Preventing Cyber Attacks with John Davis, Federal Chief Security Officer of Palo Alto Networks

Automatic TRANSCRIPT

Welcome to Mission Daily. Today, Ian is joined by John Davis, Vice President, Federal Chief Security Officer for Palo Alto Networks, where he leads cybersecurity initiatives and global policy for governments around the world to successfully prevent cybersecurity attacks. On today's episode, Ian and John discuss John's firsthand experience with cybersecurity attacks, the current security landscape, and what tools and advice companies can use in order to improve their security. Mission Daily is created by our team at Mission.org.

I'm Ian Faison, chief content officer here at Mission.org, and we have on the other line John. What's going on?

Hey Ian, great day to do an interview like this. I'm looking forward to it.

Yeah.
Me too. So we met about two years ago, a little over two years ago, when I put on in investing Ethic Summit knows hosted by Palo Alto Networks. We have a connection because we both went to West Point, and the former CEO of Palo Alto Networks also went to West Point. So we have a little bit of shared history, and you have a passion for leadership and everything. I'm curious, you know, how's the world treating you since?

Great. I've been with Palo Alto Networks almost four years. That's after thirty five years in the military, and based on what I was doing when I left the Pentagon as the senior military cyber adviser, my role at Palo Alto Networks is actually very similar to what I was doing in that Pentagon role, and that's building and maintaining trusted advisory relationships with leaders of different organizations in order to achieve common interests and goals when it came into cybersecurity in the entire cyber buyer in Palo Alto Networks has over sixty thousand enterprise customers. Immerse maintaining trust in this digital age.

I'm curious, before we dive in. What would you say, like, what's the security landscape, you know, in the digital world look like in twenty nineteen?

It's a pretty astonishing thing, if you ask me. So the digital age, some people have called this the fourth industrial revolution, and I think that it's because the digital environment brings us all promise and opportunity of all shapes and sizes, and this movement, this direction, there's no stopping. There's no going back.
It's on a path with no u-turns, and as we are all increasingly connecting nearly everyone and everything in the digital environment, we're increasingly dependent on it for everything that we do, including our personal and public safety, our economic competitiveness, even our national and international security. But as a result of this path that we're on, we're also increasingly commercial, and as we connect everyone and everything, that risk, it isn't just that the scale is going to increase. I think the risk is that the impact of the vulnerabilities will become more dangerous. I mean, just think of it. We're connecting life-sustaining devices, public transportation systems, energy, electric grids. We're connecting all of this stuff, and so when there's a security incident in the near term and into the future, I think it's no longer just about a loss of, you know, personal or sensitive information, or maybe not being able to get to some IT system like a banking website because it's got a distributed denial of service. I mean, as bad as that is, that's just an inconvenience. Now, what we're doing by connecting all of these things, the national security, economic viability and even public safety could be put at risk, and I don't think it's hyperbole to say that in the future, as a result of cyber insecurity, people could lose their lives. I mean, I think that that is a possibility and something I really worry about. My sense, in looking around all the organizations, both public and private sector, that I advise and assist: the recognition of this, I think it's growing in leaders in both the public and private sector, this realization that this is going to be our new reality. But I think it's very uneven. The realization is uneven. It's more mature in some areas and it's much less mature in other areas.
Part of my job is to educate people, educate leadership, on why this is so important to consider, you know, both sides of the equation: the opportunity and promise alongside the vulnerabilities, the risks and the threats. Until people realize a personal impact in a meaningful way, something very serious, then I think the average consumer, they know cyber is something spooky and mysterious, but I think the public in general is behind in its understanding, as opposed to leadership for both public and private sector organizations.

Yeah, it's so interesting that you had such a long career in the military and can apply a lot of the principles of that to cybersecurity. I mean, I think for me, as someone who talks to a lot of cybersecurity leaders and as someone who, you know, was in the army and at West Point for a decade, I really feel the same way, where there's just a lot of kind of general spookiness, you know. I feel like a lot of people are scared of the unknown. How much do you think of the unknown, like, should become known? How much of the unknown can be more transparent or clarified so that people, like, understand the threat levels and how this all fits into their lives?

I think most of it can be known. Like I said, I consider that part of my job when it comes to leadership in public and private sector, and when I get the opportunity to do it for the general public forums, I try to do that as well. But you can't speak in technical terms. You have to put it in meaningful terms to people who may not have a technical background, and so
I think it's very possible to explain. You know, based on my military background, most of it was in airborne ranger infantry assignments and special operations organizations, but the last decade was in cyber assignments, and so as a result of that, one of the things that I have a deep appreciation for is understanding how well cyber threats operate, and I think that you have to be able to explain that to people in a meaningful way, you know, how they actually operate, in order for people to understand what to do in order to prevent most of what we're seeing happening around the world today. And I do believe the vast majority is totally preventable if you do, if you use some simple things right and if you leverage some innovation that's occurred in the course of the last decade as well. So I think, as I mentioned, this is going to become increasingly important for all of us to understand: the threats, the risks associated with not preventing what's going on. Where you wait, you're too late. When you've done something wrong, like clicked on the wrong link and allowed some threat organization or actor to come in and encrypt your files for ransom, now you're playing catch up. Now you gotta figure out what you're gonna do to clean up the mess. I think the prevention mindset helps you get ahead of that problem. In order to understand how to prevent, that goes back to a deeper understanding of what cyber threats are actually doing and how they're doing it, so it gives you a chance to implement a preventative mindset.

Do you think that, like, how much responsibility is on the organization versus the individual?

Well, I mean, I guess it would depend on the type of organization and what the business model is, what the role of the people in the organization is. I can tell you, just use the defense department as an example. So everybody's got a role to play, and there are,
there are basic standards, discipline, that everybody should be adhering to in order to reduce the likelihood that there's going to be a problem. But that's not going to keep everything out. A determined threat, a nation state threat for example, if it has the means, will figure out a way to get in. So now your challenge is not everybody as a user of that environment. It's really now and involves the, you know, the cybersecurity related organizations in that organization to ensure that even if something gets in, it ends up being stopped before a successful attack. And by that I mean, you know, all threat actors, they use this process to attack. It doesn't matter if you're a nation state or criminal organization or a hacker or a terrorist, espionage, military, it doesn't matter. The same process is used, generally, not always in this sequence, but generally in this sequence. There's reconnaissance and probing, then there's a development of a delivery mechanism to get to a target or victim, then there's the weaponization process, then there's exploitation of some type of vulnerability in the target environment, and that can be a human vulnerability, as in the case of spearphishing. Then there's the installation of malicious code. Then there has to be the establishment of a control channel, because usually wherever a threat enters into a network environment is not where they need to be in order to successfully do whatever they're doing: steal sensitive information, encrypt files for ransom, or destroy, deny, degrade, deceive if you're a military organization, expose embarrassing information if you're just a hacktivist. But that last step, you've got to go through all of these other things. That control channel leads to, you know, escalating privileged access, and then usually there's lateral movement. So once you've established a control channel, you move to that part of the network that you need to be in, in order to accomplish what I call
the successful attack, the end goal, regardless of what type of threat actor you are. Well, that process takes time, and so when we did it at cyber command it might take months if you wanna be stealthy. Nowadays, I think, you know, threats are using advanced capabilities, automation, machine learning, advanced tool and file sharing. The threats are getting better. They're getting faster by leveraging these new innovative techniques, but still it takes time. And so once a threat actor gets through the basics, which I think keeps nearly everything out, about eighty to ninety percent of everything out, if they do get in, now your challenge is to see and stop it at one of those steps along the path towards a successful attack, and the cybersecurity teams have to be able to do that. They have to be able to see, and visibility, and stop, have GROBIAN security controls in that enterprise environment. Now, you know what happens here. If you're able to do what I just said, now anybody who's attacking has gotta be right at every step along the way in order to be successful, and the defender only has to see and stop them at one point along that path in order to be successful at preventing them from accomplishing their objective. So that changes the whole dynamic. It actually gives organizations a real ability to go after that remaining ten to twenty percent of sophisticated attack sequences that basic standards, discipline, hygiene by every user in the organization can keep out if they just do those things right, and I'm talking about being suspicious of emails, you know, like you would be suspicious of anybody who shows up at your front door before you let them in, screen the same way, updating patches, making sure you have strong passwords, making sure you're using multi factor authentication.
There are a lot of things that every single person, regardless of whether you're in a military organization or in a business or just at home, a lot of things that everybody can do just to really prevent most of everything that we're seeing.

Yeah, I'm curious. Who are the folks that you're talking to in these organizations? Are you talking to CEOs, CISOs, CTOs? Like, what are those types of folks, and then on the federal side, what are the types of stakeholders?

So you see, they're all of the above. I call it C-suite. So normally it's the CIO, CISO crowd, but it also includes CFOs, CEOs. It also includes people in the SOC, SOC analysts. Yeah, in the military they may not have those exact same titles, but they basically have the leaders in the same type of role that you would find in the businesses, so commanders and, you know, operations officers and the cybersecurity teams. Those are the types of people that I talk to.

So when you're talking to, you know, CIOs or CISOs, what are their fears? What are some of the things that keep them up at night, that they're worried about as, you know, the digital age kind of continues to evolve and get more complex?

There's a long list that they are worried about, especially the CISOs and the CIOs. It's a pretty stressful job being a CISO. So some of the common things that I hear are, yeah, fighting for budget in order to be able to get the resources that you need to put the people, the amount of people you need with the right skill sets, the right technology in place, having the right procedures and processes for an organization. A lot of them spend a lot of their time working on that, trying to ensure that, you know, the basic people, processes and technology enable them to be successful.
Some of them worry about, you know, the worst case situation and how to measure risk. Increasingly we're finding that boards, when they're making decisions about, you know, giving you resources, they don't want to hear the tech speak about cyber threats, and they want you to put this into the language of risk management. Just like a board manages every other kind of risk, they are expecting CSOs and CISOs and CIOs to talk to them in plain English about, you know, what is the actual risk? What level of risk are we willing to accept? Give me options. I don't wanna on or off type of thing. What options of levels of risk, just like I make decisions on everything else? And then how do I know, what are the metrics and the measurements? How do I know that what we're doing is resulting in, you know, a successful outcome? Being able to answer those questions and do everything that I just said, it's not exactly easy to do for a CFO, CIO, CISO these days. So I think a lot of them are on this journey to figure out how to do that in meaningful ways so that they can explain things rationally to board members and the resources that they need to be successful.

Is there any things that, you know, we talk a lot about the modern CIO and, like, what this means right now, in this moment in time, where every CIO has different roles and responsibilities. It has fundamentally changed whether or not you own security, whether you own product development or not, whether or not you spend half of your time with customers. I'm curious, like, how do you see security in the organizations that you talk to? Is it something that squarely falls under, you know, a singular person? Is it something that, you know, the CISO's reporting up to the CIO? Obviously, you know, each organization's different, but I'm curious
if there's any trends that you've seen over the last four years that have changed with regards to how companies organize themselves around cybersecurity.

Yeah, I see a lot of change and I see a lot of different models. I think probably still the most usual model is a CISO reporting to a CIO, but I've seen where, you know, the information security role falls under the chief financial officer, the chief risk officer, in some cases directly under the CEO. It all depends, I think, on a lot of things, including personalities. For a long time, at least in my experience in the military, this idea of operate the networks versus defend the networks were at polar opposites. One was about delivering capability, the other one was about managing risk, and when one was pulling one way, the other one was, you know, trying to resist, and vice versa. And in the military that became, you know, over time, the security of networks was the little brother underneath the big sister of operate networks. Traditionally, security worked for the people whose job it was to make things happen, to connect things, make things happen, get the job done, and security was an afterthought. It was bolted on after the fact. That's changing because, you know, some of the things we've already talked about. The risk is different. The risk of serious consequences now, I would even say in some cases existential, is going to get existential. The United States government, the intelligence community of the United States government, has named cyber as the number one threat of the future over all other threats. So now I think that's caused a relook at, well, how do we balance these better, because we need both, obviously, but you need a better balance and you need to bake in security rather than bolt it on afterwards. Two things. One is the big trend in the industry right now is something called DevOps.
You know, the development of capabilities and the operation of them melded together so that it's a continuous cycle. It's not, you know, go through this long development process and get a final product after a longer period of time and then put it to use and then start looking again into the future. Now it's a much shorter cycle, so you get something that's good enough to move out, you move out and operate, and you figure out what's wrong and you go through that development cycle, and it's a much more agile and dynamic process than it used to be. The big thing now is where does security fall in, and there's this thing called DevSecOps, so baking the security function right in there along with the development of the capabilities as well as the operations of them, and that's what's happening in industry. That's the way industry is looking to find the common ground between the requirements of all three elements and find a better balance in a much more dynamic and agile way than we previously had done. If you look at, my second point was about the military example of this, and, you know, back in two thousand and eight we had a very serious, and I was a one star, was the leader of a joint task force that had the responsibility to direct the operations and defense of all these networks. Very difficult, some would say, I would say, impossible job, and about a month into that assignment, or maybe a little more, I get a phone call from a friend at the National Security Agency. This is no longer classified, by the way, this is now unclassified, but called me, as I recall, on a weekend, says you need to get on a secure line because we got a problem. I knew this was gonna be the start of a very bad weekend.

Yeah.

It was a bad start of a weekend. Yeah, we had malicious code in some of our most serious networks, including in combat zones, so this started a process. It's called Operation Buckshot Yankee. we were U. N.
In two thousand eight? Yes, yes, well, I was a junior at West Point.

Okay. Well, you know, I'd put a cot up in my office and slept out of it for Lord only knows how long, and we had daily video teleconferences with the very senior leadership of the military, explaining where we were in the process of identifying this infection, getting it under control and making sure that nothing from our sensitive networks got outside of those closed networks back to the Internet. It was a very long and traumatic process, but as a result of that, it was a near catastrophe for the military, and in my view that was the event that is kind of like the straw that broke the camel's back in the decision to create US Cyber Command. Yeah, though instead, and so that was two thousand eight. The decision was made to stand up cyber command in two thousand nine, and in two thousand and ten, in May of two thousand and ten, I got to be the very first director of current operations at Cyber Command. So now my responsibility was to direct the operations and defense of DoD's networks as well as directing offensive operations when authorized. So what happened here was, as a result of the near catastrophe, senior leadership realized the consequence of the failed organizational structure and model that we had in two thousand and eight and made the decision to bring together the people who operate the network, the people who defend the network, the intelligence that supports them, as well as the ability to provide cyber capabilities to integrate offensively along with every other military capability: air, maritime, land capabilities. That was a pretty big life altering example to me of what you're talking about, this, you know, realization that we'd better get our act together, because, you know, what happened was we put the integrity of our classified networks at risk, which would have caused severe national security consequences, so near.
That's a military example of what I think I see happening, as I mentioned, in a very uneven way unfortunately, the same type of things that are happening out in industry, where, you know, CEOs, they realize they can be fired for these large breaches, and same thing for CISOs and CIOs and CSOs, so that's changed. This is serious business now, and that's part of the reason why I continue to do this, because I feel like it's a mission for me.

It's a mission, yeah, and I wanna get into some of the cyber command piece of this, because I think that response is truly creating a best in class organization, which is hard to do from the ground up. But back to the story, and thank you for sharing. I think you're exactly right. It does speak to the moment in time of every organization when, you know, it's the classic adage, there's only two types of companies: those that have been hacked and those that don't know they've been hacked. And I think that there's truth in jest there, because I think that whatever, you know, whether or not you knew your vulnerability, and this was an organization where, you know, I had a secret computer, I had four computers on my desk in Afghanistan, all with varying levels. This is an organization that, you know, I would say at the time we probably felt like we were the most secure, and to have that not be the case,
I think it's the same way that a lot of CEOs, whether it's, you know, we saw from the Sony hacks, where we've seen, you know, different sorts of things over the past few years, the feeling of security and then when that stuff ends up being catastrophic. Now luckily you were able to get in front of it, and I'm curious, like, what were some of those lessons that you take with you, that when you go to talk about change management, when you go talk to CEOs and senior leaders at these, you know, Fortune five hundred, Global two thousand companies, that you bring with you and say, hey listen, this is what I walked into, I've sat in your seat, and you really need to take seriously?

Yeah, well, I usually tell them that story I just told you, for one thing, because they all love to hear real world war stories and that's usually a pretty good one to get everybody's attention. But then I try to, I guess I would bucket things in terms of best practices. I would bucket them in four categories.
One, the first one: basics matter. You know, going back to this idea of every person's responsibility: strong passwords and multi factor authentication, patching, keeping, you know, your stuff updated, your apps updated, being suspicious, always being suspicious of what's coming in your, you know, virtual front door. In the case of Operation Buckshot Yankee, we did that to ourselves. Yeah, that was us infecting our own networks and systems with thumb drives, moving between unclassified and classified systems, moving malware between those two and letting it get into classified networks. In my experience, the last decade worth of cyber experience in the military, human mistakes or human malice were some of the worst things that we had to deal with, like Buckshot Yankee and the thumb drives, or like insider threats like WikiLeaks and the Snowden disclosures. So basics matter, and in my view, and I really believe this, if you design a security regime around the expectation that people will do everything right, you'll fail. But if you get people to understand the basics, I think you can prevent eighty to ninety percent of what we're seeing happening around the world today. You know, once we do that, the threat's gonna advance. It's going to get more sophisticated, but I think that'd put a pretty big dent in what we're seeing. The second piece, the second bucket, would be mindset, and it gets back to this idea of prevention. I think for the longest time we've lived in a model of detect and respond after the fact. You know, you hear organizations say, some in the cybersecurity industry say, you know, it's not a matter of if, but when. There's no way to keep everything out. You just have to assume breach. I think there is a way to keep a lot of it out, but the mindset that, you know, you focus on prevention so that you reduce the amount of work that your security teams have to do when something does get in.
Now you're into detection and response before a successful attack, before the end goal of that process I talked about occurs, and I think if you focus on that, that mindset is one of the ways that you get after that ten to twenty percent that the basics are not gonna stop. Another way that you get after that ten to twenty eight percent is the third bucket, and that's what I would say, you know, we've been fighting machines with humans in cybersecurity. We've been fighting software with human, you know, manual actions. The threat has gotten very good at leveraging automation and software based advanced analytics, and we need to, as a community of defenders, we need to leverage that too. We need to fight software with software, need to fight machines with machines, and there is a lot of innovation that is occurring now in the cybersecurity industry that makes that possible. This is not a futuristic concept. This is available now. Leveraging software based advanced analytics like machine learning, like big data analytics, like AI. I think, for me, AI is a little bit more of a futuristic concept. I mean, we're gonna get there. Pieces of it are in place, but what's really in place today is machine learning. Machine learning is basically, there's two categories. One is you tell the algorithms what to look for and they do it. The other is, if you've got enough of the right kind of data, then you don't even have to tell it what to look for. It learns on its own, but you have to have really tremendous volumes of data from all the different elements of an enterprise environment, you know, on premises, data centers, physical, virtual, cloud of all types,
SaaS, endpoints, even IoT devices. You have to have the right data from all of that in order to be able to leverage unsupervised or unstructured machine learning, where the algorithms will figure out and determine good and bad on their own with a very high degree of accuracy. So this is a way to leverage, you know, automation and software based advanced analytics to see and stop a threat once it's penetrated, once it's in your environment, to see and stop it before it gets to the end of that, Lockheed Martin calls it the kill chain, the end of that attack process. And then the fourth bucket, I would say, gets back to you really have to understand how threats operate. You know, this is the kill chain. This is the attack process, and I'll go back to my experience when that terrible incident occurred during Operation Buckshot Yankee in two thousand and eight and we brought together the offense, the defense, the operations of the network and the intelligence. Now we were able to do a much better job of the offense informing the defense and vice versa, so as defenders we could really understand this attack process and the different types of techniques that could be used to move along that chain of events and end up with a successful attack, and create an advantage for the defender really. And then of course the defenders could help inform the attackers, and we were authorized to do certain things, that would make them even more effective and better by understanding how to get around certain defenses. But I will say one other thing, even with all those four buckets that I just mentioned. It used to be, about a decade ago, maybe a little bit more, the enterprise environment was fairly simple. You had perimeter, you had data center, you had device, and pretty clear boundaries between them, and everything, well, usually most things, were physical.
They were fixed and they were on prem. That makes it pretty easy to do what I just described with those four things. What's happened over the last decade or so is everything's moving from physical to virtual. Everything's moving from fixed to mobile. Even, you know, Internet of things, you know, connecting operational devices to that network. Everything's moved off the prem and is rapidly moving from on prem to cloud: public cloud, private cloud, hybrid cloud, multi cloud, and even, you know, SaaS, software as a service, in the cloud. And the perimeter has all but disappeared, so now rather than, you know, boundaries between the perimeter, data centers and devices or users, now it's really about the boundary, or defending, around users, applications, content and the devices that they're on, and making sure that only authorized users are allowed to do authorized functions using authorized applications, authorized content, from authorized devices, and anything else is automatically stopped, you know, by default, unless you create an exception. You know, so I guess there's a, maybe not a fifth bucket, but you have to kind of wrap this thing in an overall context of consistent and continuous visibility and security controls across all those pieces of the environment. If it's not the same, not consistent security and stability, then you're looking through a soda
straw at different parts of your enterprise environment. You're trying to piece all that together, and that usually overwhelms security teams that are trying to figure out what's going on in their environment. If you take the approach of consistent and continuous visibility and security controls across all those different parts of a very complex environment these days, then you're able to more consistently use those buckets that I just talked about, especially the second one, third one and the fourth one. So it gives you the opportunity to catch a breach before it's successful. That's best case. Worst case, you're able to limit the impact of a breach even if it begins to, you know, be successful.

Yeah. You know, it's funny, hearing the story of Buckshot Yankee reminds me of all of the user centric rules that we put in place that kind of rolled down to my level. I remember it was, for any officer, it was a GOMOR, general officer letter of reprimand, for using a thumb drive, like automatically, you know, which essentially at that point in time was like a career ender. In Afghanistan we saw, you know, a handful of people in the process that, you know, put their phone into, you know, into a super computer, into the USB drive, like all sorts of stuff like that, and I remember watching with delight as the six, they blowtorch in our talk, and they would blowtorch the person's phone in front of them. But I think it's emblematic in this kind of idea that, I mean, I couldn't imagine what people, this was like the very, very first days of those devices being able to be used in kind of that way. There was no, you know, bring your own device to work. There was no, you know, work being done on personal devices other than kind of, you know, text messaging here and there. I'd imagine the military today is completely different
with how many devices are being used and I would say that our technology stack back then when I got out you know in two thousand thirteen was extremely limited compared to what I've heard. You know it is today. I'm curious like what's the state of of the military technology orgeon for structure now. Well I think ever since two thousand eight the military has been on this journey has taken this very seriously as invested tremendous amounts of resources has trained a cyber mission force to do by the way the cyber mission four hundred thirty three teams only thirty three of those are offense offensive the others the rest are either strategic defense tactical defense our support team so if cyber command was created out of a defensive. Is it purpose most people think it was to attack things it really that was a part of it but his a smallest part of it so I think the military because of this you know this whole evolution this started out of a near catastrophe has really changed the organizational structure the training the skill set the capability development and taken this very seriously and I and as a result of that I think the military is in pretty good shape. I mean are are there. Are there places where it can be better sure we are in the military is is a client of ours and we are has clients that we serve and of course we try to help them do that but but there's this this notion I think and this I won't just say this is the military I think a lot of organizations have the same mindset and this is a legacy mindset and I think this is holding some of us back. It's the mindset that I've got to have a tool for every single thing every single every single part of that attack process there's probably hundreds of different companies that build tools purdue that one one little thing and that enterprise environment you know antivirus or are sandbox or there's there's thousands of examples you go to our. 
SAS Convention every year in San Francisco and you see you know I forget how many thousands of of vendors there are out there but they're losing individual tools. It's over over two thousand yeah yeah so so what happens as a result of that. When you got a legacy mindset that says well I gotTa have one of everything and I can't put all lags in one basket you end up with overwhelming the security teams that you have because they got figure out how to make all this stuff work together and and that's another thing getting back to an earlier question that I hear from a lot of you know security executives. Is there in insecurity security tool overload to make them all work together. It is just overwhelming and so some organizations military is one that has hundreds hundreds of tools individual tools and for every tool they baton environment it takes a person to test it takes a person to operate it takes a person to read the information that comes off of it and it's just an ever increasing need for people and there's a better way to do this. You know organizations like mine. We see this as the trend is happening. Now is really good. CYBERSECURITY organizations figure out how to do all that for you so that you come in with an integrated platform an integrated suite of products that are all designed from the beginning to to connect with and inform and work with one another rather than relying on the security team to go figure out how to do all that orchestration was determined just for some unreason had a block against but that's called orchestration and and security lingo at is extremely complex complex undertaking and it just it wears out security organizations so I tell people when I go around and I said you know this legacy. Mindset is like like you know if cybersecurity were like buying an automobile. 
This'll be like you sending your security teams out to two hundred different auto parts stores, buying a bunch of parts and bringing them back to your organization and trying to figure out how to build a car. That's exactly what it's like.

I love that.

So cybersecurity organizations of the future, this is happening now, need to become more like dealerships. And maybe you don't put all your eggs in one basket, maybe you decide you need a high end model for some type of make and model and then need another one, and maybe have two or three, but not hundreds. And so I think, to me, this is a trend of the future. This is a way to simplify all of that confusion, all of that complexity that exists in most organizations today, and complexity is your number one enemy, because if you have so much complexity and you're looking through soda straws in different parts of your enterprise environment, you're not gonna see and stop threats before they're successful. That's why it gets back to that consistent and continuous visibility and security controls across the whole set of complex portions of your environment. It reminds me of, General McChrystal had this notion, and I think he started it in Iraq but migrated to both Iraq and Afghanistan, and it was called, you know, the intelligence systems, all these different intelligence systems would be responsible for one specific part of, you know, detecting and determining, you know, an insurgency or terrorist organization, but they would fumble the handoff from one to the other, from, you know, signals intelligence to human intelligence. It was just chaotic. He was looking through soda straws in different parts of a very serious threat environment and he called for what he called the unblinking eye. So that was the consistent and continuous melding, integration of all these capabilities to focus in an area and figure out the terrorist network associated with that in order to conduct operations. Security officials in today's organizations need that unblinking eye approach to cyber threats.

I love that, and that car analogy, it's great. All right, let's get into the lightning round, thanks to our friends at Lightning Platform by Salesforce. Go to salesforce dot com slash employee experience to learn more about employee experience on the world's number one CRM. Lightning round questions, fast and easy. John, are you ready?

Hope so.

Number one: what app are you using on your phone that's the most fun?

Oh jeez, I would have to say, I don't know if it's the most fun, but it's a very useful one. It does automatic capture of a business card so I don't have to keep stacks of cards. It scans it in and automatically populates a database, the catalogue of everybody that I might get a business card from.

That's a good one. What about a favorite book or podcast that you've read or listened to recently?

Oh, well, favorite book, I read a fascinating book by Max Tegmark, Professor Tegmark at MIT. It's called Life 3.0. It's a look at the far future and where we're all headed as a human race, well, as a human slash hybrid race, because if you look, you know, life 1.0 was essentially the single cell organism. We're life 2.0. And life 3.0 is gonna be some version of turning into hybrid machines, because it's the only way we're going to survive an exploding sun in the end. So if the human race is to survive, this is a path that we need to be on, and it brings up all kinds of questions about our ability and the future, but I would recommend it. Fascinating reading.

That is fascinating. What about, why did you get into technology in the first place? Were you interested as a kid? How did that come about?

You know, I wanted to be a soldier. My version of technology was a Texas Instruments calculator hanging off of my hip. We didn't have computers. I took computer science then at West Point and it was Fortran and COBOL and I hated it. Most of my career was, like I mentioned, in Airborne Ranger special ops assignments, but then I got involved in information warfare in the mid nineties to late nineties. The Army came out with an information officer career field. I became one of the first. I found it fascinating. I was the information warfare chief for JSOC, Joint Special Operations Command, and then later on for US Special Operations Command, SOCOM, and cyber, we didn't even call it cyber back then. We called it computer network operations. It was a part of information warfare, and so that's what got me into the last decade of my career in cyber related assignments, was this evolution from doing information warfare and special operations in that community back into the, you know, what developed as the cyber community for the military.

What about, what do you do for fun?

Oh, right now I'm waiting on back surgery, so not much now, but I ruptured a disk, but that's a long story. I like to work out. I like to run. I still keep up with a good workout regimen in terms of weightlifting and running. I had to put that on hold the past couple of weeks. I love reading. I like to play golf when my back's not bad. But most of all, I think, besides spending time with my family, which I really, really enjoy, you know the sacrifice that you and your family go through when you're in the military, so after I've retired I've had a chance to, you know, spend more quality time with my family and go on some trips, and that's been really nice.

What's your best advice for a first time CIO or CSO?

I would go back to those four buckets I talked about, but I guess if I had to put it into one sentence it would be: learn to speak the language of business and risk management, and that'll be key to success for you, rather than the language of technology. That, you have to know it. I'm not belittling that, and you definitely have to have your skill set there, but in getting what you need from the people who make decisions about money, you need to speak the language of business, and that would be my number one advice.

What question do you never ever get asked that you wish you were asked more often?

That's a tough one. I get asked a lot of questions, and say, do I wish I was asked. Let me think about that one. Let me come back to that one.

Yeah. We'll do all it over where you're asking the rest. That's it, that's all. That's all we got. What about, I guess we should do, like, what's the future for Palo Alto Networks? What are you excited about going forward?

I'm very excited. I said I consider this a calling, a mission. I think that it's something that is of great importance to the world, and so I believe in what I'm doing. I believe that the culture and values of the company that I've joined are top of the line. That makes it very, very, very exciting to go to work every day. It makes you look forward to doing what you're doing, and I get to help people. And now I get to help people and organizations of all types, so if every day is safer than the day before, if I've had any part in making that from a cybersecurity perspective, that's a good day for me.

I love it.

I had an answer for you to the never get asked.

Yeah, let's do it.

How do I stay this good looking at my age?

What's, sure, what's your two mile time about these days?
Do you think you can still get a three hundred on the PT test? That's my question.

I don't, now. I don't think I'd get a three hundred. I didn't get a three hundred during my career, but I'm probably at about a fifteen minute two mile right now, and I don't think that would give me a three hundred.

Fifty minute, that should be, it should be max, I think. I don't know. What was your fastest time?

I think my fastest time was right around eleven.

Quick guy. John, this has been awesome. We really appreciate it. We've got to have you back. There's more stories our listeners would love to hear, so excited to hear about the work at Palo Alto Networks, and just thanks for sharing.

Thanks a lot. I enjoyed it.

Mission Daily and all of our podcasts are created with love by our team at mission dot org. We own and operate a network of podcasts and a brand story studio designed to accelerate learning. Our clients include companies like salesforce their customer times five zero and Capterra, who work with us because we produce results. To learn more and get our case studies, check out mission dot org slash studios. If you're tired of media and news that promotes fear, uncertainty and doubt, and if you want an antidote to all that chaos, you're at the right place. Subscribe here to our daily newsletter at mission dot org. Each morning you'll get a newsletter that will help you start your morning and your day off right.
