What is Resiliency? - Ep. 103
Resiliency is a word that has been kicked around government for years, but what does it really mean? Former Chief Security Strategist for DoD / Intelligence Community and current Forcepoint Commercial Products CTO Petko Stoyanov shares his perspectives.
Episode Table of Contents
- [02:00] How Do We Ensure Resiliency
- [05:57] Cyber Is Not the Solution
- [11:25] Building Castles and Moats With Lots of Security
- [15:47] Focus on Resiliency
- [23:26] Know Thy Enemy
- About Our Guest
How Do We Ensure Resiliency
Carolyn: Today, we have Petko Stoyanov. He's Forcepoint Global Government Commercial Product's CTO. Good morning, Petko.
Petko: Good morning Carolyn and Eric. Thanks for having me, I appreciate it. To your audience, make sure you smash that like button.
Eric: It's always nice to see you in your personal bunker, Petko.
Carolyn: I'd like to start by having you tell us about yourself. Give us a little bit of your background.
Petko: I just recently joined the Forcepoint, coming from McAfee. Part of McAfee, I spent almost like two decades at this point, working across the DoD across civilians. Across the teller's committee, just helping our CIOs and CISOs really implement technology to fix the challenges they're having. During that, I kind of joked around that I got into cyber backwards.
What I mean by that is I started building weapons systems overseas UAVs, unmanned aircraft, radar systems. As we're doing this, we have to start worrying about how we protect this technology.
Petko: Especially when it's in areas we don't trust, if it's in countries, we don't trust. How do we ensure resiliency in those systems? How do we protect the data? Eventually, that kind of got me into the cybersecurity run as one of the capabilities that we had to look at. So going from high-performance computing, UAVs to cyber.
The Battlefield Is Also on the Networks
Petko: When you get into cyber, you realize, this isn't really much different from what I was already doing. Just meeting mission requirements, making sure our users can use the system they have while they're fighting every single day. They're on the battlefield and the battlefield is not always in uncontested lands overseas. The battlefield is also on the networks, on the internet, at home where we're all remote.
Eric: In fact more and more so these days. Petko, I heard you say, 10 plus years ago, you were thinking about building cyber resiliency. Cyber protections into commercial kinetic type products that were being sold to the government.
Petko: Excellent point. When you're working with the US government, I always use the example of, do you buy, build or partner? Do you go buy the technology you need and bring it in? Or do you partner with the systems integrators to get what you need, or you just build it in-house internally? We've seen lots of us over the years where we have GOTS that's created just for GOTS.
Petko: You have GOTS and modified to become modified GOTS. The maturity of those products, the resiliency of them varies based on what was actually implemented. I've found depending on the program, depending on the mission, some of the software's more resilient than others. Resiliency is everything from the ability to withstand an attack from a number of vulnerabilities to be able to scale.
Petko: So when a claim system is trying to process unemployment records, for example, can you do a 100? Can you do 100,000 claims per minute? That's a huge difference. When COVID hit, there’s one of the areas that we talked about with the state's CIOs.
More Than Just Cyber Resiliency
Petko: How do we process all the massive unemployment claims that are going to come in? Some of the state's CIOs were still bare metal. We still have a lot of legacy workflow systems that literally can only do 50 a day. You've got a million coming. How are you going to scale that? Some of them migrated and monetized their architecture quickly. They did it over a month or two. Others, the ones that are further along were able to withstand that tsunami of needs that was coming.
Petko: I define resiliency of much more than just cyber resiliency. Rather, how are we resilient in terms of our daily operation and meeting the mission needs? Mission could be an agency doing its business, mission could be a system that has to operate overseas. We need to make sure that we don't have downtime and we have more time on mission.
Eric: It's interesting. We had Dave McDonald a couple of months ago, talking about the CIO being the chief resilience officer. You and I have spoken about resiliency. We know that in the industry, both on the vendor side and the customer side. Resiliency means different things to different people.
Carolyn: I was talking to some colleagues last week and this word resiliency has been tossed around for years. As long as I've been with the government, we won't say how long that is. Even some guys that have been in the industry like me for years and years, some of them decades. They said to me, what does that mean? Why do you keep saying resiliency and what does it mean? I've seen it associated with, like FEMA says, continuity of operations.
Cyber Is Not the Solution
Carolyn: I like what you just said that it's a lot more than cyber. So, let's unpack that a little bit more.
Petko: Cyber is there to really just protect the mission needs, the workflow, the people. The guardrail is the way to look at it. Cyber is not the solution, cyber just tends to be part of that problem. The Defense and Justice Agency defines they have four pillars for resiliency and it's kind of interesting. They look at it from the human side, they look at the mental, the physical, the social and spiritual.
Petko: Think about all the active shooters we've had over the years. How do we protect the people, making sure they're in the right state of mind? Making sure they're not being coerced externally by others. In a large organizational agency, their main goal is the mission itself. An Individual's mental health, physical, spiritual, social is part of that.
Petko: That whole workflow that tends to happen in order to meet the mission needs a mix of a cliche thing. People, process, technology, if you will. Are the people resilient, is the technology resilient, and is the process resilient? They’re three different things we need to look at. From a technology standpoint, we've had some great inroads with cloud services and be able to scale and adapt.
Petko: With people, we really don't focus on the resiliency of people enough. From the process standpoint, if you have the right people, the right technology, they'll figure out the process. It is definitely true, but what happens if those people leave? I'll give you an interesting statistic. I read somewhere that recently 800,000 women left the workforce.
The Ability for the Business to Continue the Mission
Petko: Because of distance learning, some of them said, I'm going to take a couple months off. Just make sure things are stable and mental and the kids are safe at home. What happens when those people leave and the process is never documented? The technology wasn't working without the people in the process.
Petko: Organizations and agencies and enterprises are now revisiting resiliency. What happens if a certain part of my workforce leaves, what if we lose that knowledge gap? Or what if we have situations where it's not an external issue? Instead, it's an internal issue where people literally leave. It takes data.
Eric: Do we define resiliency as really the ability for the business to continue the mission?
Petko: Spot on Eric.
Eric: It could be internal factors or external factors that really impact our ability to continue the mission.
Petko: What I love about resiliency is it's much more than just government focused. We've seen a lot of government agencies and a lot of even enterprises adopt Zero Trust. Zero Trust is definitely big because now we have to figure how to grant them access from home to the data. Resiliency is going to be the next thing they start looking at.
Petko: It’s what happens when we've been able to have access to their data. Then we realized those people are no longer there like we used to have. We have to constantly adapt. That resiliency is going to be a big thing next year, as a focus for the US government and also smaller enterprises globally. They realize Zero Trust's a technology solution, we don't sell the people in the process solution.
A Buzzword of the Day
Eric: I hear when I talk to customers, it's almost like lily pads, we leapfrog from one to another. It's SASE or it's Zero Trust or ZTNA or Next Gen Firewall if you want to go back or Sandboxing. Resiliency is one of those topics in machine learning and AI. They're also rapid, but resiliency is one of those concepts that's ill-defined. It keeps coming up and it's a buzzword of the day.
Eric: Carolyn, what would you do if you were a CIO and your boss came to you. He says, I want to ensure resilience across this business, where do you start? I get it. People process technology, but where do you start?
Carolyn: Going back to our episode with General McChrystal a couple of weeks ago, he talked about resiliency. He talked about it as far as information goes and it fits right into what you said, Petko. It’s about making our people resilient. He was talking about making sure that information was getting out to the edges. It wasn't just a command and control.
Carolyn: It makes us resilient when we start to function like the cardiovascular system. We're pumping that information out to the edges, to everyone, then we become resilient. I need to add something very important. It’s not just sending the information out, but empowering our people, everyone to act. Not just empowering but also expecting them to act. That kind of goes to the personal that you were just talking about Petko.
Eric: I like where you're going with that Carolyn.
Petko: I 100% agree it's about the data, it's about the information. It reminds me early on right when COVID hit.
Building Castles and Moats With Lots of Security
Petko: I remember talking to certain customers in certain departments. I'm not going to name, but one of the challenges they had is they sent everyone home. They didn't have laptops. How do you get them access to the data if they don't have company agency laptops? Do you expect them to use their personal devices?
Petko: That personal device, let's say a cell phone become in-scoped for any future investigations. That'd become a target now. In the case of most who had laptops, they went home. A lot of governments, agencies have built these castles and moats where you built lots of security in it. What happens when all the furniture leaves that building?
Petko: When all the furniture leaves the castle and you still have to protect the furniture. Your moat's not there. You don't. What ends up happening then is to get more VPNs. That's just the old way of looking at it, let's bring all the data back in. I remember talking to a CIO who literally said I need 500,000 VPNs. I’ve only had enough for 10% of my population. Wow, only 10% of your people can log in and do work.
Eric: That's a problem if they have a system.
Carolyn: What about the systems? Let's say they don't even use their home devices to connect. They're using their work devices and their four-year-old's working on their work device. That just opens up a whole new can of worms.
Petko: Back to resilience, we've got to look at it more of a holistic way. Some of the areas that I've seen, like some of the tech companies like Google and others.
Getting Things Done on the Mission Side
Petko: They've started looking at individuals. If the people are happy, if they’re able to work and function, they’ll be able to support the mission. That's extremely important. They will find ways to be productive. They’ll find ways as long as they're incentivized and part of that mission. They need that mental, physical focus to say, let's get this done on the mission side.
Carolyn: We all know that security will get thrown out the window. If they need to complete the mission, security loses.
Eric: That's a multi-level problem.
Petko: We know for a fact tons of Shadow IT has happened. I remember talking to certain individuals who didn't have laptops at home, literally. There were no resources on certain networks on the low side, but what do they do? They use Zoom, they use Slack, they use Facebook just to get it out to the workforce. Can you imagine a general saying, I need you to talk to your employees. I don't know how they don't have a cellphone.
Petko: I can talk to them. But how do I get the emails and data I'll send to their personal Gmail? Is that the right thing? Or let's set up a separate Zoom. Let's set up a Facebook or Slack channel just to put the data out. All of a sudden, you have all these little buckets of information everywhere, thousands of them. It's almost like a Shadow IT problem. All that data was being uploaded because certain folks were trying just to do work.
Eric: They were trying to get the mission done. I know you've got a deep background in the government and defense and IC where mission trumps everything.
People, Process, and Technology
Eric: You said people, process, and technology when we're talking resiliency. It reminds me, back in the day, if we have the right people, if we fundamentally start with the right people, does that allow them to employ the right process and technology to accomplish the mission?
Eric: You could have all the technology in the world. If you don't have the right people who can adapt and overcome going back to General McChrystal, does it matter? This is really the question, are people the most critical piece? Are they the fundamental underpinning to resiliency?
Petko: They're the most adaptable because without people we don't have the right process. We don't have the right technology.
Eric: Which, on its own, it can't adapt.
Petko: I heard on an earlier podcast you had, there's a war on talent out there. There's a war-making sure we can get the right people, not just any people. And if you have the right people, they can figure out the process with the right technology. But the key is making sure that people are able to give that feedback loop to that process. How many times in a larger organization you're like, well, this is the process.
Petko: We've been doing this for 50 years like this, that's the first problem. You're doing it too long, you have to change. You have to put a forced change in there sometimes. Where you force folks to look at the process and improve it, let the people make the changes. Without that, you're never going to be able to transform the technology. You're never going to transform the people. You’ll never transform your process to support your future needs for your mission.
Focus on Resiliency
Eric: Carolyn's a new CIO. Her director comes to her and says, I need assured resiliency. I need you to focus on resiliency. What I'm hearing you say is focus on people. Don't go out and buy a whole bunch of technology, don't set up 15 data centers right now. Focus on your people first and the rest will flow.
Petko: Most CIOs I've talked to will start first with infrastructure. Can my systems even stay up? Once they got past that, they started saying, well, how do we do business? Well, this is the process. The question should not be about the process, but how do people do business? How do they communicate? Are they being effective?
Petko: Once you have a stable base infrastructure, focus on the people. Let them update that infrastructure to what their needs are. Are there working groups that CIOs have set up? There are tons of COVID working groups. How many of them are set up for how we can work better in the work environment after COVID? How do we work next year?
Petko: In the government, they have lots of classifications, different levels of clearances. Are we able to work from home while being able to access secret equipment or top secret? Is there a way to access that data where we can protect the data? Bring the people to the data or the data to the people. Maybe there's a way we can just bring the pixels to the people and not have them touch the data.
Carolyn: That's a good point. If the infrastructure, if the heart's not beating, then you're dead before you begin. It seems like that infrastructure, you can really get mired down in that.
Base Internet for Communication
Eric: It's not quick to change it either.
Petko: It depends on how mature your organization is. We've seen lots of CIOs get stuck on, are you using the tools or is the tool using you? Are you stuck there trying to maintain that tool? I remember talking to a cybersecurity group. I’ve found that 80% of their people were just trying to maintain the tools, not even use it. It's a common thing.
Petko: That's why I keep saying you need some base interest for communication. I didn't say all infrastructure, I just said communication. Once we do that, we've got to find a way for the people to do what they need to do. We're seeing that in the federal civilian space. We've seen them communicate over Office 365 very effectively.
Petko: Others, in certain elements, they are rethinking how to protect the data when it's outside the skiff, outside the base? We're going to start looking at resiliency as not just the people, the process technology. Rather, how do we enable the next level where it's distributed computing, distributed remote work? That's going to make us really resilient long term.
Carolyn: That's a really good point. You didn't say all the infrastructure, which is what I heard. You clarified and said, you just gotta make sure communication can happen first. Give us the top three for this new Cisco, or any company that's trying to become resilient.
Petko: The first step is understanding what your technology is. I cannot tell you how many teams I've talked to who have literally no idea what's on their network. They know they have lots of technology, lots of vendors. If you say, give me what that technology looks like, they can't give you a map.
Looking at Things at a Holistic Standpoint
Petko: The second is, how do your people influence that? My background is system engineering. I have a habit of looking at things at a holistic standpoint. Everyone's a stakeholder, the people are the stakeholder, the system's a stakeholder. Even vendors are stakeholders in this because you'd be amazed if we partnered with vendors and share what our challenges are.
Petko: They're more open to supporting that mission and aligning your expectations with them. Sometimes, as a CIOs, we tend to keep technology vendors outside and just try to solve it internally. There needs to be a holistic working group or just openness. Here are the challenges we're having, how do we do X?
Eric: It's amazing, it's so hard to get what problem you are trying to solve. It is so difficult to get that out of a customer or a prospect.
Petko: From a technology standpoint, we figure out how people are using that technology. We can easily figure out the process and update it afterwards.
There are behavioral tools out there that actually can identify what people are doing, how they're doing it. What order they're doing it when they're working, how many emails are sending.
Petko: Who's getting those emails, who's seeing them externally from your agency. What communication paths are important there? You truly find not just Shadow IT, but rather the supply chain shadow. I call it supply chain shadow, that happens and all those other things. You'd be amazed at how much collaboration happens outside government systems and comes back in.
Eric: It is not your Shadow IT, sometimes it's friction. It's just a non-optimized workstream or something like that.
Whose Job Is Resiliency
Petko: If they find more about, imagine how the CISO and the CIO can now understand what their employees need to do business. The CEO's job is an enabler for the mission and for the employees. CISO's job is to protect the data and a lot of times do compliance and implement other systems.
Eric: So whose job is resiliency?
Carolyn: You started with the human side of it being resiliency. If it's not the CISO that's protecting the human part of it or nurturing the human part of it. Those four pillars that you talked about, whose pillars are those?
Petko: The CIO ultimately kind of owns the mission. Look at the mission of the agency, you have to say, what do I need to accomplish that mission? It's not always focused on that individual. CIOs tend to get stuck with technology as we all know, the care and feeding, maintaining it. They're trying to align to the mission needs.
Petko: The CIO ultimately owns the information that is owned by the individuals and to accomplish the mission. CISO is a stakeholder in ensuring that the right security is wrapped. Around that information communication infrastructure and getting the mission done.
Carolyn: We've got your top three. We first catalog your technology, understand what you have. Understand how your people are using it and then update processes. That's really hard in government because we like to do things the way we've always done things. In general human nature, we, from the government, really like our processes. Updating those processes has got to be hard.
Eric: Not if you have the right people. People who can think out of the box.
Know Thy Enemy
Eric: Look at how General McChrystal and Team of Teams took great people. They changed the way they went to battle, the way they ran operations. You can do the same thing. Whether you're running a school and need to get laptops out and internet connectivity because of COVID hit. You're a government operation, whatever it may be. If you have the right people, going back to the people side, they can think about and overcome these challenges.
Petko: I'll sum it up with this. Sun Tzu wrote The Art of War. He gets usually quoted for "know thy enemy". As a lot of government agencies, we tend to focus so much on what's happening outside the agency. How many of them actually look inside the agency? The full quote from Sun Tzu is really about, "know thy enemy and know thyself".
Petko: We tend to forget the know thyself. If you only know one of those pieces, it's not enough. We got to know ourselves in terms of our agencies, our people, our process. Know what's happening outside. What's really happening in industry that could affect our mission could affect us. We need to apply more of know thyself, instead of know thy enemy.
Carolyn: The “know thyself”, that's hard. We don't want to look, we don't want to admit all the flaws, then make those changes, but so important.
Eric: How do you define resiliency in your personal lives?
Petko: It's kind of funny on a personal level. My wife's taking a little bit of time off and trying to balance the whole distance learning with the kids. I mentioned earlier those 800,000 women that took time off to school distance learning. I've got three young kids, they're elementary age.
Applying Resiliency Starts With Mental Health
Petko: The whole distance learning has really been challenging, at least for my kids. Do I want to sit in from a laptop for six hours a day? Mind you they're six years old, five years old, is that really effective? Is that really what they need or is something better? I remember getting emails from certain teachers saying they're not in this class or that class. Well yes, because they're outside playing.
Petko: I'd rather have them do that and make sure they're physical outside, not physical in front of a screen during Zoom. That's not conducive. Applying resiliency, we started with mental health, making sure our kids are mentally sound. We kind of see this year as it's kind of a wash in a lot of ways.
Petko: My wife and I were both augmenting our kids' mental health with some school classes. My son loves to learn so we literally got him a first grade book.
He'd just been going through it line by line himself, doing his math and everything else, it's amazing. We found just a little bit of homeschool if you will come of age.
Petko: They're still doing the active public school system. We're augmenting it with homeschool where it makes sense, making sure they're mentally sound. It's actually bringing us closer together and we're really understanding the people. Understand the process and use technology to get to make that kind of come across.
Carolyn: I love what you said. It's actually bringing you closer together and I found that in my personal life. I've formed bonds, even with my friends that would not have happened without this disruption.
Our Most Important Asset
Carolyn: Back to your point of we have to nurture and our talent, our people, they're our most important asset. As a mother, if my kid's in distress, nothing else matters. I don't have resiliency for anything else. So it's so important that we hold space, sorry, I'm also a yoga teacher. That was that new-agey phrase just came in, but that we hold space for that. We're patient with one another. What about you, Eric?
Eric: You actually brought up a comment that I hear from somebody I spend a lot of time with. He says, are you willing to take this onboard? To your point, Carolyn, what he's really asking is do you have the space? To your point Petko, where are you spending your time? From a resilience perspective, do you have time to take this onboard? Work comes secondary. We're personal here right now. Work is secondary to family, to survivability so I think it all comes together.
Carolyn: That's one of the reasons that I'm in cyber. Cyber is so interwoven into our lives that if it's not safe, then my kid's not safe. The people that I love are not safe and that's where I find a little bit of a lot of purpose.
Eric: I was in the army in the infantry and your job is to be on the front lines and fighting for the country. One of the things that the US military does really well is, it really tries to take care of your family on the homefront. You can be solely focused on doing what you need to do, which is fighting the battle. You're not worried about your husband or your wife or your kids. Are they going to eat and will someone take care of them?
Dealing With a Global Pandemic
Eric: You see that a lot. With cyber though, it makes it very personal as you articulated Petko. Your wife is taking time off to be with the kids. Right now we've got challenges on the homefront.
Eric: Now they're not cyber. We're dealing with a global pandemic. Cyber attack, cyber resiliency means we have to take care of ourselves on the homefront too. It becomes a lot more personal, it comes and touches us in our homes, in our communities.
Carolyn: Thanks so much for getting a little personal. I really appreciate it.
Eric: That's the yoga instructor and you coming out, but that's okay, it's good.
Carolyn: I know which speaking of I'm going to go teach yoga now. So we'll end here.
To The Point Cybersecurity was recently named one of the 30 top Federal IT influencers 2019 & 2020 because of fantastic guests. We are always looking for great thought leaders to interview. Please email me with guests you would like to have on the podcast email@example.com
About Our Guest
Petko Stoyanov, is the Forcepoint Commercial Products CTO, and an experienced Cyber Security Leader. He specializes in establishing Information Security Programs and driving security maturity in technology. His experience specialized in aerospace, technology, and cloud.
He’s had prior experience as an Information Security Manager and Security Architect. He is leading and designing secure tamper-resistant security systems and advanced multi-level security systems. His specialties are Anti-Tamper, Cross Domain Solutions(CDS), Enterprise Security Engineering and Encryption
Particular interest in emerging disruptive trends such as Machine Learning, Threat Intelligence, Streamlining Incident Response, Cloud Incident Response, and Enterprise Encryption and Key Management.