Talking with Tech Leaders
Explore the forefront of technology with 'Talking with Tech Leaders,' a podcast brought to you by Be-IT. Dive deep into the minds of the industry's most influential figures - from visionary CEOs and pioneering CTOs to innovative entrepreneurs and seasoned engineering managers. Each episode unveils the secrets behind the tech-driven transformation, offering unique insights into navigating the tech career landscape, mastering interview techniques, climbing the corporate ladder, and the ins and outs of starting your own tech venture. Join us for incredible conversations that connect you with the strategies, trends, and leadership insights shaping the future of the business world.
Talking with... Steve Orrin, Federal CTO at Intel
What if your childhood hobby could propel you into a leading role in one of the world's top tech companies? Join us as Steve Orrin, federal CTO at Intel, shares his extraordinary journey from hacking on a TI-99/4A and Apple IIe to steering cutting-edge security initiatives at a global scale. Initially set on a path in medical research, Steve's fascination with the internet in the mid-90s led him to pivot into technology, despite family skepticism. His story is a compelling testament to following one's passion and the transformative power of staying curious.
Throughout the episode, Steve recounts pivotal moments that shaped his career, such as transforming Lockstar from a security-focused firm into an enterprise application enabler and his innovative tenure at Sanctum. He provides a behind-the-scenes look at the acquisition of his startup by Intel, highlighting key projects like the Trusted Cloud Architecture and DeepSafe. Balancing innovation with security, Steve offers valuable insights into navigating the ever-evolving challenges posed by AI, quantum computing, and other emerging threats.
Moreover, Steve discusses the critical importance of resilience in cybersecurity planning and the need for continuous learning. Drawing from experiences with mentors like cryptography giant Bruce Schneier, he emphasizes understanding customer needs and maintaining robust communication with stakeholders. As we wrap up, Steve also shares his thoughts on personal resilience, the joy of family time, and must-read books for tech enthusiasts. Don’t miss this episode filled with actionable advice and inspirational stories from a tech leader at the forefront of innovation.
Speaker 1:Hey everyone, it's Michael Fair from Be-IT here. Welcome to another episode of Talking with Tech Leaders, where today I'm joined by Steve Orrin, federal CTO at Intel. How are you getting on, Steve, you well?
Speaker 2:I'm doing well. Thanks for having me today.
Speaker 1:Good, no worries at all. Just to give everyone a kind of intro about yourself, you've got three decades of experience in a series of high-level roles at companies including Intel, Sarvega, Watchfire, Sanctum, First Genetic Trust, and as the federal CTO, Chief Technology Officer for Intel Corporation, you can orchestrate and work with executives on customer engagements in the federal space, overseeing like development of the federal solutions, of architectures and addressing challenges in that kind of government, enterprise and national security arena, which I'm sure will be very interesting to hear about for all our listeners.
Speaker 2:Excellent.
Speaker 1:Yeah, and obviously, in part one, we do your career, part two, we're going to talk about innovation and security in the digital age, and in part three, we'll ask you some personal questions as well. So good.
Speaker 2:Ready to go?
Speaker 1:Awesome, cool, thank you. So we'll get started with your kind of career then. How did it kind of start off for you? Did you always envision yourself doing a career in technology?
Speaker 2:Well, it's a really good question. I actually, um, went to college for research biology and I had this idea that I was going to be an MD-PhD doing sort of medical research. And it really comes from the fact that my loves growing up were both computers and technology, as well as biology. But back in the late 80s and early 90s there really wasn't yet a career in the security and technology domain like there is today, and so I took the other path and focused in on my other love, which was biology.
Speaker 2:Graduated, did some graduate level research, was getting ready to apply to med schools when an opportunity came up to a friend of a friend, had some money, wanted to do something in this internet thing that people were talking about, and they introduced him to me and said hey, Steve, you know this security and technology stuff, maybe you can help him out, get the ball rolling.
Speaker 2:And I was thinking you know what, medical school is going to be expensive, maybe I'll do this for a year, put some money away and then do med school. And that was my first company, SynData, which we founded in 95 at the very beginning of what would become the Internet revolution. And after three months I was all in. I fell in love with everything that was going on, the opportunity, the excitement. I got to, you know, sort of leverage a lot of the things I had sort of learned, you know, by default or trial and error throughout my childhood and breaking apart technologies, hacking things, seeing how things work, and this was, you know, it just was so exciting and so after about three months I went all in and went down that career path and have since stayed in the technology domain. I would say it took about another year before my parents thought I was crazy, but it did turn out really well. But yeah, I never thought when I was growing up that there would be a career in security and hacking and things like that. And, um, I really, you know, some of those pivotal moments in the early days really shaped how I was going to, uh, sort of go out there and it was, you know, at that time everything was possible, and still is, but it was a smaller industry, so there was a lot of opportunity.
Speaker 1:I can imagine. Yeah, I mean, what was the kind of moments growing up then, like you know, was there a family member that was in technology? Was there something that someone bought you one time that kind of drove you towards it? Was it the Star Treks, you know, I love. What was something that kind of got you into technology?
Speaker 2:Well, it's funny. Yes, I was a geek like everyone else, Star Wars, Star Trek, but I think, you know, uh, my very first computer was a TI-99/4A that my father gave to me. You know, that was the very early programming in BASIC. And then the first computer I bought in the mid 80s was an Apple IIe and it was with all the bells and whistles. So I had dual disk drive, 80-column card, if you remember those things, and my very first Hayes modem.
Speaker 2:And my mind typically works in the way. Well, this is how things work. Let's see how they don't work. Let's see how I can use it to do things that aren't the same. And so there really wasn't anyone in technology in my family. I mean, my father was in business, my mother was in the medical transcription and admin side of the camp. But the opportunity to just try things.
Speaker 2:And so I got online, I started connecting to BBSs and got to, you know, and just the idea of, well, let's go try things. I mean, whether it was something as simple as well. We got this piece of software. It's a game or it's a tool. Can I use it without paying for it? Well, how do I crack the copy protection or little things like just trying it out, and to do that you needed to learn assembly. Well, now I had to go learn a new programming, which was exciting, and then later in school they had the very early programming that I just fell in love with, so writing in BASIC and FORTRAN and some of those very early development languages.
Speaker 2:But it was always, it was more of a hobby than something I ever thought would turn into a career, and it was just something, you know, and I spent a lot of time online. What was the equivalent of online back then? BBSs and other, you know, avenues back in the early days, running up the phone bill. So obviously my parents were not too happy, but I did work to pay for it.
Speaker 2:But those were some of the early things that sort of led me down the path that I had a love for, this idea of sort of how do things? So, looking at problems, figuring out, you know, decomposing and figuring out what makes it tick, and that is something. As you look at security professionals, they have this sort of this bent to their mind. They don't look and say, oh, that's a device, it does X. They look well, how does it do X? And what happens if I do Y? And that mindset is at the heart of most cybersecurity professionals is understanding how things fall apart is really how you understand how to protect them.
Speaker 1:Yeah, completely Like taking that apart, understanding it and be able to visualize different aspects of it. If you did this or that.
Speaker 2:Yeah, I mean there are definitely some remote controls and toasters and other things that never worked again after I got my hands on them.
Speaker 1:Yeah, that part's not going to go back again sorry no, awesome, let's say.
Speaker 1:It's really interesting to hear. I mean, you definitely do find that that kind of problem solving and, you know, taking things apart, like you're saying, is a great path for technology and understanding how things are done. I remember when we were doing the, the video, the VHSs, if you bought one you couldn't record over it, but if you just got a bit of Sellotape over one of the boxes you could then record over it. It's like silly things you know to try and work out. Awesome. So that's kind of shaped your early thoughts on technology. You know, getting into joining your friend and, you know, going to a kind of CTO role of that kind of 25 person tech company, um, and that just kind of started to push you down that path of working in different organizations, kind of moving through the ranks.
Speaker 2:Yeah, so, yeah, my first company in 95, uh, did that for three years and then in 98, I had, uh, an idea, uh, that I thought would be really useful, and so basically, I threw together some, uh, ideas on paper, talked to a couple of key, uh, folks that I knew and, uh, within, you know, a month, we were funded up and running. That was my second company and that really was the, uh, the jump start of the entrepreneurial side of my early career. So my first one, I sort of fell into it. The second one, it was my idea, and I grew it.
Speaker 2:I reached out to both one of my mentors as well as some other business and technology folks that I'd met along the way, and we pulled together this awesome team to go solve a problem that wasn't being well addressed at the time. In this case it was how do you connect all this wonderful web to the backend mainframes in a secure fashion? People were talking PKI. It was going to save all of us back in the 90s. But if you spent the several million dollars of implementing it, what did you get? Well, I got a certificate. Maybe I could log into a VPN or a network, but you couldn't do anything real with it.
Speaker 2:And so the aha moment for me that I had was well, where's all the real business happening? Where's all the value? Where's the criticality inside organizations? It's all back in legacy infrastructure that don't use certificates, they use RACF, they use other types of credentials, Kerberos. What if we could map those two worlds together? What if I could connect the certificate to those legacy authentication frameworks and provide a seamless way for businesses to bring their legacy and, more importantly, their business-critical applications to this new internet world?
Speaker 2:And that was that pivotal moment that became LockStar, and we don't have this opportunity very often anymore. But the idea came to me when I was stuck on a plane for seven hours flying, and back then you didn't have the movies and the iPods and all the other cell phone. You had nothing. I mean, you were basically stuck there with a book, if you were lucky, or some overhead movie. That was something that you weren't paid for to see, and so being stuck with your own thoughts for a period of time allowed me to sort of think about and sort of pull together these ideas, and when I got off the plane I immediately went, wrote down my idea, called some people and we were talking to investors a week later. It was an exciting time back in 1998.
Speaker 1:That's incredible and you're so right that you know. Even like when I've got my daughter in the back of the car and she's getting a bit cranky, we're always trying to entertain them and keep them busy. But similarly for yourself, if you had been distracted working on your laptop or your phone, your brain wouldn't have been putting problems in your head solutions. You know doing this kind of stuff, so it's really interesting that you say that you know.
Speaker 2:Yeah, that's. You know you have to disconnect for long enough to process, and it is a challenge in our connected world to be able to find the time to come up with that next great idea or how to solve those problems. But you find your peace moments.
Speaker 1:Totally. I mean, and you've kind of created the solution for companies to get these business-critical applications access to the internet or to kind of involve them in being connected to the web. How is the buy-in for companies? Is it quite challenging for them to trust it or to kind of see the value right away?
Speaker 2:No, it was interesting. When we first started the company, the analysts loved the idea. A lot of our IBM and our partners loved the idea and we had some initial beta customers and the security people loved it. It says I finally have a way to secure those things and keep the bad internet from causing damage. And one of the things and it was a really good learning opportunity for me, and thankfully it was really early in my career is talking to the ones who actually own the applications. So we, as a security company, talk to the security people. That's what you do but oftentimes you forget to talk to the stakeholders that own the application, actually own the business. And that's where we found out that they had a more fundamental problem that they were struggling with, even in large organizations, which was just the sheer how do I connect the mainframe or the legacy application to the web, to the internet? So they were, you know. They said I love your idea, I would use your security tool if I could connect the mainframe. And so we went back and huddled and what we figured out is that, in order to achieve what we were doing for our security, we had to have a piece of code running on the mainframe that could take the certificate, interpret it and map it to in the case of a mainframe RACF or ACF2 credential. But what we realized is we had a piece of software running on the mainframe that was using a standard internet protocol and so with literally a couple of months of work, we were able to transition that product to a much larger market, which was how do you web enable a mainframe? And so in that early days again, you have to remember, this is 99. So it's still early in the days we had one of the very first SOAP web service instance on a mainframe and could do a COBOL copybook translation into WSDL, and that was game changer. 
So that allows someone who had a legacy CICS or DB2 mainframe application to within minutes transform you know, if it was a simple COBOL instantiation transform it into a web-described service that can be populated out to a web application. And that was, again, this is 99. It was very early in the days.
Speaker 2:The only way that people were really getting access to mainframes was through, you know, tn3270 emulators green screens for the web, if you will and this allowed them to just turn it into an API-based service and deliver it out to the web. And that was what really jump-started Lockstar was. You know, the security was almost became inactive. It was important because you needed to secure that connection very well and you need to authenticate, but the fact that they could quickly transform the legacy applications into something that could be easily consumed by the web and by web services, that is actually how Lockstar got to be known, and so we became less of a security company, more of an enterprise application enabling company, which, when you look at the financials, is a bigger market than the security market.
Speaker 2:At that time, enterprise application integration was a huge market the middleware space and all that and so that was one of the transformative things for Lockstar was transitioning from a pure play security company into a applications enabling company with the security play, and that for us, was a big deal and for our customers that were able to migrate to the internet with their legacy applications.
Speaker 1:And it kind of changed that, I suppose, the pitch of your product in the market and gave that growth. I mean, was it challenging in the market? Was it a lot of competitors? Were you kind of? Obviously I didn't know what the market was like then. Millennium Bug 2000, Internet's kind of taken off. People are buying domain names.
Speaker 2:What was that like? It's interesting, there was competition, but not really in the direct. So back then people didn't really have good categories for things. I mean, the whole idea of a Gartner quadrant was still coming about. So we were lumped together with a couple other companies that also did similar things but for other kinds of applications. So one was a company that did similar to what we did, but they did it for ERP applications, so like SAP, PeopleSoft, and so while we were doing completely different things, we'd be going after different applications. We were on the mainframe, they were on client server or big VAX systems and things like that. We were lumped together as competition. We ourselves, I mean we knew each other and we talked regularly. We didn't compete other than for market understanding, so it was more education.
Speaker 2:Later, as companies like Jacada and others started to do more with taking their, you know, their green screen emulators and really turning that more into an API structure, the market started to mature and IBM started to bring the mainframe into the modern era, if you will, adding Linux services and other things that made that path easier.
Speaker 2:But when we were starting out there wasn't direct competition but there was sort of a marketplace competition or we all got lumped into the same bucket on the Gartner charts and that's the challenge for the marketing people. But technology wise and, like I said, the industry is much smaller if you think about today versus back then. So you typically wanted to have a couple of people in competition. Today any company has hundreds of competitors pretty quickly, especially in some of the high curve spaces. But one of the maxims that my business people had taught me very early on is that it's good to be the first mover, but you want to have competition because it validates the market. From an investor perspective it means that there's something real there and that helps you provide credibility to both your customers and to your investors, is knowing that there's something, you know, you're not so off on the niche that no one is actually going to care about it.
Speaker 1:Yeah, that's so interesting as well, because you're trying to kind of get investors. We've got this thing. It's amazing, no one's doing it and they're like really excited about it. But they're like well, why is no one doing it?
Speaker 2:I suppose that would create that out like you said.
Speaker 1:Exactly, yeah, completely. What was your exit like from there then at Lockstar? That was a three-year journey, then. Yeah.
Speaker 2:It was an interesting journey. We bumped up against 9/11. And so the funding world shut down for a while. What we did is we did exit the company, where we sold our technology to our customers, and we were able to give everyone a clean break. But yeah, 9/11 sort of shut and the problem is that our customers were financial services, insurance and pharmaceutical, the Jersey, New York, Connecticut corridor, because we were based in New Jersey and that was one of the major areas that was affected by 9/11. And so funding dried up. That happened and we were able to transition our technology so that our customers could thrive and use the code. We gave them access to the source and then provided them the support environment so they could take the products forward, and then we were able to exit the company. It wasn't a big exit, but it at least allowed for a natural transition during those times.
Speaker 1:It's not always about the money and things as well. I mean you gave good value to your customers. You exited in the right way. I mean in terms of kind of, you know, uh, you know, getting that back and dividends in the future, I'm sure it's paid, you know, many times over.
Speaker 2:So no, great, well done. Yeah, some of those customers I've come back to at other companies and they still buy my BS. There you go, there you go.
Speaker 1:It's the thing, wasn't it? It's kind of like paying it forward, isn't it? Um, so you went into First, uh, Genetic Trust as their eye
Speaker 2:Yeah, that was an interim gig where, uh, it was an interesting opportunity, uh, and really, uh, in hindsight, a very important one. Uh, they were a startup clinical trials company that were going to do clinical trials online with an online database and online infrastructure, and I came in as the chief security officer, a CISO role, with an eye to get them up and running, get them operational, get all the audits and validations and certifications done and then hire my replacement. But for me, besides implementing a lot of things and best practices that I've been preaching as a vendor for a while, it really let me live on the other side and that I think, for my career, was one of the most important learning events, was seeing it from the other side, having to deal with security vendors and the lack of interoperability and the lack of good documentation or bad integration, or having to deal with getting audited, doing a HIPAA audit, doing a 21 CFR Part 11, being able to do the safe harbor rules. I mean it's one thing to say, oh, our product will help support this because we've done the mapping, but it's another to have to be the poor guy who's got to actually do the work, and that learning of what it means to be on the other side, on the customer side, has influenced my career ever since.
Speaker 2:As I design solutions, as I design products or I talk to customers, I know the pain that they've gone through and I don't want to inflict that kind of pain on my customers. I understand it's not always do you have the coolest widget, but does that widget work with what's already there? Do your reports come into a format that I can consume? What standards are you? Those kind of questions are the things that, as a CISO, I had to struggle with.
Speaker 2:I had to deal with, I think, with like 10 different security vendors at the time to secure a single online database and be able to do some of the key management and the data separation, and it was an absolute nightmare. And these were big companies at the time and a couple of small ones too, and that was a key learning experience and I've used that experience as it directed me into Sanctum and Sarvega and all the other companies, and even at Intel is keeping an eye on the customer experience, on what is it they're trying to accomplish and what is the environment that your stuff has got to live in. It's got to be able to play in their world. It works great in your development lab. But your development lab isn't representative of a large bank or a hospital system, and so understanding the customer because I was a customer for that period of time really has helped influence.
Speaker 1:It's so interesting that because you build something if you're techie or you'd obviously work at the company who's bought that product you get really excited about it. You do get some customer feedback but, like you're saying, does it continually solve the problem of the customer or do you get excited and you add this bell, that whistle, you've got this at the end and it's like oh, we just want to use that bit.
Speaker 2:Exactly. Can that bit talk to this other product from this other customer, which is what I'm trying to actually do inside? Yeah, and that is, you know, it's the challenges in the integration often with these products.
Speaker 1:Yeah, no, completely, and it sounds like you're doing it. You're thinking about these kind of problems early on and you've said obviously that's helped shape the way that you look at problems going forward. So a really good learning experience then. Um, and into Sanctum as CTO.
Speaker 2:So Sanctum was an interesting opportunity. They were a security, security auditing tool. Uh, when I first joined them as CTO, they had built, basically had two products. They had an auditing tool that would scan web applications, looking for vulnerabilities, and then they had an application firewall. And they were very early. There was only one competitor, really, and then a couple others showed up about a year later and the security market was a good market, but it was a finite market. There are only so many auditors inside big banks and big corporations and then you have, like, the Deloittes and the E&Ys and all the others that are doing audits and that's your marketplace and one of the things, you know, once I got in there, a couple of things I looked at transforming our business was one is let's expand the scope of the security tool beyond the security auditor, because what is the security audit really telling you? It's telling you whether or not you've got vulnerabilities or you're protected against certain threats. But who's that meaningful to? Ultimately, if you're talking about a big bank or any regulated industry, compliance is really what's driving a lot of that security. And so what if we could map security vulnerabilities and the remediations for those into the policy, into the regulation requirements and control regimes, and so the first innovation we did was do a controls mapping between we found these number of vulnerabilities and this type and this is the effect, what would happen if someone exploited that vulnerability, and that's how it would violate this requirement from a given PCI or HIPAA or 21 CFR Part 11 or any of the other regulations that were out at the time. The other innovation was less about the security analysis and more about well, what do you do about it? Well, you want to be able to remediate. You want to be able to say you've got a cross-site scripting or SQL injection vulnerability on your webpage. How do you fix it?
Well, you got to do input sanitation, input validation, and you've got to do parameter checking, all these kind of techniques. What if we gave that information as part of the tool to the auditor? Well, that's great, but the auditor doesn't fix the application.
Speaker 2:And that's where my aha came. Well, actually, security begins at the beginning. We were coming in at the end, when the product was either done or about to be launched, and doing the security check. That's the wrong place to be starting the process. And so we transitioned the product AppScan and we created AppScan for developers and AppScan for QA, and we made a version of the product for developers and for quality assurance so they could perform the same tests that the auditor was going to do or the compliance requirements were going to require at the beginning of the development process. And so it was the whole shift from do the security at the end, which is what the industry was doing at the time, to building it in.
Speaker 2:And this is one thing that one of my mentors beat into me from very early on is security can't be bolt on, it has to be built in. And so we not only do we build a product for developers, but we integrated it into the development environment. So it was integrated into Visual Studio, integrated into the Eclipse and other IDEs, so that it was just a tool that you would click and it would run. And it gave you code samples. You're running in Python, you're running in C. Here's a code sample how to do input validation. You could literally cut and paste some parameter modification, but it told the developer not, you've got a problem, go figure out how to solve it. You've got a problem and here's example code of how it would fix it.
Speaker 2:And that is really what launched Sanctum to be the company that it ended up being and to really win the market was that transition from a security only to really thinking about how do we help the organization remediate and get earlier in the lifecycle and there's been multiple studies done about return on security investment, about getting at those bugs and those vulnerabilities early in the lifecycle, is the cheapest, most efficient way to do it versus waiting till the end, and so that was the major innovation that we had at Sanctum was moving into the developer and QA market, which, from a business perspective, is a much larger market, because for every one auditor you have, you know 10 QA and 20 developers you know on average, and so you basically have a much larger pool from a market to go after.
Speaker 1:That's incredible. I mean thinking about that 20 years ago you were doing basically secure by design and pushing that kind of philosophy. That's awesome, that's so interesting. It just shows you the amount of money that company will save as well in terms of doing more development, bug fixes or even being hacked and held to ransom. So yeah, that's so interesting. What about the next from there then and kind of the next role that you went into from that?
Speaker 2:So after we exited Sanctum, I went to go do my next thing. I was recruited over to Sarvega and really it was to help grow, to get that company ready for acquisition. They were an XML acceleration company, had a really powerful appliance for accelerating XML transactions and they had some security capabilities. But they really needed to formalize that security offering to round out the solution set. So I came in as the chief security officer to basically own the security product design development and get it up to snuff with an eye towards exiting the company. And we did. It didn't exit where we thought. We thought we'd go to a firewall vendor or one of the infrastructure players, that was sort of who you thought at the time, the Ciscos or the Junipers or those kind of folks. It ended up being Intel that bought us.
Speaker 1:Intel came a knocking.
Speaker 2:Yes, they did. And at the time they were very interested in the XML acceleration side, because XML was a workload, that was a performance challenge, and so could they take some of our technology and integrate it into a chip to make XML acceleration ubiquitous for all. And that was the reasoning behind the acquisition. The security product came along because it was a product that was out in the market and was being adopted by large customers, so it gave us a good footprint. And then, about six months after the acquisition, I transitioned all the products. Everything was operational and I was going all right, I'm ready to go off to do my next startup, because that's what I do, I do startups.
Speaker 2:When the GM and president of the software division, the one who acquired us, came to me and said, Steve, what do you want to do? And I said, well, I like being a CTO, but Intel has a really good one, so I don't see I'm going to take his job. And that's when she said, well, I'm thinking of this new idea called pathfinding. And the idea was that Intel classically, its labs, the Intel Labs Research Division, looks five to 10 years or further out on the horizon, because chip design, you know, the first idea in your head, oh I want to do this cool thing, five years before it shows up in a chip you buy on your laptop, and there's that long cycle of design and then the productization side. So once things get locked down, like, this is the chip, two years from that point, chip comes out. So what she identified is there's this horizon between where R&D ends and product begins, a two to five year horizon where innovation can happen. But it wasn't being focused on categorically. She was going to stand up a team that was just doing pathfinding, so doing the what can we do with existing or coming hardware and do innovations in software to go solve problems for our customers? And did I want to run the security pathfinding team? And so I jokingly said, you see, you want me to basically play a CTO, but with Intel's budget, I'm all in. And so that's what I did for about nine years: I did security innovation and pathfinding where we looked at what was already in the hardware that was out today, what was coming in the next version that was going to be a year or two away, and what could we innovate from a use case or from a technology perspective. And what that became is a variety of really cool projects.
Speaker 2:One was, and one of my biggest successes was, the trusted cloud architecture. So we had, you know, virtualization was hot and this is, you know, 2006 timeframe. Cloud was still something big companies were learning how to spell. But the idea of a hosted infrastructure was coming. There were some niche players getting into it and at the time we had some hardware features that allowed you to boot a system in a secure fashion. So basically, it would be verified that the firmware was securely booted and it was being applied to virtualization to be able to say, okay, my hypervisor is also being booted correctly. And I made the connection like, hey, we should be able to do this for the cloud and be able to give people, because if you think about the cloud, it was different from enterprise. Enterprise, I own the system. So, yeah, I can verify it and I'm good. But I trust the system because I can go look at it, I can go touch it. The cloud is somebody else's system. What if we could get the same kind of properties of the warm and fuzzy you get from a secure boot, a secure launch of a system all the way up through the hypervisor, but do that at the cloud provider or at the hosted provider and be able to provide back to the tenant the attestation that you are secure. So when I put my workload into that cloud I can verify the hardware, even though I can't physically touch it or even get into the data center, much less know it. And that was the beginning of Trusted Cloud and that has blossomed into an entire industry of secure boot architecture for cloud and virtualization and containers and everything that spawned from there.
Speaker 2:That was one of our innovations, and then the other one was thinking about, and this was an area I spent a lot, you know, we had a lot of projects around how can hardware help with the malware side of the camp? Malware is doing evil things. It's getting under the OS, it's attacking the very agents you're using to detect it. Where can malware not hide? Well, it can't hide from the hardware it runs on. So what could I use in the hardware to protect the agent or protect against or detect these more stealthy, persistent kind of threats?
Speaker 2:And that's where the beginnings of what became DeepSafe, which was a collaboration between Intel and McAfee to take technology from their agent and put it early into the boot cycle, before OS, before the BIOS, before the malware could even get its footing and then detect anomalies at that level, and that, you know, from there led to a lot of other things and eventually we bought McAfee, and you know history is what it is. But that core idea of, well, can we use the hardware to protect up the stack from a detection perspective was a novel idea and it's still being used today in a variety of ways. You know our most recent technology and trusted threat detection technology uses hardware features to detect behaviors in the operating system. That, again, malware can't lie to the CPU you're running there.
Speaker 2:So those were some of the key innovations at Intel. Intel was looking to stand up a federal capability beyond just sales, but actually a federal technology practice. And did I want to be the federal CTO? And so I said, so I got to move back east, and they were like, yep. I'm like, all right, I can do that. So I moved back east, because I was living in California at the time, and started the federal office of the CTO and really grew our federal technology practice to help service the federal market.
Speaker 1:That's awesome. It's some journey you've been on. What an incredible story. I mean on that project they're talking about, because a lot of people don't know, or if you're not in technology, that computer boots up, you know F5, you can get into the BIOS and you know change some settings, and you decided that why are we checking for malware once the operating system is loaded up here, when we could be looking down here underneath it all to see. That's so smart. I mean that sounds... I'm saying it very simple, simplistically, but it sounds like such a good way of doing it.
Speaker 2:Yeah, and sometimes it's about looking at the problem from a different angle. I think one of the nice things working at a company like Intel, you see the world from the hardware up, where a lot of security products and operating applications see the world from the app down. As soon as I hit some sort of API or abstraction layer, I'm done, whereas at the hardware level we see everything. We are at the bottom of everything. Our tool, our product runs everything above it and we have instructions and APIs that go up the stack for tools and operating systems to leverage. So it gives you that different view on the problem than your typical security practitioner, at least back then. Now we've got a much larger community of security people with the hardware bent to them. So you know, the industry has grown significantly. But at that time it was a very unique way and for me, you know, looking at problems from alternate angles is really how I operate.
Speaker 1:No, it's definitely paid dividends for you. I mean thinking about your career, then, and any mentors or people or leaders that you've kind of found very influential. Is there any you'd like to kind of give a shout out to?
Speaker 2:Oh, there's several. I have been fortunate to have multiple mentors throughout my career that have been absolutely critical. Early in my career, Bruce Schneier was a mentor. For those who don't know, Bruce Schneier is one of the godfathers of modern cryptography. He wrote the book Applied Cryptography and many more since then, and is a regular public speaker, and I reached out to him in my first company to get some advice on a crypto system I was developing, and his response is, this is all crap. That was the beginning of a budding relationship, but it was, it had a lot of problems, and one of the things he really helped me understand is that before you build a crypto system, you need to understand how to break one. You can't be building security unless you understand and the same. I knew that from a cyber, from a security perspective, but not, you know, from a crypto as well, and so we worked together both at Sundata and then later he was an advisor and participated in Lockstar, and so we had that really good way and he really helped me get access to the broader community of cryptographers, the Ron Rivest and others, some of the luminaries in the cryptographic world.
Speaker 2:Later one of my CEOs, Peggy Weigel from Sanctum, was also a great mentor, and Diane Freeman, of my view of how organizations work, how to understand customer problems and, in the case today, and how to speak in the language of who you're trying to talk to, and I think that was one of the things that really helped me early in my career is, you know, I can talk about technology until the cows come home, but also understanding how to talk about technology in the terms that your customer, who you're talking to, need to understand.
Speaker 2:If you're talking to a business person who owns healthcare applications, they don't want to hear about cross-site scripting, they want to hear about medical records. They want to understand what are the impacts to my medical records, what are the impacts to my operations. And so being able to understand how to translate technology and issues and problems and opportunities and solutions into the environment and the language, if you will, and that's served me in a variety of ways. It's also how you can talk to business people about technology problems or talk to developers about business problems, and how do you translate back and forth is something that has served me well, and I think those both on the technology side, like Bruce Schneier and Jim Russell, my chief architect from Sundata and Lockstar, were great influences, and then on the business side, people like Peggy Weigel and Diane Freeman and others really helped craft the business person I became.
Speaker 1:Some big names there. Completely, I mean. Looking at your three decades and working in technology and security and seeing how it's kind of progressed over that time, what would you say? I'm sure it's hard to do one, but what would be your kind of biggest achievement or your kind of biggest challenge that you faced?
Speaker 2:Okay, so biggest achievement, there have been many, I think one goes to, I would say. One of them is at Intel and it's really early at my time at Intel and it's why I'm still here 20 plus years later, is that the, you know, Sanctum was one of my most successful startups.
Speaker 2:We had 500 of the Fortune 1000 as customers. We, you know, it was a pretty big deal back in the day. The first project, that trusted cloud architecture, you know, that I worked on and some of the other technologies worked on, the impact of, you know, some of the technology I worked on the very first time went to 40 million PCs, and so the impact you can have and where I've had that ability. In the case of the secure cloud architecture, that is part of a NIST standard. Now it is adopted categorically across cloud providers. So you see that impact when you can take advantage of it. And so I think from where I found the biggest impact has really been able to deliver products to market or technologies to market that scale.
Speaker 2:The biggest challenge is the one we talked about earlier is when we were excited about our PKI to RACF mapping tool, got it into customers' hands, got the beta feedback and like well, this is a great tool, I can't use it because I can't get my mainframe on the internet. Well, now what? And that was an eye-opening, pivotal moment, and I really give a lot of credit to both my engineers because they'd worked really hard on getting our product to that point, as well as the business people we had and our investors, as we came together to understand A what was the problem? But more probably, what is the opportunity. And that's one of the things that when you look at your biggest challenges or when life is gonna give you lemons, it happens A lot of people say you gotta make lemonade.
Speaker 2:No, make limoncello. Make something exquisite out of that. And that is the idea: bring the right people together and say, okay, what is the opportunity? In our case, at Lockstar, the opportunity was to grow our market, solve real problems and sell the security tool, because it's going to be needed just to connect those systems anyway, all at the same time. So how do we transform the way we're thinking? And not, oh my gosh, it's doom and gloom, the customers can't use our product today. And that's really one of the ways that you meet those challenges and can be successful through them.
Speaker 1:It's definitely done with people, isn't it, in that mindset, and you've kind of got a team of people, you know, and you've got that kind of doom and gloom thing happening in a meeting. It's one person just to kind of shift it. Like, you know, let's think about this as an opportunity here and really shift that kind of, you know, that feeling across the room.
Speaker 2:Yeah, and it doesn't hurt to have some really good engineers that actually can make your crazy ideas real. Can we do this?
Speaker 1:Uh, yeah, um, awesome. Well, I mean, that's a, that's part one. Is there anything that you would like me to ask you in part, or anything you want to kind of chat about?
Speaker 2:Uh, obviously, I'm sorry, yeah, either. Uh, let's talk about sort of, you know, building off of what you talked about before, like what are some of those challenges? You know, in the modern age we are dealing with massive threats: ransomware, data breaches, advanced persistent threats, we have bugs in security software taking down the Internet. From an enterprise perspective, there are significant challenges. At the same time, in the vendor world,
Speaker 2:every vendor is trying to provide a technology that's going to meet the needs of both the current threat and the future, and so both sides are presented with a unique challenge today of how do we innovate and be able to, at the same time, protect ourselves. So I think that's one of the areas that would be interesting to dive into, and we're seeing innovation happen everywhere: at the vendor community, in government, in the commercial and retail markets. But we also know that every day there's a security event, or more than once. There's thousands of security events every day that get reported, and probably millions more that haven't yet been reported. How do we do those together?
Speaker 1:It's like the innovation, I suppose, versus the cost of security. And obviously with AI and I mean I suppose quantum will eventually crack everything, but I'm sure they're trying to fix that. But how should companies kind of balance that? How is it done?
Speaker 2:Yeah. So this is a really good question and I think there's three things that I would say that help make that happen. Number one is don't stop the innovation, do the innovation and do the innovation. One of the things I like to say to companies is go off and try these things, get your hands dirty, deploy the AI tool into a little environment, get it up and running. Understand, figure out how it's going to deploy into your enterprise. So don't just stop at the lab exercise. Figure out where am I going to go. Tackle a problem that will actually be meaningful to the company.
Speaker 2:And the way you go about securing it is twofold. This is the second two. Number one, it's about the team you put together, whether it's an AI project or an edge project or a 5G or any of the technology things that are happening. Bringing together the right stakeholders. So, in the case of security, having security involved in the design and requirements development. Before you get to your first line of code, letting them provide input on requirements. Are there certain security controls that need to be implemented in? If the developers know about it, they can build it in. It's gonna be a lot less pain later when they get told no, that they can't deploy because it's not secure. Two, the security and the business folks understand the risk of the environment you're applying your innovation to, and so they can give you the level of risk, the level of security controls. They can give you context for that requirement, and that's the other piece of it. A lot of times developers bristle under, you know, oh, security wants me to do all these things. Well, really, what security is saying is I need this to be secure, and until they know where it's going to live, they really don't know how secure it needs to be. But getting the business folks and security involved in the beginning allows you, number one, to know what are my security controls, but also what's the environment. Are we going to be protecting the most critical application of the enterprise or are we handling the scheduling tool? Those are going to have different risk profiles, and that gives the context for security so they can apply the security things and then, from a developer and product management perspective, build the security and have it part of the design, have it being tested. That will make you more successful.
Speaker 2:On the other side, one of the things that DevSecOps talks about is this continuous cycle, and that's the other thing that people have to understand. Security isn't a one and done, and it doesn't have to be 100%, because it's never going to be 100%. But you build in the hook points and the key controls and then, as you're going through the development and the quality and the deployment and the security parts of it, you're continuing to meet the needs of a given threat's change. The environment changes, someone does an update and adds a new feature. You didn't know about those kind of things. The world continuously changes.
Speaker 2:So, as you're doing innovation, be nimble, and I think that's, it's something a lot of people take for granted. But people take it for granted when they're thinking about the thing they're trying to innovate. You want to not only innovate that, whatever that problem you're going after, but be innovative in your approach of how do you integrate it into the enterprise, how do you secure it. What innovations do I need to make it easy to change my security settings or to manage them remotely. Making those innovation choices early is going to help you, even if you haven't solved the actual security problem. But giving yourself the hook point in the code or in the application to allow for that to be added on is going to make your process much easier, and so when we think about innovation and security, it really comes down to that maxim: build it in, don't wait until the end to bolt it on.
Speaker 2:And when we talk about things like AI and edge, one of the things we have to know is that it's going to break things. We're going to screw up, the AI is not going to work or it's going to give us a really weird result. We're going to deploy an edge sensor out in the field and it's going to lose connectivity. There's going to be issues and you've got to build that into your risk profile.
Speaker 2:And security shouldn't stop you from innovating, and innovation shouldn't break security. They should be working in tandem. And when you get the right people in the room and have them along for the ride, number one, they feel more bought in at the end. So it's not like, oh, you're thrusting this new innovation on me, they're part of it, and so that sense of ownership will actually help you be more successful in actually getting it adopted and deployed within the organization, and so I think that's really at the heart of it. It's the team and less about the technology.
Speaker 1:And have you seen kind of AI being used more and more, or kind of large LMs that are focused on cybersecurity being used more within organizations to help protect them.
Speaker 2:That's a really good question. I think every vendor, if you go to a big security conference, you will see AI everywhere. We're all using AI, AI is going to solve everything. Well, let's start with no, it's not going to solve everything, but AI is a very powerful tool, and so we're seeing AI being used and tested and evaluated in a variety of areas: areas like automation, areas like anomaly detection. SIEMs are using an LLM to train them to be able to look for a correlation of events. There's a lot of places with a lot of good research. There are some companies out there looking at various forms of AI, not just generative or LLM, but other kinds of AI for identifying threats earlier than before they become catastrophic, identifying some of the mapping vulnerabilities as they're discovered to potential exploits or activity on the network. So there's a lot of work happening. One of the things that I like to look at is that a lot of folks are looking at, hey, I can use this AI and I can go solve and find that next big APT that no one's ever seen before. I'm going to use an AI and we're going to detect the next advanced threat. That is a little bit hard to do. Matter of fact, it's almost impossible, because what drives AI is data. AI is driven and consumes data. It's a data-eating machine, and what's the problem with a one-of-a-kind APT is we have no data on it, or if we've seen an APT from that organization, we've got maybe one instance. There's not enough data to really train a good AI to detect the next one. That's why you need threat hunters and XDR and EDR and all these solutions to really dive into what's really happening and make that cognitive leap and then over time, train up a corpus of knowledge about how some of these things work. Where I see the biggest bang for the buck for AI is not on the exquisite, exotic, you know, APT, but on the 90% of the stupid stuff that happens every day.
That's where we can see the biggest return on investment for AI is automate and have the AI go after all those firewall blips, all those events that keep hitting in the patch management, vulnerability management, all the updates, all the stuff that it takes, all of your cybersecurity, people's time and energy every day, the firefighting, where we've got repetitive mundane human loop processes that happen all the time. What does that mean? We got lots of data. We can train an AI on that and then let it loose and there will be some fits and starts. Once in a while the CEO's email may go down because they automatically patch something that broke it. But I think that's okay if you're blocking and really taking out the next data breach because you're automating something that, at the end of the day, our cybersecurity teams are underfunded, overworked and underslept, there's no way they're going to catch everything. They're constantly firefighting. We're not getting good use of that workforce. That's where AI can really shine.
Speaker 2:And you look at where AI has been successful in other industries. It's repetitive, mundane, kind of manual processes. Let's automate those. In cybersecurity, that is going to be the place, and it's not like it's going to replace the cybersecurity or InfoSec professional. It's going to allow them to focus on the 20% hard, interesting problem. Let the AI deal with the 80% of the every day, and that is, I think, the best application of AI, and we're starting to see some of that happen.
Speaker 2:The other areas, you know, one other area I think I'd mentioned is we're seeing it looked at from a different perspective of not can I detect the threat, but how do I apply, you know, context around policies.
Speaker 2:How do I use the?
Speaker 2:How do I evaluate what data should be delivered to a customer?
Speaker 2:So, using AI to better understand the use or predict the better uses of data or data security into that zero trust idea of, I need, I can't just implicitly tell you I know you. We've authenticated, but I can't trust you. In a zero trust world, I've got to have to re-authenticate you at this moment, every time. Where AI can be helpful is giving some of that context about the environment of what you're trying to do and predict. In the case of a generative approach, what is the likely things that we should give you? And give you that minimal set, as opposed to, well, we don't know everything, so we're going to give you everything, and then, if you don't get the credential or the access you want, you can tell us. But instead of trying to give you all the access and then, you know, being exposed, using some of the AI tools and machine learning to reduce the things that we give you until it breaks, you know, breaks, and therefore you need to ask for more access, as opposed to just giving away access.
Speaker 2:And that's some other interesting approaches people are taking.
Speaker 1:That's definitely interesting. When I'm thinking about, you know, that kind of AI internally, see that's like being blue. I'm just trying to use this from my own mind, but then obviously there'll be people out there that are, you know, hackers, organized groups, you know, and say they're using like red AI or they're trying to train AI to become dangerous, to go and, you know, find vulnerabilities and to actually be working in real time on themselves. Are you seeing that now or is that something you're going to see in five, ten years?
Speaker 2:You talk about the adversaries using AI. Let's face it, AI is a tool. Like a hammer, I can use it to build a house or hit somebody upside the head. AI is no different. It is already being used by the cyber criminals, nation state. It is absolutely. The examples are plenty.
Speaker 2:We've seen really well-written phishing scams, I mean English language with interactive chatbots behind it. We've seen, there was an example a few months ago of a deepfake video with a chatbot tricking a financial person into transferring money out of a company. It was a deepfake of the CFO with audio, with the chatbot behind it, interacting with a human, and got them to transfer $25 million. I mean, they're using it. They're using AI to do that automation. Well, I need to be able to scan all these ports and identify the services and which ones are active, which ones need authentication, which ones are reporting but not active. That kind of information discovery and information reconnaissance work is being... they're using AI, because the fact is, there's too much data for a human to go through. Scanning through the dark web, looking at all the different assets out there and finding their interesting ones. Well, I've got a correlation. I've got a bank account over here. I've got another bank account over here, but I've got a similar username. Ah, that's the same one, let's try the same. But that kind of correlation can be done at scale.
Speaker 2:So the adversaries are using AI today and I think the most important thing we have to remember is, while we're figuring out the right policies and processes and governance of how to use AI for security, they don't have those kind of rules and regulations. They will use the technology if it gives them a 1% better outcome. It's cost effective because it didn't cost them anything or cost them very little for the potential outcomes. And so oftentimes we have to be a little bit more nimble in our application of new security technologies or AI to augment our security technologies, because the adversaries are there, so we need to be able to meet that challenge more effectively because, like I said, we have to be right 100% of the time. They only have to be right once, yeah.
Speaker 1:And I suppose, looking at companies that have got their data in-house and keeping that secure and keeping their systems secure, should companies also be looking externally to their CFO that's got a video out there that could be deepfaked, or they've got audio files of their voice that, you know, within 20 seconds it could be replicated. Should be looking at that data and trying to draw it in, or I don't.
Speaker 2:I think the horse has left the barn. I don't think you can pull that data back, data live. You know the internet is forever. But I think there are tools and techniques of how organizations can better both train their individuals to recognize potential phishing campaigns or to have double checks in place. So you know, like the two-person rule, so before you respond to something, verify independently through a third channel. So there's training and then there's software techniques, you know, being able to do a better job of verifying the hosts.
Speaker 2:In that particular company's example, if I remember correctly, the hacker had hacked in and delivered the communication over an internal channel, but when they looked at the path, they saw that it was actually originating from an external. So, looking at some of those inspection points and turning the dials to 11, but this is going to be an ongoing challenge, both inside corporations as well as in our individual lives. So how do we know what we see is real? It goes back to one of the very first memes on the internet, when you have, you know, a couple of dogs sitting at a computer and says well, no one knows you're a dog on the internet. Um, no one knows you're a deep fake on the internet either.
Speaker 2:Um, that being said, there are some really tools. Intel's put out an open source tool called FakeCatcher. There's a bunch of universities that basically use AI to detect deepfakes, detect AI and be able to understand and be able to see some of the subtleties, whether it's biomarkers or some of the ways that generative AI engines generate. The AI can be detectable and so the fight is on. We are in the cat and mouse game now of detecting the bad thing, the bad guy getting better at being detected, back and forth. This is that game, but the game is definitely afoot and, as we enter into both the social media as well as corporate communications, understanding how do I protect my brand in this digital age, it's going to require both proactive work as well as detective, uh, kind of approaches to be able to identify when things are being used maliciously.
Speaker 1:And I suppose in looking at, you know, being a CSO in a company, I can imagine it's so hard to... there's things happening all the time, every day. You know technology is moving so quickly. Now I think you know it's like the curve, the vertical curve that you know. But how do you stay up to date with the latest trends, technologies, threats? Does it have a good team behind you? What's the kind of best way to look at it? Do you think?
Speaker 2:Yeah, it's a good question. I would say there are probably two or three things that, you know, you should do, I do. One is, like I said, you have to have the right team, and this goes back to some advice I was giving everybody. Make sure you surround yourself with people smarter than yourself and listen to them. But a qualifier to that is having the right, more diverse team of folks. So, in the case of a CISO, not only do you need to have security hackers and things that are giving you the information of what's currently, but also have operations people, have business people, have others talking to you so you get a better picture of your situational awareness across the organization, across the industry. So surround yourself with a diverse team of folks so you get those varying different ideas and thoughts and early access.
Speaker 2:Keep your, you know, open your mind. Be ready to understand that you're not always right, and so you gotta be always learning and understanding. And the technology is changing faster than we can keep up with. Every time you get your handle on, okay, I understand how GPT works. Oh, now there's RAG. I gotta go figure that out. Oh, RAG is no good and we gotta do adoption training.
Speaker 2:It's constantly changing, especially in the AI space, and in the security space is no different, and so just be nimble and recognize you're not going to know everything, but keep the lines of communication open. In the case of a CISO, and I've worked with many CISOs over the years, one thing that they all agree on and has been really powerful is speak to your peers, and not just say hi at a conference, like have, you know, the red phone on your desk, or you can call up a bank or a hospital or another industry and talk to them about what they're seeing, because we've seen some great examples where, whether it be a regional bank would often see an attack long before the major banks did, because they were the beta test for the adversary, um, or something that was in healthcare transitioned to financial services after they finished successfully attacking healthcare.
Speaker 2:So that cross-domain, the adversaries aren't vertically aligned. They're about getting the money, getting the access, doing the damage, and that peer-to-peer communication is absolutely critical, and we see that across CISOs and cyber professionals, even in the vendor community. Even if you're competitors, having those open lines of communication with your peers at the other organizations because collectively we're all going after the same problem and CTOs and CEOs operate is we want to have smart people on team, but we also want to have access to smart people outside the organization and people in the similar roles at similar companies, at other companies.
Speaker 1:That's great advice, kind of getting that market intel. It's not about your competitor being your competitor. You kind of want fair game really and actually sharing that kind of things that are happening in the market in terms of security or threats. Then it's hugely advantageous for both, absolutely. What about quantum? Then it's obviously out there, Google have one maybe. Do you think that'll change things a lot in 5-10 years? Do you think it'll make it very challenging, or?
Speaker 2:Quantum's a really good question. So I can tell you quantum's going to come. I can't tell you when. If it's going to be five years, it can be 10 years, it can be 20 years. You know there's big debates about when a practical and the key word is a practical quantum computer that can do the things that we're worried about. Now we're already seeing some benefit on science where quantum computers are doing some interesting things. We're starting to write some really cool. We as an industry write some really cool algorithms that are quantum native. So there's a lot of really good research From the problem space everyone's worried about.
Speaker 2:Why we need a post-quantum approach is that there's some fundamental aspects of what quantum computing brings to the table that basically make many of our security primitives that we've been running on for 50 years become no longer secure or not secure enough. And that is the moment that you're really talking about, is when does a practical quantum computer come online that can apply Shor's algorithm and basically break RSA, Diffie-Hellman and all the other public key crypto systems? So regardless of when, let's say best case scenario it's 20 years away, there's three things we've got to keep in mind. One, it takes time to deploy new technology. So if I built a new software today, an add-on that is the post-quantum, I've got to deploy it to all the customers in the world that have it and I've got to wait until all of the people they talk to have updated. So, because you're going to have to have a hybrid mode for a while because not everyone's going to be on it, it's the same thing when we, you know, you move from one version of TLS to another, you still have to support the legacy version until everyone's on board. So there's a long period of time before you actually get to a post-quantum ready environment, even if you started deploying today. So that's step one.
Speaker 2:Step two, we're still working on the algorithms. I mean, we've got some good ones that are being looked at. NIST has published what are things that are big contenders, but we're still figuring out some of the cryptography and there's some heated debates in various parts of the cryptographic community whether lattice are the better way or hash function and, by the way, they may be great for a mathematic, but they all are terrible when it comes to standard hardware implementations because it's the hardware itself or the software environment that you're typically running in. Windows and Linux wasn't designed to handle the structures of lattice-based math, and so post-quantum cryptography is hard to do, which means we've got to upgrade our hardware and upgrade our software to support those algorithms. But here's the one thing that I think is really critical, why we need to act today on doing something, and this is the important one: even if it's 20 years from this moment in time before a quantum computer comes online, your data, whether it be national secrets, personal identifiable information, regulated information, needs to be secure at that moment, and the data that's being breached today, that's encrypted, the data that's being harvested off the internet today that's encrypted, is going into a database or into a storage farm somewhere waiting for that day.
Speaker 2:And so, even if we don't have a quantum computer attacking us today, we need to start implementing quantum-safe protocols, larger key size, and start doing the work, because when that moment happens, whether it's five years or 20 years from now, all the data from this moment, and probably from 10 years prior, will become available, and that is the problem.
Speaker 2:It's not that the data in 20 years could be attacked, yes, but it's the data going back in history that's just waiting. Now, if it's who you put money on for a football tournament, who cares, but your personal identification, we're all going to be around in 20 years. That's still going to be data that's going to be valuable. National secrets across every government. It's going to be regulated information, banking information, IP, pharmaceutical data, designs, all of this, everything that we take, that we care about, that we say this data needs to be secure, not just for this moment, but for any amount of time. That's why we need to start doing the quantum readiness and start implementing bigger algorithms, looking at the math. Why we can't wait for a quantum computer is because the data that's already being generated is what's going to be at risk.
Speaker 1:I haven't even thought about it like that. It's so interesting because it's like a cache of what's here now, because then I'll be able to know, oh, here's something from 2015. Here's all that data and I can just literally run through it very quickly. Exactly. Wow, right, okay, a bit more scary. I'm sorry about that. Yeah, that's all right. Um, I suppose kind of finish up on part two then is what kind of advice or, uh, what advice would you give to kind of like tech leaders working in security or architecture now?
Speaker 2:So I'd say there's, you know, three things that, and I like the number three, I think things come good in threes. One is, you know, understand your customer, whether that's an internal CISO or security professionals understanding their business units or security vendor understanding their customer and what you know, design your security controls, your security solution for the environment you're going after and get them involved, and that's really making it relevant to the organization as opposed to just it's the best security widget on the planet. That is number one. Number two is think like the adversary. Whatever security you're doing, whether you're the CISO who's constantly being attacked, or a security vendor who's trying to sell to that CISO, or a security auditor who's coming in, think about how the attacker is going to get in, how the attacker is going to use that data, what data would they go after? Understanding your adversary is one of the key tenets to how you can better protect yourself, and not just the adversaries you've seen. You know, it's not like, well, I've got these kinds of attacks, so that's my adversary. The adversaries are constantly changing and they're taking tactics, they're changing motives. So you have to be able to think ahead and think, okay, what would they go after if they did this. That kind of gaming of this nerves. And then the last piece of the puzzle is you will be hacked. It's going to happen. Whether you're an enterprise or a vendor, your product is going to be compromised.
Speaker 2:Have a plan, get it implemented and test it. Whether it be a disaster recovery, like we all went through this last weekend, or any other cyber event and that wasn't a cyber event, but cyber events will have the same effect, which is systems go down, you lose access. What is your business continuity and disaster recovery plan? What is your remediation plan if the bug is found in your critical tool? Have a plan and then game it, and that's the thing that I think people don't do often enough.
Speaker 2:They have a great piece of paper that says here's our plan, but they never actually run the actual plan through an exercise, and so when the fireballs go off, no one really knows what to do or have never actually done it. But running the scenario actually gives people comfortable so that when the event actually happens, the lawyers know what they need to do, the marketing people know what they need to do, the IT people know what they need to do and who they need to call, and that makes you more efficient and more resilient, because ultimately, the goal here is resiliency. We are going to be attacked, it's happening all the time, they're going to get in; how we respond and recover is really the mark of a mature organization.
Speaker 1:That's so important. Yeah, I mean because, uh, let's get the disaster recovery document out, let's say 2005 on it, oh no or worse.
Speaker 2:Yet it was sitting on a laptop that's currently crashed.
Speaker 1:It was painful moments. You were talking about the, obviously the worldwide. You know it was kind of catastrophe and that was a third party that applied a patch or makes us allowed to kind of like apply a patch on a basically Windows OS, and I think that's kind of what brought everything down.
Speaker 2:Yeah, so basically there was a, you know, it was a, basically, there's a malware detection tool that updated and they hook. Remember, in order to do their job, they have to hook low into the system internals of Windows, and be able to identify when aberrant behavior is happening at the lowest level. There was an update. It caused an error to basically flow down and cause a logic attack. Not attack, wrong word. A logic error that basically blue-screened to death a lot of systems, or caused instability or, in some cases, not just a blue screen, constant rebooting.
Speaker 2:There was a lot of adverse reaction to what was essentially a bug in a code that pulled down data that then corrupted the system, so it highlighted the fragility of the systems we run on. This is one small piece of data that took the whole thing down, and the reliance on digital technology across the board: airplanes, hospitals, government agencies and everyone in between. We still rely heavily on our technology and we need to have better plans for resiliency, both at the enterprise level. How do we recover from that kind of event? Because, again, I think the good news this time was it was not a malicious attack. It was a bug in a piece of code that we all rely on and that happened, and so the vendor was actively working with its customers, with the industry, to help remediate and identify the problem. This would have been a very different experience if that same kind of event had been from a cyber adversary who's not going to help you recover, who's going to encrypt their attack, who's going to try to hide the effects, and that would have prolonged, potentially, the recovery phase. And so I think this is a good eye-opening moment, like, okay, we had this event and it caused a lot of disruption, but I'm hoping that organizations and people individually learn from this.
Speaker 2:What do you do for yourself individually? Number one, make sure you have backup for your critical files because you're not going to be able to access them. Number two, make sure you have a plan for how to recover your system. Even if it is, I've got backup, I can go get a back computer and use that cloud backup or that USB attached external drive to upload it and get back to working state. How do you, in your personal life and of course then in the enterprise, recover, because these kind of events aren't going to happen again.
Speaker 2:And this is, by the way, people don't remember, this is not the first time. There was a similar event about 10 years ago, where a different company's tool did an update and crashed all the systems. 10 years ago, it's hard to believe, but just 10 years ago we didn't have as much pervasive technology in everything that we do today. Today it's even worse from the perspective of the sheer surface area of everyone using technology across the board could shut a country down.
Speaker 1:Couldn't it stop an economy?
Speaker 2:It shut down almost every country and most airlines. And yeah, it was a big deal, and the only saving grace, it was a Friday, so at least you had the weekend to work on it. Yeah, completely, I know, yeah, wow, no, that's so.
Speaker 1:That's really insightful. Thanks very much for going through that. Um, going into part three, then, just kind of some final, uh, personal questions. Um, what drives you, Steve?
Speaker 2:So I think that's two things that drive me. Number one is, like I said, the solving hard problems. I love the challenge of, you know, give me a big, hairy problem that there isn't a good solution, or something that's unique that no one has really tackled well before. I love problems, I love figuring out how to go about things from really odd angles and seeing if it works, and then the other half of that is having an impact. So great, you solved the problem, but seeing that it actually affects people, business, daily lives, saves lives, helps the world. I find that those two things get me up in the morning is can I go solve some big problem or help solve a problem and what's the impact? Can I have impact? And it can be on a team, on a company or on the world. You want to be those. Those are things that drive you. You know, get me out of bed and wear sides to coffee and my kids waking me up. And what would your favorite technology be just now?
Speaker 2:Then, or something favorite tech you love using? Lots of cool tools, so everyone's gonna say something AI, I'm sure, um, and there are some really cool AI tools. I think one of the ones that I'm using every once in a while is a plug-in that basically transcribes Teams calls, and what I like about it is it actually gives you the action items with who's with, so it folds the things that you need to know. I mean, we talked for an hour, but here are the two things I got told I have to go do. Great, I have those. They're in a Word document, I can put it into a task. I'm off to the races, so that's a really cool tool.
Speaker 2:But I think one of the coolest technology gadgets that I've been playing with is the Flipper Zero. It's a little hacking tool for wireless and RF, Bluetooth, NFC and other network things, and it's a little self-contained tool that allows you to go off and really test the security of a variety of different day-to-day IoT devices. I just find it's been fun playing around with some of those hacking tools.
Speaker 1:I've seen people videos of this, I think on TikTok or Instagram, where they're going into buildings and the RFID scanner thing and they're like there we go, or they're going to train stations and they're through the cross. It's crazy what it can do.
Speaker 2:It is, and it's like I said. What's nice about it? Because I have a variety of other little gadgets that do individual things, and I can do an NFC attack, I can do an RF attack. It's all inside the same little device, so it allows you to play around with multiple different things at the same time. It's just when I've got the 20 seconds of downtime. That's something to do. That's a little fun from a technology perspective.
Speaker 1:Helping companies out as well, exploiting vulnerabilities. After a demanding day at work, how do you kind of relax and unwind?
Speaker 2:Good question. I love to cook, so I've got two small children and we love to cook, and so that's really the way I separate from, because the only thing I have my phone for is if there's a recipe on it, otherwise it's in my pocket. And so cooking is really something I get to do with, and having the kids involved when they're home and not running around crazy is a great thing. And then the other thing I like to do is, you know, spend time with the family. You know getting away from the work environments. You know having dinner together, putting them to bed, um, those kind of activities. You know, when I was younger and not married, uh, and did have kids, you know I'd like to go, you know, play poker in a tournament or something like that, but nowadays I find that just sort of the simple things.
Speaker 2:You know cooking dinner with the family no, exactly same.
Speaker 1:It's a change.
Speaker 2:World isn it, but it's definitely worth it.
Speaker 1:Book recommendations that have influenced you.
Speaker 2:So there's one that I quote all the time and that's Good to Great, by Jim Collins. I got the opportunity early in my career. Peggy Weigel, my CEO, was friends with him and so she brought him in to give some talk to the executives. And I have to say it was funny at the time. I'm reading a nonfiction book that wasn't a cryptography book, just like, why am I reading this business book? She's like, Steve, read it, you'll understand. I read it and it was like a mind-boggling changing because it really got you to think, like I said earlier, what's behind the scenes, what's driving the business, and so his understanding of what is at the core of the businesses he analyzed.
Speaker 2:Like you think about a Starbucks or Walmart, you think of Starbucks as a coffee company. No, they're a real estate company. They're about having the right location to drive traffic into their store. And Walmart is not a retail organization, it's a logistics company. It's about how to make sure the shelves are stocked and have the inventory management. And understanding their business from a technology vendor perspective lets me understand what are their critical things that they care about. Does Walmart care about if somebody comes in and hacks the sale, changes the price of an item on the shelf? Or do they care if someone disrupts their inventory and logistics network? They care about both, but they care about the logistics network more because that's their core business. Understanding people's core business.
Speaker 2:And then the advice he gives, both in Good to Great and Built to Last, is around the team dynamics. What do successful CEOs and technology leaders look like? It's those that get the right people on the team and listen to them and drive them, and that's some of the best advice I've gotten. So I always recommend Jim Collins' books.
Speaker 1:I'll definitely go and check them as well.
Speaker 2:Both to technology people and to non-technology people.
Speaker 2:And then, for anyone who's an engineer working on security, there's a book, it's from back in the 90s, called Security and Usability, and in my startups it was required reading for every developer, because as we develop security products and technologies, if we don't make it usable, it won't be used. One of my mentors, Dan Geer, once told me that for every button you require a user to push, you lose half your users when it comes to security, and he's very close to right on that. If you think of not in the application you want to do, but if I have to do any extra steps I have to do to secure, whether it be send a secure email or access a site, every step you'll lose half your users. That was his maxim. And what really hits at the heart is you've got to make security seamless and easy to adopt into the flows or you're going to lose people. I mean you'll lose first your non-technical folks, but even if you make it frustrating and too hard, even a security professional is going to throw your stuff out very quickly.
Speaker 1:Yeah, no, I completely agree. If you've got a form to fill out and you see the next page, you go. Nope, quick and easy. Um, would your parents understand, uh, what you do in your job?
Speaker 2:So early on they had no idea. They were, uh, baffled by this whole technology thing. Especially, I was doing email security and they had just gotten on email. So, what do you mean I need to secure it? So it took a while. I think, uh, my parents did come around to understanding the need for security and how I was providing better security for the market. And then now, in my current role, I think they understand the function I do. They don't understand any of the language I speak when I'm doing it, but helping the government adopt technology and secure it against nation states, that much they understand. The actual bits and bytes, no.
Speaker 1:Big job. I'm sure they're very proud.
Speaker 2:Yeah, it's a very big job.
Speaker 1:What about dinner guests? If you could pick three, dead or alive, who would they be and why?
Speaker 2:That is a good question. I'd be looking for a heated, fun conversation. So who would I want to have dinner with? I would put it'd be across a couple of them. I'd put Neil Gaiman, the author of Sandman and other things. I'd like to have somebody who is there and sought out Keith Richards, and then I'd get someone interesting from a literary perspective.
Speaker 2:Well, actually, you know, from a history I'm thinking someone who saw some of the early days, like Ford, just sort of that industrial revolution, and so thinking about sort of science fiction, but not classic science fiction, sort of thinking the art of the possible Neil Gaiman, Keith Richards, just because cool music across the decades, and then someone who saw the Industrial Revolution and helped spawn it and sort of, you know, looking at today and where it's come. I think those would be interesting. I've had some very interesting dinner. I've been to some really interesting dinners throughout my career. I had the opportunity to have dinner with Vinton Cerf, creator of the internet, and Tim Berners-Lee and others. So I've gotten some really cool opportunities to hear from some of the technology. I think I want to go outside the technology domain and hear from some people who've lived cool lives.
Speaker 2:That's awesome I think I'll invite you to dinner.
Speaker 1:You've got a lot of stories to tell me now. That's fantastic, Steve. Thank you so much for your time. Have you enjoyed the podcast?
Speaker 2:Yeah, this has been fun, uh, really good time and a great conversation, thank you. No, really, thank you very much for making the time.
Speaker 1:Um, so I'll get it, uh, over to our marketing guy to start editing and hopefully, uh, maybe going for like the 26th of August. We're kind of like launching it. I'll try and get it back to you by maybe the 5th or the 12th, just to kind of give it a vet and make sure you're happy with it.
Speaker 2:That's actually perfect. I think we are going on vacation. I want to say it's like the 13th or 14th. We're heading out to the beach, so I will have limited connectivity. I won't say I'm completely disconnected, but I will be mostly disconnected for two weeks.
Speaker 1:I'm going away tomorrow for two weeks with the family, so I'm looking forward to the break and just spending time with them, you know.
Speaker 2:Awesome, well, thanks so much, Steve. Cheers. Thanks.
Speaker 1:Cheers, bye.
Speaker 2:Bye.