? What should we do?” Which is actually the starting point of- Right. Leads to- … a final solution.

Howard Holton: Yeah. Right? Leads to, “Holy crap, holy crap, holy crap. I don’t know what to do. What do I do?”

Gautam Sinha: Exactly. So, you know, you take them stage zero to stage one and sort of build the maturity map with them.

Gautam Sinha: So, um, so the visi- gi- providing the visibility is just step one, right? We go beyond. We give you the policies, and now with our AI-enabled engines, you can… We do it dynamically. So we are learning constantly. We are going out, trawling the space, figuring out what are the new vectors coming in, what are the threats that need to be incorporated, alerting the clients.

Gautam Sinha: We can do all kinds of things with our central console, setting the level of priorities and the alerts and things like that, which let the clients, uh, not get burdened, uh, by the level of messaging going on or the alerts going on. Because trust me, especially on the factory floor, that guy doesn’t want to get a beep- Nothing

Gautam Sinha: because port 80 is talking to port 55 on the other host, and it wasn’t anticipated. So we, and we sort of cull that out, create a priority, let them know what’s important, what’s not. Um, and, and that resonates well. Um, the other thing, Howard, and you must, you must have seen this in by the spades here in the, in the manufacturing world, uh, network segmentation is a, an element of risk mitigation, right?

Gautam Sinha: Yeah. The plant manager is more worried about the physical fences put- Correct … around his plant. So your- Every time Every time … every time. And so the ROI story has to compete against that. Correct. And that is a very, it’s a very different type of operating environment, and I think this is, uh, this, this… And I’m glad to see that there’s more awareness happening of this kind of a ROI cycle and decision cycle that’s fundamentally different than- It’s really interesting.

Howard Holton: Uh, I’m glad you bring that up, ’cause it’s really interesting when you think about, like, going to the plant and going, “Okay, like, I’m gonna steal some of your budget and this is what I’m gonna do.” And he goes, “No, no. I, I lost 30 tons of copper last year.” Yeah. “I need to stop 30 tons of copper leaving.” Mm-hmm.

Howard Holton: “That’s the security I’m worried about.” There you go. We’re like, “I, I get it. I get it, but I, I need to make sure that the entire manufacturing line doesn’t- Yes … get shut down by a third party- Yeah … that takes us forever to bring it back up. We can buy more copper.” True. Right? Yeah. And he’s like, “I don’t actually care, ’cause when I go to my boss, my boss cares about the copper.

Howard Holton: My boss is not aware at all- Yes … of whatever the hell you’re talking about, which I couldn’t explain to him if I wanted to.” That’s right.

Gautam Sinha: Yes. Right? And, and, and weaving that story and, you know, presenting it as an ROI and a risk and a, you know, GRC consideration is- Pretty much half the battle with network admins and security folks, more on the OT side than in, you know, IT folks, I think we are far more along in our maturity curve- Sure

Gautam Sinha: and understanding. But in the OT world, you run into really old curmudgeonly engineers who designed the- Yeah, for sure. Yeah, for sure.

Howard Holton: P- p- PLC guys that are like, “Don’t touch it.”

Gautam Sinha: Don’t touch it. Don’t touch it. Yeah.

Howard Holton: Well, I’m sorry, what am I not allowed to touch? It. It. What’s it? Everything. Everything.

Gautam Sinha: Don’t step out the door.

Howard Holton: Right? But, uh, I, I think there’s an important thing that we don’t talk about enough in micro-segmentation. Yes. Right? Which is, um, we are reducing blast radius. Yes. That’s the goal of micro-segmentation. Completely. Right? Um, and so think about it like a pie. Yes. You start, the pie is one pie. Your blast radius is the whole goddamn pie.

Howard Holton: Pie. Right? Every single slice you make- Mm-hmm … doesn’t have to, doesn’t have to be the final one. Mm-hmm. Every single slice reduces the blast radius. Yeah. Every single one. Mm-hmm. So don’t think, you know, when you’re thinking about your micro-segmentation strategy, don’t think about, “What is this gonna look like when I’m done?”

Howard Holton: Think about, “What could this look like in an hour?” Exactly. “What could this look like in a day? What could this look like in a week?” Yes. Don’t think about, “Oh, my God, this is a massive elephant to eat.” Exactly. Instead, think about, “How do I just paint a single toenail- Yes … so that I have two zones- Yes … and then three, and then 10?”

Howard Holton: Right. Right? And, and what you’ll find is just like a muscle. That’s right. Every single one you know more about, every single one gets easier, every single one gets more reliable. Mm-hmm. Start with the low-hanging fruit. Make some change today.

Gautam Sinha: Yes. Right? And, and that’s what our solution platform lets you do, you know?

Gautam Sinha: So you don’t have to go out and eat the whole elephant up. Start with your first basic issues, you know, the infrastructure ports, shut them down. It’s pretty easy to identify what those are. Can get a unanimous agreement. For sure. Shut them down. There you’ve reduced, I’ll just make up a number, 20, 30% of your blast radius is gone there, right?

Gautam Sinha: It’s amazing, right. Right off the bat, just by doing this. Right. Then you look at your management ports. Okay. What do you do then? And it’s, you don’t have to go into the applications and figure out the use cases, this user running this process when it talks to this ERP needs this port open. No. Before you get to that level of detail, you- There’s so much more work to do, right?

Gautam Sinha: There’s so much work to do. So much easy- Exactly … low-hanging fruit that you can deal with. Exactly. Exactly. Right. And, and we know that most of the malware spreads through these unexposed ports, you know? Because if anyone is going to put something that sophisticated in your application code- You’re running against- Correct.

Gautam Sinha: Correct … somebody serious. You’re, you’re fighting against somebody pretty serious. You’re running against state actors. Yes.

Howard Holton: And, and they’re also not likely to stop after one try. That’s right. Or two tries. Exactly. Or three. That’s probably the 100th anyways, and they’re gonna go 10,000 more.

Gautam Sinha: That’s right.

Howard Holton: Right? So, like what is it, like 14- At, at that point, call back up. Yeah. You call the FBI. Call the FBI. Yeah.

Gautam Sinha: You call the FBI. Literally call the FBI. Yeah. You, you… What does it take, 14 minutes to steal a credential or something like that, right?

Howard Holton: And, um- That’s a pre-I- pre-AI statistic, by the way. Oh, pre-AI. So I’ll take it to the bank.

Howard Holton: Oh, my God. Okay. I mean, AI is accelerating everything, right? Right. The, the attackers are using them as well.

Gautam Sinha: 36,000 scans a minute is what I’m told. I believe it. Right? And the average detection is, like, more than three months right now. So you can imagine how many Trojan horses are sitting out there in our industrial base.

Gautam Sinha: I don’t know if you caught this, but recently there was an evidence of some, uh, malware that was sta- uh, that state put in a public utility up in the Northeast. They didn’t catch it for a month and a half, a year and some.

Howard Holton: Oh. I mean, the… Should we talk about the telcos? And the fact that a foreign entity has been in the telcos for a number of years and is still in the telcos going- Right

Howard Holton: after we’ve detected them. Yes. Because it is so hard to remove. Yes. Like, uh- The routers went out the window today … these are, these are real problems- Yes … in real ways. Yes. All right. So, so lots of gloom and doom for a moment. Yes. Fine. Let’s bring it back.

Gautam Sinha: Yes.

Howard Holton: So you talk to a lot of customers. You see a lot of good and you see a lot of bad.

Howard Holton: That’s right. Um, there’s patterns that emerge. Yes. Right? Um, we don’t have to talk about… Like, we’re not trying to rank them. Mm-hmm. But if you were to give people one or two or three things that you’re like, “Look, if you just did this, you can do this on your own. If you just did this before I showed up at your door, you’d be better positioned,” what do you think some of those would be?

Gautam Sinha: Um, what I’d really do, I’d like for folks to do is get us through the door. And I’ll tell you why. Okay, so that’s first. And I’ll tell you why. Because we offer a complimentary service, which is called the Breach Readiness Impact Readiness Assessment. And that’s let’s… It’s a no cost, no touch obligation.

Gautam Sinha: Doesn’t take down your operations, nothing. We just run an, uh, run a client, we harvest your network data, we give you the vulnerabilities right away. Then stew on it. Have a talk with us to let, you know, hear what we have to say. We’ll provide you with the recommendations, and then you can go in and decide what to do.

Gautam Sinha: The op- the most important thing is to even have an awareness that the perimeter’s not enough. That’s, that’s the old way of thinking. And I think I, I don’t want to sound, uh, disrespectful. That is a necessary but not sufficient condition to secure your network and your assets. So we have to think about, when you think about network segmentation, you gotta go one level below, which is micro-segmentation.

Gautam Sinha: Which is how do you isolate, contain the breach? You are structurally ready to isolate a breach when it happens, because a breach is gonna happen one way or the other. So what we’re- I’d like to sort of spread the word, especially amongst my OT brethren, to think beyond traditional VLANs and segmentation, and consider lateral movement control that really works, that puts them in a good shape.

Howard Holton: Yeah, let’s be clear. VLANs are not security. They are

Gautam Sinha: not security. VLANs

Howard Holton: are broadcast packet reduction. That’s right. They are traffic management. Right. They are

Gautam Sinha: not security. They are not security. But- Right … but the word segmentation sort of- I understand … has a connotation that, okay, well, I got VLANs. I got this line on this VLAN.

Gautam Sinha: I got that. I got my paint shop on that LAN. So, and then- VLANs are

Howard Holton: simply a way to reduce the costs- The cost,

Gautam Sinha: yeah …

Howard Holton: of the hardware purchase necessary to deal with broadcast domains and traffic management. That’s it.

Gautam Sinha: That’s it. Right? Right. And typically we have to overcome that mental hurdle. So I’m just trying to get the word out there that it’s a different purpose, and you put it very eloquently.

Gautam Sinha: That is, it was not designed to secure your assets. Sure.

Howard Holton: Sure. There are slight side effects. I’m not saying it has zero impact on security. Yeah. But really it’s, it’s security through obscurity, if anything. That’s right. Right? All right. Who’s gonna figure that out? So, um, anything surprising you that you, that you either kind of see day to day before RSA, or anything surprise you on the RSA floor?

Gautam Sinha: I think what surprised, not surpr- I think I should have expected it, but the proliferation of agentic AI solutions is what’s really caught my attention. I honestly haven’t had the time to go down to each booth and figure out how exactly it’s being deployed. I don’t know. Oh, we are all in the same boat, you mean?

Howard Holton: I mean, at some point it just starts, like, the, the thing is so repeated, it starts to feel like the, the green matrix screen. Right. You know what I mean? Like, I don’t think there’s anything actually being said there. I, you know.

Gautam Sinha: Yeah. But I think, I think there’s something that’s, good things are gonna come out of it.

Gautam Sinha: But again, you know, sniffing out what’s really, really relevant and, you know, prioritizing for, for a, for an end client, not providers like us. So the end client, I think the challenge is always going to be, okay, where am I in my posture, overall posture? Sure. Right? And, uh, what are my fires? What, what do I need?

Gautam Sinha: Where is my burning platform? What do I need to solve for tomorrow? What will I not solve in two years that will get my seat under the door.

Howard Holton: So, so putting yourself kind of back in that seat, right? Yeah. Putting yourself in that seat, ’cause you spent time there. Yeah. Right? Um, you talk to a ton of clients.

Howard Holton: You see what works, you see what doesn’t work. Um, w- what do you have set for your kinda internal bullshit meter- Mm-hmm … that allows you to go, “This is how I’m gonna address it. This is how I know to smell out bullshit, and these are the questions that I would ask”?

Gautam Sinha: So typically- Yeah And again, I don’t want to alienate anyone, but I do want to say that, um, security folks and network folks have a very different way of looking at the world.

Gautam Sinha: Yeah, sure. Right? And, um, we tend to get bogged down a little bit on the design of the network more than anything else. And I think from our … We hear a lot of things, but I think they’re all constructive because the network guys are the closest to hardware guys in this world, right? That’s true, yeah. So they naturally tend to be a little more skeptical, and, um, we tend to hear some creative counterarguments.

Gautam Sinha: But, uh, I think the solution, uh, and, and truly, I truly believe that our solution helps them solve a concrete problem. We go agentless, we have agent solutions, everything. So they, it’s up to them to sort of adapt and get on with it. Um, but, uh, hype cycle-wise, I don’t think anybody’s indulging in that in our space.

Gautam Sinha: But I think if anything, I would say that, um, uh, we undersell the value that micro-segmentation build brings to the table. Sure.

Howard Holton: I think some of it has to do with the historical- Right … micro-segmentation, right? Micro-segmentation’s more than 10 years old. Yes. Well over 10 years old. Right. But if you looked at it back in 2013, 2014- Yes

Howard Holton: uh, like I got scars, man.

Gautam Sinha: Yes.

Howard Holton: I, oh, I get it. Like- I get it … back in the early days, it was almost an impossible mission- Mm-hmm … ’cause it was so complex and so- Yes … fragile. Yes. Any change you made, you’re like, “Oh, God.” That’s right. Please don’t make me I really … Oh, God, I gotta, I gotta start clicking. Oh, Jesus, this is gonna be bad.

Howard Holton: It’s not that

Gautam Sinha: today, right? It’s not that. And, and, uh, Howard, thank you for putting that into a historical context. So you’re right. So the, this, this is obviously the skepticism that some of the old-timers do bring to the table. But we have changed the paradigm, right? Like I told you, our approach is cut across horizontally, not application-wise vertically.

Gautam Sinha: So we actually take down ports, shut down ports, we restrict traffic according to the- It’s a high level of automation … the level of automation. It’s a high level-

Howard Holton: It’s a high, yeah … of observability. Exactly. Right? This is not humans doing all of the work and having to keep things straight- That’s right

Howard Holton: through an interface that kind of helps. This is led by automation. Yes. This is led by observability. There’s a lot of validation that goes in. Exactly. There, there’s a lot of speed- Speed … to, and there’s a lot of resilience in these modern platforms, right?

Gautam Sinha: Right. I mean, uh, the end goal is, um, we have a, a case example where, uh, we don’t, it is not our example, but, um, a, a use case of micro-segmentation in action where it was implemented in one, um, particular company.

Gautam Sinha: And I, I won’t go into more details because-

Howard Holton: No, it’s fine …

Gautam Sinha: and, and, and, and it was not implemented in a very similar company serving the same, doing the same thing. And one- Was unscathed. They saw the results right away that they are under attack, and they, uh, uh, immediately went into DEFCON 2 type of, uh- Sure

Gautam Sinha: response mode, keeping out all these bad actors. The second one went down

Howard Holton: didn’t just go down, I’m sure. Pardon me? They didn’t just go down, right? ‘Cause as we talked about-

Gautam Sinha: Yeah …

Howard Holton: if the first one hadn’t been successfully attacked-

Gautam Sinha: Yes …

Howard Holton: they would’ve been able to get that piece of the pie, and it would’ve stopped.

Gautam Sinha: Yes.

Howard Holton: Without that, it’s not just how fast you responded- Exactly … how long is it gonna take to recover? Exactly. How bad is the recovery gonna be? Right. And it, and the scale is gonna be significantly worse, right? Well, just

Gautam Sinha: think about Jaguar Land Rover. I, I try not to…

Howard Holton: I’m a car guy. I really try hard not to think about Jaguar lately.

Howard Holton: Are you a Jaguar fan? I was. You are a Jaguar… Oh, yeah. Before they changed to whatever they are now.

Gautam Sinha: I don’t know what they are now, but, but the point is back six, say, eight months ago- Oh, yeah … what a devastating attack that was. I mean, the,

Howard Holton: the JLR attack was so bad- Right … the government of England, of the United Kingdom, was considering not how do we pay Jaguar, right, JLR, but how do we make sure that their suppliers don’t go out of business?

Gautam Sinha: That’s right. Right? And, and you know, there’s this new statistic that, um, an attack on one of your hosts takes down s- the interconnectedness is so high it takes down nearly 5.76 other vendors with you. For sure. So you can imagine the spider web that we are living in, right? So one of the requirements that the British Parliament did impose is they’re gonna have to bail out…

Gautam Sinha: So many small businesses went out of business because, again, they couldn’t get paid. No small business can survive three weeks, you know? Just think about production shutdowns. So if you’ve got a mom-and-pop deli shop- Oh, yeah … outside the campus, you’re out of business. You have zero revenues. Yeah, you’re done.

Gautam Sinha: Remember,

Howard Holton: if you can’t make payroll, you can’t- That’s right … you can’t collect money, you can’t ship product. That’s- You’re done. That’s right. Right? So the point that you, that you’re not collecting ’cause, ’cause you’re a mom and pop delivering to a marquee brand in your country even- Right.

Gautam Sinha: Yes …

Howard Holton: um, and they’re just done.

Howard Holton: They can’t, they can’t accept anything new, they can’t process anything new, then you’re done.

Gautam Sinha: You’re done.

Howard Holton: And the, and the ripple of that is potentially in the hundreds of vendors. That’s right. And that’s when the government gets involved, right?

Gautam Sinha: And, and, and, and just the, the numbers being thrown around, like $2.5 billion of just lost revenue.

Gautam Sinha: It’s like zero sales. Right. So then your top line just went to zero for three weeks. So that’s the kind of devastation you don’t wish on anybody, but that’s the actual risk that can manifest itself if you’re not adequately protected. And I think that’s, that’s where, uh, it’s interesting because when they did the root cause analysis and they came up with the mitigation strategies and if you, and if you read the detailed report about how the attack spread, lateral movement, baby.

Gautam Sinha: Always. Always. Always. And that’s- All right.

Howard Holton: So, uh, this has been awesome,

Gautam Sinha: Gautam. How do people get ahold of you? How do they learn more? Hey, you can always get, reach us at www.colortokens.com. I can give out my personal number, which is, uh- Do you want people to, how do you want them to reach you? Yes. Call me, 314-308-0074.

Gautam Sinha: I love it. That’s St. Louis.

Howard Holton: I love it.

Gautam Sinha: I love it.

Howard Holton: All right. And-

Gautam Sinha: Well, this has been fantastic … I appreciate the opportunity, Howard. Great stuff, you guys. Um, and thank you for recognizing us. I mean- For sure … you have, uh-

Howard Holton: We’ve been working together for quite a long time … you’ve made a difference. We’ve been, we’ve been working together for a long time, uh, us and ColorTokens.

Howard Holton: I, I appreciate it. I love the relationship. So well, thanks everyone. This has been another episode of Business Disruptions in Tech. Like, subscribe, follow, and we’ll see you on the next one.


Gautam Sinha: yeah …

Howard Holton: of the hardware purchase necessary to deal with broadcast domains and traffic management. That’s it.

Gautam Sinha: That’s it. Right? Right. And typically we have to overcome that mental hurdle. So I’m just trying to get the word out there that it’s a different purpose, and you put it very eloquently.

Gautam Sinha: That is, it was not designed to secure your assets. Sure.

Howard Holton: Sure. There are slight side effects. I’m not saying it has zero impact on security. Yeah. But really it’s, it’s security through obscurity, if anything. That’s right. Right? All right. Who’s gonna figure that out? So, um, anything surprising you that you, that you either kind of see day to day before RSA, or anything surprise you on the RSA floor?

Gautam Sinha: I think what surprised, not surpr- I think I should have expected it, but the proliferation of agentic AI solutions is what’s really caught my attention. I honestly haven’t had the time to go down to each booth and figure out how exactly it’s being deployed. I don’t know. Oh, we are all in the same boat, you mean?

Howard Holton: I mean, at some point it just starts, like, the, the thing is so repeated, it starts to feel like the, the green matrix screen. Right. You know what I mean? Like, I don’t think there’s anything actually being said there. I, you know.

Gautam Sinha: Yeah. But I think, I think there’s something that’s, good things are gonna come out of it.

Gautam Sinha: But again, you know, sniffing out what’s really, really relevant and, you know, prioritizing for, for a, for an end client, not providers like us. So the end client, I think the challenge is always going to be, okay, where am I in my posture, overall posture? Sure. Right? And, uh, what are my fires? What, what do I need?

Gautam Sinha: Where is my burning platform? What do I need to solve for tomorrow? What will I not solve in two years that will get my seat under the door?

Howard Holton: So, so putting yourself kind of back in that seat, right? Yeah. Putting yourself in that seat, ’cause you spent time there. Yeah. Right? Um, you talk to a ton of clients.

Howard Holton: You see what works, you see what doesn’t work. Um, w- what do you have set for your kinda internal bullshit meter- Mm-hmm … that allows you to go, “This is how I’m gonna address it. This is how I know to smell out bullshit, and these are the questions that I would ask”?

Gautam Sinha: So typically- Yeah And again, I don’t want to alienate anyone, but I do want to say that, um, security folks and network folks have a very different way of looking at the world.

Gautam Sinha: Yeah, sure. Right? And, um, we tend to get bogged down a little bit on the design of the network more than anything else. And I think from our … We hear a lot of things, but I think they’re all constructive because the network guys are the closest to hardware guys in this world, right? That’s true, yeah. So they naturally tend to be a little more skeptical, and, um, we tend to hear some creative counterarguments.

Gautam Sinha: But, uh, I think the solution, uh, and, and truly, I truly believe that our solution helps them solve a concrete problem. We go agentless, we have agent solutions, everything. So they, it’s up to them to sort of adapt and get on with it. Um, but, uh, hype cycle-wise, I don’t think anybody’s indulging in that in our space.

Gautam Sinha: But I think if anything, I would say that, um, uh, we undersell the value that micro-segmentation build brings to the table. Sure.

Howard Holton: I think some of it has to do with the historical- Right … micro-segmentation, right? Micro-segmentation’s more than 10 years old. Yes. Well over 10 years old. Right. But if you looked at it back in 2013, 2014- Yes

Howard Holton: uh, like I got scars, man.

Gautam Sinha: Yes.

Howard Holton: I, oh, I get it. Like- I get it … back in the early days, it was almost an impossible mission- Mm-hmm … ’cause it was so complex and so- Yes … fragile. Yes. Any change you made, you’re like, “Oh, God.” That’s right. Please don’t make me I really … Oh, God, I gotta, I gotta start clicking. Oh, Jesus, this is gonna be bad.

Howard Holton: It’s not that

Gautam Sinha: today, right? It’s not that. And, and, uh, Howard, thank you for putting that into a historical context. So you’re right. So the, this, this is obviously the skepticism that some of the old-timers do bring to the table. But we have changed the paradigm, right? Like I told you, our approach is cut across horizontally, not application-wise vertically.

Gautam Sinha: So we actually take down ports, shut down ports, we restrict traffic according to the- It’s a high level of automation … the level of automation. It’s a high level-

Howard Holton: It’s a high, yeah … of observability. Exactly. Right? This is not humans doing all of the work and having to keep things straight- That’s right

Howard Holton: through an interface that kind of helps. This is led by automation. Yes. This is led by observability. There’s a lot of validation that goes in. Exactly. There, there’s a lot of speed- Speed … to, and there’s a lot of resilience in these modern platforms, right?

Gautam Sinha: Right. I mean, uh, the end goal is, um, we have a, a case example where, uh, we don’t, it is not our example, but, um, a, a use case of micro-segmentation in action where it was implemented in one, um, particular company.

Gautam Sinha: And I, I won’t go into more details because-

Howard Holton: No, it’s fine …

Gautam Sinha: and, and, and, and it was not implemented in a very similar company serving the same, doing the same thing. And one- Was unscathed. They saw the results right away that they are under attack, and they, uh, uh, immediately went into Defcon 2 type of, uh- Sure

Gautam Sinha: response mode, keeping out all these bad actors. The second one went down

Howard Holton: didn’t just go down, I’m sure. Pardon me? They didn’t just go down, right? ‘Cause as we talked about-

Gautam Sinha: Yeah …

Howard Holton: if the first one hadn’t been successfully attacked-

Gautam Sinha: Yes …

Howard Holton: they would’ve been able to get that piece of the pie, and it would’ve stopped.

Gautam Sinha: Yes.

Howard Holton: Without that, it’s not just how fast you responded- Exactly … how long is it gonna take to recover? Exactly. How bad is the recovery gonna be? Right. And it, and the scale is gonna be significantly worse, right? Well, just

Gautam Sinha: think about Jaguar. Land Rover. I, I try not to…

Howard Holton: I’m a car guy. I really try hard not to think about Jaguar lately.

Howard Holton: Are you a Jaguar fan? I was. You are a Jaguar… Oh, yeah. Before they changed to whatever they are now.

Gautam Sinha: I don’t know what they are now, but, but the point is back six, say, eight months ago- Oh, yeah … what a devastating attack that was. I mean, the,

Howard Holton: the JLR attack was so bad- Right … the government of England, of the United Kingdom, Kingdom was considering not how do we pay Jaguar, right, JLR, but how do we make sure that their suppliers don’t go out of business?

Gautam Sinha: That’s right. Right? And, and you know, there’s this new statistic that, um, an attack on one of your hosts takes down s- the interconnectedness is so high it takes down nearly 5.76 other vendors with you. For sure. So you can imagine the spider web that we are living in, right? So one of the requirements that the British Parliament did impose is they’re gonna have to bail out…

Gautam Sinha: So many small businesses went out of business because, again, they couldn’t get paid. No small business can survive three weeks, you know? Just think about production shutdowns. So if you’ve got a mom-and-pop deli shop- Oh, yeah … outside the campus, you’re out of business. You have zero revenues. Yeah, you’re done.

Gautam Sinha: Remember,

Howard Holton: if you can’t make payroll, you can’t- That’s right … you can’t collect money, you can’t ship product. That’s- You’re done. That’s right. Right? So the point that you, that you’re not collecting ’cause, ’cause you’re a mom and pop delivering to a marquee brand in your country even- Right.

Gautam Sinha: Yes …

Howard Holton: um, and they’re just done.

Howard Holton: They can’t, they can’t accept anything new, they can’t process anything new, then you’re done.

Gautam Sinha: You’re done.

Howard Holton: And the, and the ripple of that is potentially in the hundreds of vendors. That’s right. And that’s when the government gets involved, right?

Gautam Sinha: And, and, and, and just the, the numbers being thrown around, like $2.5 billion of just lost revenue.

Gautam Sinha: It’s like zero sales. Right. So then your top line just went to zero for three weeks. So that’s the kind of devastation you don’t wish on anybody, but that’s the actual risk that can manifest itself if you’re not adequately protected. And I think that’s, that’s where, uh, it’s interesting because when they did the root cause analysis and they came up with the mitigation strategies and if you, and if you read the detailed report about how the attack spread, lateral movement, baby.

Gautam Sinha: Always. Always. Always. And that’s- All right.

Howard Holton: So, uh, this has been awesome,

Gautam Sinha: Gautam. How do people get ahold of you? How do they learn more? Hey, you can always get, reach us at www.colortokens.com. I can give out my personal number, which is, uh- Do you want people to, how do you want them to reach you? Yes. Call me, 314-308-0074.

Gautam Sinha: I love it. That’s St. Louis.

Howard Holton: I love it.

Gautam Sinha: I love it.

Howard Holton: All right. And-

Gautam Sinha: Well, this has been fantastic … I appreciate the opportunity, Howard. Great stuff, you guys. Um, and thank you for recognizing us. I mean- For sure … you have, uh-

Howard Holton: We’ve been working together for quite a long time … you’ve made a difference. We’ve been, we’ve been working together for a long time, uh, us and ColorTokens.

Howard Holton: I, I appreciate it. I love the relationship. So well, thanks everyone. This has been another episode of Business Disruptions in Tech. Like, subscribe, follow, and we’ll see you on the next one.