Embracing the Security Mission with John Zangardi
This week John Zangardi, President and CEO of Redhorse Corporation joins us on the podcast to talk about his remarkable career starting with his time in the Navy as a Naval Flight Officer, his many years on the frontlines of security mission - including his favorite professional role in government as Department of Homeland Security CIO – and shares perspective on bridging the security talent gap in government as well as the many talents veterans bring to the security industry.
Embracing the Security Mission with John Zangardi
[00:51] At the Frontlines of the Security Mission
Rachael: I am excited to welcome today a fabulous guest. We have joining us, John Zangardi, he's president and CEO of Red Horse Corporation. I want to say you've been on the podcast before.
You have such a wonderful career and background.
I would love for our listeners to get a refresher on how long you've been on the front lines of security, in the trenches, and really had a front-row seat to what's going on in government and defense and elsewhere.
John: It's really the personification of the Peter principle. You stumble up enough if you survive. I've been around for a long time and if you look at a career it takes a lot of different tracks. Way back when I majored in accounting in college, whoever thought I'd be flying P3s and chasing Soviet subs around the Pacific.
How would I ever have predicted that I would've gone from working the naval aviation budget when I was on active duty to being an SCS working the IT budget.
That transition wasn't really based upon any IT experience. Clearly, you have a technical skill and maybe later we could talk about veterans getting into cybersecurity. But it was really based upon my budgetary expertise and I became in charge of the IT and meteorological and oceanographic and space and all those kinds of budgets for the Navy.
Then rolled up to be the head of acquisition for those areas. I did time as the Navy CIO, then fleeted up to be the principal deputy DoD CIO and acting CIO before converting over to DHS to be their CIO is political.
Journey to the Frontlines
John: Things happen if you work hard and you persevere, things come your way. People give you a break and then it's up to you to go in there and make the difference and make them feel good about why they picked you. So I think a lot of it was just being in the right place at the right time and being open to new challenges. I mean I'll be honest with you, do you really think I knew anything about IT coming from naval aviation?
Maybe a little but not a lot. And that's part of what I think separates weed from chaff is that willingness and discipline to learn.
Rachael: 100% yes. Of all the rules you've had, was there one that just got you the most excited? Or when you look back, that was the one that marked a really great milestone in your career. They all sound like milestone opportunities though. How could you choose one?
John: Yes, they were all fun and I enjoyed them all and I would tell you and you won't like this answer, maybe my favorite was being a lieutenant in a squadron and part of an order. But to really answer your question, I think the most interesting, most compelling was DHS CIO. And let me explain why.
DoD is this huge organization. Navy is a huge organization in and of itself. The roles when you become that senior, you really don't have your hands on the levers. Trying to make progress really requires moving a lot of senior people and their staff to a new area. And that takes a lot of effort and it's different than when I got to DHS CIO.
It's smaller, it's not the same size network, but they're organized differently.
The Tip of the Spear
John: I came to appreciate as the CIO, you have people, cyber, operations, policy, money, you're doing it all. The only thing you don't have is contracting. But still you have your hands on the lever and you can make things happen much more quickly than you can in DoD or the Navy or any of the services.
Not that I'm trying to discourage people from taking those roles because those roles are essential. It just requires more effort to move the ball down the field.
It's harder. When I was the Navy CIO or even running Navy acquisition in IT, the number of three-star staff you have to coordinate with to do anything.
It takes a lot of effort and that's just part of the game. But that's what made DHS CIO rewarding. You make an action and in a short period of time you go, "Huh, wow, I could see the results. That's cool." It's very unusual coming from DoD to have that kind of response and feeling.
Petko: You like being the tip of the spear.
John: I love doing security mission stuff. For people who leave government and I talk to a lot of my friends, the one thing we truly miss is mission and right tip of the spear. The one thing we truly don't miss is the number of meetings and bureaucracy. I guess that's two things.
When I look at my schedule being out here in the commercial, they have time to think. Being in the government world, it's just like you start meetings at 7:00 and you finish up meetings around 5:00. That's a long day. I applaud and really thank everyone who is in government pulling those shifts for what they do. I know rowing that boat ain't easy.
[06:26] The Zero Trust Security Mission
Petko: DoD just released something really interesting. They released their zero trust strategy for DoD. I'd love to get your perspective. I mean, you were like you said, tip of the spear doing everywhere from cyber technology to cloud computing identity and telecom. I'd love to get your perspective on the DoD's recent strategy for zero trust.
John: So first off, I think it's important to note that the threat environment from when I was in say DoD or Navy has really changed. I mean, we went through COVID and COVID brought with us a proliferation of endpoints and people working from wherever.
Probably places we don't want them to work for. We have the Russian invasion of Ukraine, which is a complexity and China and how they view Taiwan. All that's going on in the world with these threats.
I really think it's a more complicated and dangerous world from when I was there in terms of cybersecurity and all of that stuff. Really to me, it points to the need, the necessity to move to zero trust. I applaud the Biden administration and their EO on Zero Trust putting it out there, the work that CISO is doing and also the work that DoD CIO is doing.
Randy Resnick, John Sherman have gone out of their way to take this boulder called zero trust and roll it up figurative hill to get a strategy out on the street. For those of you who've never been in government, you can imagine all the people that had to coordinate with inside of government.
I know they did outreach to industry, the cloud service providers or CSPs for example that's a lot, man. That's a lot to carry up a hill. It isn't a light lift.
Realizing the Asset
John: The world is heading towards a zero trust kind of view. The fact that they're doing, is really getting on board with where the administration's going and where the industry is probably going at a rapid pace.
The NSTAC, National Security Telecommunications Advisory Committee, put out a report in February 22. The strategic emphasis that is put on the move to zero trust aligns with that. And the recognition of industry best practices, they picked up on that. They recognize that what they have to put in place has to be enduring. That the risk is that, it'll be incomplete because it is a 2027 effort. But getting something enduring is important.
They talk about culture and institutionalizing it. One thing I did with the Navy budget is, convey to people who look at IT who are warfighters, who are used to planes and ships and missiles, that there's something here you need to look at differently. That it's not a completely fungible asset.
In the Navy there’s a slash plan for the ship building plan that covers the fitter. Another for procuring aircraft, missiles, weapons, and all that stuff. I created a slash plan four, two, and six information dominance. It's just small things like saying, "In this fiscal year we plan on procuring X number of cane systems, consolidate afloat network enterprise systems for ships."
Give people a sense that if you reduce the budget, you're going to lose some of these things. That means there will be less modernized information technology in place out there.
That’s something difficult to convey to people. IT is hard to put your arms around if you haven't dealt with it your whole career. It's much easier to go, I know what a plane looks like. And I can understand what it does and if you take that plane away I can do less of whatever it is.
An Actual Security Mission Implication
Petko: I want to step back on the zero trust piece. I'd love to get your perspective how the DoD zero trust is the same or different from your perspective on what you view as zero trust.
John: Interesting question. The challenge that DoD has is there's 4.5 million users on their network. The other challenge they have is legacy weapon systems. When I was a DHS, I didn't have to really deal with legacy weapon systems. How you implement that to ensure that things like JADC2 joint all domain command and control can be done is a big difference from what anyone in the industry has to do.
The magnitude, the scale.
Let me try to break this down. I'm trying to convey a sense of complexity, that most people in industry would never have to face. In a network that big, run by so many different organizations with weapon systems that have to interconnect and a focus on mission.
As you move forward, I'm putting in place a zero trust. How do you make sure that as you put in an identity-based perimeter in place, you ensure that workflows are not compromised or locked out where people can't get into things?
That might have an actual mission implication or an implication in terms of how you move things forward with different programs and stuff in the building. So that will create confusion, that could also engender negative feelings about zero trust if it's not done right in a very complex environment.
From a technical point of view, I think it's important to make sure they get that right, so productivity can continue.
Also, because this is a big difference from when I was in government, we were moving to the cloud and we were moving smartly.
The Complexities of the Security Mission
John: I was one of the signatures on FedRAMP. I really understand that piece. But the amount of data and information that is moved out to commercial cloud service providers is more than when I was in government. And I know DoD CISO is going to work very closely with the CSPs and industry. But that's a major dependency that we have to get right.
That's a huge complexity given the scale of what they have to deal with. Make sure there's connections secure and that the data and information that's in that CSP is managed properly. But more importantly they have to make sure they get to something that I consider or maybe you would consider cloud agnostic.
So you just don't want to have something that's so proprietary that it ties their hands in the future.
The other complexity here is, we've got this thing called the defense industrial base. How do we bring them along? Not the easiest thing. I think if you were to look at a lot of Chinese military hardware, you might go, “Wow, that looks just like pick your US high-tech war-fighting machine.” And bingo, you got it.
But there's also our NATO and coalition partners.
Having served as a representative to NATO on their C3 Board, the US is well funded compared to a lot of our NATO partners. But we have to work with our NATO partners in a time of conflict. And how do we ensure that we're not rushing ahead of those countries, but we're bringing those countries along? And again, another major complexity.
[14:12] Understanding Zero Trust
John: DoD also has something called legacy systems. I'm sure industry and others have legacy systems, but there's a scale out there. Some of those are embedded in weapon systems. How do you deal with that in the future? To read the strategy, there’s a waiver process in place in the strategy. It's essential, we got to have a waiver process to allow things to move forward. But two or three years from now, if the culture on zero trust is not embedded, how will the decision on fixing or upgrading or modernizing a legacy system be balanced against not?
That's really going to be a key thing two, three years from now where, hey, this is going to be measured against. But the culture piece is really important. We talked a little bit in an earlier answer about how warfighters are more accustomed or more comfortable in understanding the purchase of major weapons system, plane, ships, and all that. How will they understand zero trust?
And one thing I need to applaud DoD CIO is they've worked with DAU, the Acquisition University to start building, I guess I'll call it 101. Because I haven't seen the course material. But information on zero trust and why it's important is part of the training of future acquisition professions. If you're a PM, you make trade-offs all the time about cost, schedule, performance. And not really understanding zero trust, not having a firm grasp on it might lead a program manager to make a decision that is an optimal.
So to me, those are some of the major questions that I think have to be answered as they move forward.
And Petko to your point, I think that's how it differs from anything in industry.
The Future of Zero Trust
Petko: You've been part of government for a while and I've been part of it. I remember before cyber, it used to be called IT security and other things and eventually everything just became cyber. Is everything just going to be rebudgeted as just zero trust or is this going to be real zero trust?
John: That's a great question and the fact is I don't think everything will be rebranded as zero trust. But there will be people who exhibit opportunistic behavior and rebrand whatever it is they're doing as zero trust to protect it. And that comes back to that knowledge base. I think that has to be built where people can recognize when they query a program or effort or something, "
Hey, is that really zero trust or is that just something that might be information assurance based?"
Whatever that you're rebranding is zero trust. That's a danger and a risk that people will always do. I've seen the behavior, rebranding is a way to protect my money so I can keep moving this thing forward, whatever it is. So yes, I guess like you, to say, I've never done that. My career would be a lie.
But the fact is enterprise behavior and that's really what we're talking about here is getting everyone aligned to where the enterprise is going. So I think DoD CIO has set the goals within all that with their strategic vision. But getting that into people's minds and hearts is important. And let me give you an example from back when I was in the Navy working acquisition. DoD CIO wanted to move the Navy to DEE, DISA Enterprise Email. Well, we were under the NMCI contract, and I know I've seen the NMCI (Navy Marine Court Internet) sucks, bumper stickers.
John: The rates for our email system were substantially less than the rates for DISA Enterprise Email. And the argument came down to, okay, so if we pay these X millions of dollars more, what do we get for it? Well, there were mitigations that would allow us to still exercise our gal. Everything just like DoD wanted us to do.
There was some loss capability, but at the end of the day, you could very easily make the case that I cannot buy one trainer jet. And that argument was really simple and compelling.
It gets back to the numbers’ case. Hey, you could do about 85%, 90% of the mission that they're demanding. And well, to get to 100% it's going to cost you a trader debt. Is that worth it? Now that's a decision that executives can make and should make, but that gives you a sense of the complexity of these things.
By the way, we didn't go to DISA Enterprise Email, we bought the plane.
These are challenging decisions and that's why I'm always very careful when we talk about these things. I recognize that there are great people working in government who are faced with some really challenging scenarios, whether it's complying with law, competing priorities on how to support a different mission. These are hard decisions and I think they make them as best they can.
And I hope that when I was there I made them as well as I could too.
[20:11] Culture Change
Petko: Having read the Zero Trust strategy and even talked to Gartner and other analysts, there's definitely a lot of elements of technology that need to be connected in a different way. If you have a government individual that’s forward seeing and can say, “The things I have today do make sense.” We just have to add 10% change.
It's not that zero trust requires a massive change to infrastructure. It’s just a culture change of how we connect everything.
John: I agree. I forget if it was 2016 or '17, I started talking about Zero Trust. That's when I started looking into it and learning it. I moved to DHS and after getting my feet on the ground, I had my CTO set up. “Let's do some pilots. Let's figure out what this can do for us.” And you're right, the first thing we tackled was ensuring that our budget process, the spreadsheets that CFO have worked on, we knew we wanted to implement zero trust around.
This is to protect your predecisional budgets, which everyone would love to get their hands on, I'm sure in industry. But I would, too.
Taking time to do that, the recognition was, I don't have to buy anything new. We really didn't have to. All we had to do was work on those workflows, understand those. Then implement the right things for folks to have access, who needed access, and folks who didn't need access to not have access.
There's complexity there and it took some time. Each one of these is not going to be fast. The timeline in the strategy of 2027 seems like a very long time, it is. But across a 4.5 million person network with all the pieces and parts, I can't imagine them going much faster.
Forces Working Together Towards Similar Security Mission
Petko: I'm curious. You were in DHS and DoD. Zero Trust for Duty is when they got released. How do you see DHS leveraging it or creating their own in terms of zero trust or they're already doing zero trust just a little bit differently?
John: Yes, they're doing some elements there. What's interesting, I found that DHS is that there's a great connection between DoD and DHS. In fact, I don't know if you know this, but the CISO at DHS, Ken Bible used to be in the Marine Corps as their deputy C4. That connection's tight and I think it will be maintained.
In fact, a lot of people have migrated back and forth over the years. The acting under Secretary for Management is a retired two-star marine. So those are the connections. By the way, in fact when I was there, Chip Fulghum was the CFO in USM. He was an Air Force officer.
Claire Grady was the USM. She came out of DPAP. I'm forgetting Elaine Duke was there as a deputy secretary. So those connections I think are there and they're well placed. And if you look around DHS, you see all of that throughout the organization.
Folks from DHS have moved over to DoD without getting into all the names, but I think there is a good cross pollination. And to take it to another level, when you look at FedRAMP and the JAB. It's called the Joint Authorization Board.
I signed off on a lot of FedRAMP approvals while I was there. But there are three signatures required. GSA CIO, DoD CIO, and the DHS CIO. And that forces you to work together on FedRAMP authorizations, which starts aligning naturally security and how you look at different things.
The Fundamentals of Zero Trust in the Security Mission
Petko: I'm glad to hear there's alignment potential. DoD zero trust capabilities could be overlapped and shown by DHS. We'll see cross-pollination back and forth. Do we need to do any additional education on the workforce to make this real across government?
John: I think you do, I hinted at that. It's great that DAU's picking that up. I think it needs to go a bit deeper into the organizations. If you’re customs and border protection law enforcement officer working on the border, you might go, “Why?” I think it's important they understand that there are some things that will change how they do business, what they have access to and all that.
There's an education piece that has to percolate down further. You could take that example and apply it to a Navy sailor, an Air Force airmen or whatever. I don't think they have to have a full and complete understanding of zero trust.
They should understand why it's there, what it does, and why there are some limitations placed on you.
The fundamental of zero trust is, “I don't trust you.” How does that sound for an organization that war fighters?
They're a team, they collaborate, but I still don't trust you with IT. There’s a little cognitive dissonance there that might strike some people as odd, but I think it's very explainable.
I think as people are exposed to it and given the right approach, they go, “Oh yeah, I understand this. I'm not going to push back.” It makes sense. They bump into walls where they can't get the data they need, they have to have a very clear understanding of, "Hey, how do I get access to that data if I really think I need it?" Those pathways have to be created too.
An Equation for Trust
Petko: When you think about trust, we make it a people connection. When we first meet someone, we take time to vet them. In IT, trust is weakness. Having trust on the bios, hardware, you automatically assume it's going to work. If there's something you trust, automatically that becomes a weakness that someone can exploit.
I think zero trust is about making assumptions, not to trust and we have to verify afterwards. It's about reducing weaknesses in government and in IT systems.
John: I agree. I'm creating a case here where it could sound like that. Let me trend and regress all the way back to my dissertation. I spent time working with a concept called spontaneous ordering. It requires understanding of things like prisoners and dilemmas. If you’re to create an equation for trust, it comes down to the probability of defection.
If I believe that you're going to defect and when, I know not to trust you. But trust is really based upon, I don't think you'll ever defect.
That's all you're establishing with zero trust. I've verified your identity. I've given you the things you have access to and the probability of that being a wrong choice is very low. Trust is established. I'm making a stretch there. You can shoot a couple of bullets and put that puppy down.
Petko: I'm a math geek, I love the dilemma and I'd have to think about that. I don't have a strong opinion either way. I was just thinking from the standpoint of IT systems and everything. We're all dependent on each other in this global economy. I think it's about understanding where our IT systems are, what they're using, and controlling who has access to it, when, and where.
John: Eventually zero trust comes down to people.
[28:15] Security Mission Obstacles: Shortage of Cyber Professionals
Petko: There's currently 3.4 million in terms of shortage in cyber alone. I don't know if that's in the US or global, but I imagine just in government you've got shortages there. What should we be doing regarding that shortage? As you've been in government and industry, is there something industry and government should be doing regarding the IT shortage or cyber professionals?
John: Yes I think there's some things they should be doing. Let's start on the one end where people leave government to go to industry. So you ingest someone, that person may be qualified, minimally qualified or not qualified, and you get them a security clearance.
You maybe get them a couple of certifications. You train a person, you give them years of experience, that's really valuable. Maybe they get a promotion, but at the end of the day, they're underpaid compared to their industry counterparts.
I remember my last year in DHS, I lost three good people out of our CISO shop, the industry. I talked to each of them for what it's worth, they really didn't want to go. They came back to what I said earlier in the interview, that mission piece is so compelling and people love it. But it was the salary.
They go, "How do I go home to my spouse and say, there's a lot of money here. How do I turn it down?" We're not talking $1,000 or $2,000 here. We're talking significant amounts of money that can make a sizable difference in their life.
Maybe sending their kids to a private school, buying a car, paying off student loan debt, or a house. And we lost these people for that and they took significant raises.
Security Mission Obstacles: Compensation
John: I hope someday they will go back into government and take some of that industry experience and bring it in there. So that's one side of the equation. I think congress and government have to do something to raise compensation for people and skillsets that we think are fundamentally important to the security mission.
Cybersecurity of our nation. And that would create inequities across, hey, this HR person or this finance person is making so much less than this cyber thing.
That's an unusual mindset for government, but more on the ingest side. There's so many veterans out there that should be brought into cybersecurity. And I am not speaking for myself here because my wife would say I am not trainable. And she has a couple of decades of experience there. But the average military veteran is they have a strong desire to learn.
They have a great work ethic, they have discipline, they understand how to solve problems, they have a mission focus. They really have that desire to serve.
I mean, I think they handle stress well in general. So when you look at those factors, they become really compelling. And they may even have a security clearance. Oh, maybe they even have some technical skills that I can leverage that they can bridge into it.
So those factors really make it important. So having the training programs and stuff to bring them in is important.
Security Mission Obstacles: Making the Transition
John: I think there's another piece to it. It's very easy for a person who say maybe majored in history or psychology to go to even get them to look at cybersecurity for them to understand that they could make that transition. My CISO, I said my second CISO at DHS is college major with psychology. He was great.
That wasn't a detriment to it. He had the traits I was talking about, work ethic, desire to learn. And he had the ability to solve problems that were complicated. He understood the threat and he could analyze it. So he was focused on the mission.
So having a non-technical college degree should not be a barrier. Not having a strong math background should not necessarily be a barrier to getting into a cybersecurity position. If you really get down to it, the math hurdle, in my view is low for a lot of the positions.
It might require looking at graphs or some data analysis. But the soft skills that people get in the military in terms of policy development, security awareness, governance, all of those things really play to this thing. So I think some of it is getting out the message that, hey, any of you guys could do it or gals.
Then giving them the path that helps them there is great. Look, like I said at the beginning of this, my wife would tell you I'm not trainable, but clearly I am at some minimal level to get into it. So even anyone could do this if they have the right background and want desire to succeed in it.
[33:08] Be the Problem Solver
Petko: I will tell you, having got an engineering degree, the one thing I learned is how to solve problems. And that doesn't always have to be, you don't need a math degree. You don't need an engineering degree to do it if you're a person who likes to solve problems.
ohn: Let me put a little different spin on that. So when I was in Navy acquisition, I was on a lot of boards to select program managers and deputy program managers and all those sorts of people. And what I saw over the course of time was that some of the better PMs and DPMs did not have an engineering degree.
Petko: You know what? They're better at the money. We just count the widgets. We overanalyze. I think that's the dilemma you have sometimes being in engineering is you overanalyze. Paralysis by analysis right now.
I think what you're pointing out, John, is we need a diverse workforce in cyber. If we hire just people who know how to use a hammer, they're going to go in there assuming everything needs to be hammered. And sometimes the solution is we need a soft touch. We need someone that looks at solving the problem differently.
Again, if we have a shortage of that many people, we do need to be looking outside. We need to be looking at training them. We need to look at different ways of testing that's not technical.
Learn and Adapt to Change
John: Let me try to make a little different point on that. So I did a 25 year in the military flying P3s, and when I started flying P3s, the threat was the Soviets. And we had to learn how to track Soviet subs, learning oceanographics, acoustics. We had to get a different technical skill under our belt. How does sound transmit through water? Okay.
As I went through my career, the mission of the P3 changed and it started focusing more on intelligence and surveillance and reconnaissance. I learned that too. We put in ISAR, inverse synthetic aperture radars. We upgraded our electro optics, different skillset, different technical stuff, but people can learn.
Petko: Yes. Definitely, I think that people can learn is an important thing. We've got to stop saying there's a shortage and just saying people can learn. Move them into those roles and give them opportunities in order to help implement the DoD zero trust capabilities roadmap by 2027.
Well, I'm thinking about when you're acting CIO, it was 2017. We had a lot of change in government. I mean, I feel like we're just beginning and there's going to even more change. And the only thing constant in government, the only thing constant in industry, the only thing constant in cyber is change.
Petko: We've talked a lot about the beauty of Zero Trust and people. I'd love to get your take on, what are you reading now? What book?
John: Well, I askew anything that has to deal with management training, I won't read anything. They say the same thing over and over and over. And I think you actually get better leadership training thoughts from things that have nothing to do with it. I don't read fiction. I'm a non-fiction guy.
I'm finishing up a book called Cobble Stones. It's about Italian immigrants and going back to the old country. So it's a generational thing and it applies to all immigrant stories, even my family, because we are Italian. But in this particular book, it's about the story of this man and his wife who live in a small leave town called Cansano in the Abruzzo region of Italy.
How they came to America and how they didn't speak English or even have beyond a fifth-grade education and how he turned into a multimillionaire. But during his journey, his son was writing the book, his son was getting all this wisdom from his dad growing up.
And I recall all of those things from my dad. But it wasn't until he got to his 50s that he truly understand the wisdom of his dad. And it really boils down to really simple things that I capture from the book.
Hey, you could do anything. If you put your mind to it, you can succeed.
Don't be afraid of taking that risk and doing it.
John: I'm also reading a book from Eric Metaxas, he's one of my favorite authors. I finished it up about a week ago, Letters to American Churches. And before that I finished up Confidence Man, which was really a well-researched detailed book. So those are the three most recent books that I'm reading. All good reads, really good reads.
Petko: Any movies you should check out, John, while we're getting book reviews?
John: An easy one, you got to go see Devotion Man. It's got all the right elements, Naval Aviators, action, and heart. How can you beat that?
Rachael: Well, this has been wonderful, John. I really appreciate your time and sharing all these wonderful insights. And from your time, I mean literally in the belly of the beast, and it's such an interesting dynamic path ahead for us. I'm always curious as we kind of look to close our time today, but do you have optimism for the cyber path ahead?
Are we going to ever get ahead of this threat? Or you at least even get neck and neck with it? Or what do you see in the next, I don't know, 5, 10, 20 years?
John: Well, I've never been good at prognosticating that far into the future, but your question is, am I optimistic? Yes. I think we're seeing the right actions out of the Biden administration, out of DoD, out of CICO, out of the CIOs and what they're talking about. We're seeing the right actions ministry. There's a lot out there that I think people need to pull in to their mindset.
You Can’t Completely Eradicate Risk
John: I want to make one quick statement. I serve on a couple of boards. We established on one company's board a cybersecurity subcommittee and the willingness of that company to set up that cybersecurity subcommittee. Which I think is the right place to put it under audited risk because it's all about risk.
Really starts going to the fact that people are beginning to internalize this risk and how critical it is for their business to understand that risk and put in place the right things to mitigate that risk.
And what's interesting is I watched this evolution as leaders where I'm involved at least seem to understand that you can't completely eradicate risk. That risk will always be there. But what have you done to mitigate it? And do you understand the probability of it occurring and the consequence of it happening? What does it do?
And people are beginning to take that on in a way that's really important. When I was in DHS and DoD, we had to talk about a particular vulnerability or whatever. It was really about expressing it in mission terms. If you start talking IT jargon, you lose people immediately. But if you start talking about, well, if this system goes down the airport in LaGuardia is going to shut down and the TSA lines are going to go out the door.
You'll be on national media. So understanding risk in terms of that mission piece really gets people to understand it better. Thumb optimistic.
Rachael: I love it. Well, to all of our listeners, thanks again for joining us. Another great, great discussion with John Zangardi. Thank you so much, John, for coming back to talk to us again. This has been really a pleasure.
About Our Guest
John Zangardi joined Redhorse in June of 2020 taking on the day to day operations responsibilities as President. Prior to joining Redhorse, he most recently served as Senior Vice President of business initiatives and strategic partnerships with Leidos Civil Group.
Prior to joining Leidos, he enjoyed a distinguished career in government service spanning more than thirty years, concluding with his role as Chief Information Officer (CIO) for the Department of Homeland Security (DHS), a presidential appointment. At DHS his responsibilities encompassed information technology and associated management and security.
His work for DHS garnered recognition by Federal Computer Week for his work in transforming DHS into, “one of the federal government’s top IT performers.” John led multiple initiatives at DHS including implementation of advanced cybersecurity technology, cloud computing and data analytics, identity management and telecommunications.
He transitioned to DHS from the Department of Defense (DoD) where he served as Acting Chief Information Officer. A position he assumed from his role as Principal Deputy Chief Information Officer. He previously served as the Deputy Assistant Secretary of the Navy for Command, Control, Communications, Computers, Intelligence, Information Operations, and Space (DASN C4I, IO, and Space), and as the Acting Department of the Navy Chief Information Officer (DON CIO).
Listen and subscribe on your favorite platform