New Innovations in Cybersecurity with Forcepoint's CTO Nico Fischbach - Ep. 13
This week, Forcepoint’s Global Chief Technology Officer joins Eric and Arika to talk about the range of new innovations he is seeing in cybersecurity and give his honest advice on how government can upgrade its cybersecurity systems by first upgrading its cybersecurity mindset.
Conversation About Innovations in Cybersecurity
Arika: So, this week we have an interesting guest. We have Nico who is the owner of X Labs, which is the innovation component of Forcepoint and he's also Forcepoint's global CTO, and coming to us from New Zealand, correct? Am I right about that, Nico?
Nico: Oh, yeah. Roughly, yeah. New Zealand and Switzerland, it's very close. It's a neighboring country. I'm actually based in Zurich in Switzerland.
Arika: Oh, okay. Got you, got you. Sorry about that.
Eric: You're in Zurich today, Nico?
Nico: I am, I am.
Eric: I know you travel all the time.
Arika: Nico, we want to talk to you today about really innovation in cybersecurity, and especially since that's what you're focused on with X Labs, my first question to you is:
How do you decide which ideas have merit? Which ideas to bring to merit? And where are you seeing in innovation in terms of where you decide it's worth the investment?
Nico: Yeah, actually we have two groups inside Forcepoint and I think everybody mixes the two because both of them are called labs. We have Innovation Labs. Innovation Labs is where we do time box prototyping where you want a very fast, very cheap and various business investments. That's why I want to talk about.
The other piece here you mention is X Labs. X Labs, that's the home of security research, data science, machine learning, everything that drives security efficacy in our products. So actually we've got two labs, with two different roles. Even though they work with each other, I think today we've got to touch on both.
Where to Invest Strategically
What we look at is where does it make sense to invest strategically speaking. A lot of people come of with an assortment of ideas, so we got the X Lab Teams voting for the ideas, and then we do prototyping for usually two to three months. Then depending on the outcome of the prototypes, which can be a technology prototype, a business prototype, some evaluations, some proof of concepts, we decide to either put it on the shelf, put it in the bin, or actually pass it to the product team for implementation. So that's what this group does.
Eric: Where do the ideas come from?
Nico: They come from customers, partners, employees, or different sources. So I think this year, 2018, we had something close to like 500 ideas generated - and that's a lot, and usually you can say like one in ten, or so, makes it to a prototype, and then again for each prototype one out of ten usually makes it into a product. So you look at a very big pipeline that gets down selected to like a 10th of the pipeline, and then usually the outcome is one product or one major feature.
Innovations for Advancing Cybersecurity
Eric: And being a large company, does that change the way you perceive the benefit from the ideas? Or which ideas you pursue?
Nico: We have to be at the same time very selective, because you can get easily distracted because of the number of products we have. What we want to make sure is that whatever we decide to investigate, look into, is something that helps us advance the key areas for us. In our case, innovations in cybersecurity that are human centric, and how can we advance the research on human behavior and intent. How can we advance data research on all IT environments. We try to keep it close, adjacent to the core strategies and initiatives we have at Forcepoint.
Arika: And so, Nico, can you share with us anything that in terms of innovations in cybersecurity that you've seen. I actually binge-watched Black Mirror this weekend on Netflix which I don't know if either one of you have seen that, but when I'm watching, and I'm always like "wow, this is what the future is going to look like as far as things like AI." So just wondering:
Are there any really interesting things that you're seeing, specifically in cybersecurity in terms of what that looks like in the future.
Will we have a chip in our head that would then send something to some IT person so that they can see what we're thinking as if they were going to try to do a hack before we do the hack or something like that?
Not the Creepy Factor
Nico: Well I don't think anyone wants a chip in your body to do that, thinking of Black Mirror. Hopefully Black Mirror is only going to be the next 1984 but if you look at what we're doing at Forcepoint in terms of researching human behavior and deriving behaviors sentiments to see what people might want to do with company data, it's kind of close but it's not the creepy side of Black Mirror. You look at what's happening and the source is currently China, and what's happened with some of the big scandals lately like Facebook and Cambridge. We don't go there, you need to make sure the creepy factor doesn't enter the companies sphere or the employee privacy of the employees.
Eric: And how do you do that while guaranteeing ease of use and capabilities and all the benefits.
Nico: Yeah! I mean there's many techniques that relate to the privacy domain so it is easy to secure the data and make sure the privacy is maintained and who has access the data to make sure the records are protected and if something happens only the right people can unlock it; or, if someone does it, you can actually track it. So, there's been a lot of changes in terms of technology and progress that space, but it is key. I think privacy is very central to any cybersecurity technology right now.
Government and Private Industry
Eric: So we're a government podcast or we focus a lot on the government, who do you trust more, the government or private industry with that type of information?
Nico: This question comes up quite often and I don't think there's an answer. It really depends on your government. I don't think there's one government for sure. You look at some companies they take a privacy trust stance. For example, take a look at what Apple is doing and in terms of privacy first. I don't think there's one answer. People will get breached. Some people will abuse the data you give them and trust them. I don't think there's a real answer to that one. This is a recurring question for the last 10 years.
Arika: And where do you see the industry going? I mean what do you think? What's next?
Nico: Well I think there's a lot of things, that's a very big question. It's not an easy one. I think the biggest problem is that cybersecurity is, was, and will continue to be very symmetric. So where to invest in innovations in cybersecurity and how you make sure that this is an ongoing game, because it's actually sort of a game you're never going to lose it. Right? So it's tough.
Cybersecurity: Is it about Winning or Losing
Eric: Wait a minute, you're never going to lose, or you're never going to win?
Nico: I mean, actually not losing is actually winning. You're buying time, that's the thing. It's one of those games where every move could actually make you, or the lack of making a move could make you lose, right? So I don't think it's a game that you could ever win.
Eric: So if you were in the customer's shoes, what's the one thing you would do differently that they do today to not lose as you put it?
Nico: I think the big change is you have to look at it from a risk management point of view. I use to work for a Telco for almost 18 years and a service provider environment is very flat. They are all here to provide connectivity and reduce security friction. So I think those are the decisions you have to make as a series driven by risk management and making sure your provide a frictionless space for your employees while maintaining security and that's a big, big change.
Shifting the Paradigm
Arika: We actually talked about that just last week. Eric and I were talking about an article that was written by Brian Crabs and he was talking about how the type of organization is shifting the paradigm in terms how cybersecurity was involved in the organization as opposed to it being off to the side and now being someone who's reporting straight up to the executive office or in government, up to the secretary and involved in everything from day one, cybersecurity not being in the silo that it was once was.
Nico: Exactly! I mean that's an exactly what companies do, move away from the silo approach but also move away from the water flow where security comes in last. Security needs to be a part of any project, from the get-go and I think you can recede a companies or government sectors, teams, offices that has changed that approach and it was a win-win. They were actually a part of it, they were a part of the decision making and they delivered a better outcome for the customer.
Time to Upgrade
Arika: And so, couple other questions for you Nico:
If you could tell your customers one thing just in terms of their approach or how they're moving forward, especially those that are government focused about cybersecurity innovation, you can say it without any repercussions, what would that be?Eric: It's like you have one wish Nico
Nico: I think one wish would actually be teleportation but that's a different question, I think. I think one thing we should tell any customer, either in the government or in the commercial sector is "it's about eff'n time you upgrade." Upgrade not just to the latest release but really upgrade to a new approach where security as we just mentioned is about new business partnership. It's about business enablement, it's about measuring time to value. So I mean, the government quite often then is tough. It's very old time, old releases and so on; looking at sorting at on point problems. How do you leap frog from that?
The leap frog upgrade process
So it's not just time to upgrade, it's actually time to leap frog to something more recent, more agile. It's time to upgrade and that's just from patch management point of view.
Eric: It's interesting in the States, FedRAMP, CDM, the Modern Immunization Act, a lot of them can be interpellated as the government giving them the money, the funding to upgrade away from the legacy equipment, the legacy hardware and software solutions they've been using. So it's interesting to hear that that would be your one wish behind teleportation.
Nico: Yeah, I think it's important and you have you as an example but having traveled the world quite a lot this year, I think it's actually true in the larger countries where the government wants to push for this type of organization.
Eric: You're saying the governments of the world do want to?
Nico: Most of them! The ones that are economically viable, that want to push the boundaries, yes! They realize that they need to also be an enabler there and head up with the transition from this maybe legacy old way of thinking to this new one. You see that quite a lot across the board, western Europe, Asia-Pac, it's pretty common nowadays.
Eric: And are governments behind or ahead of commercial industry?
Nico: I think in general, behind. Some of them are tracking closely. Some of them have 20/20 study plans to ramp up and catch up but thinking general, adoption, with maybe a few exceptions like a few very specific areas. In general, they're behind. They're catching up, they're like I see your name FedRAMP, I think Goldmans is using quite often regulations and compliance to drive adoption. Right? It's not the biggest problem, it's actually the regulation that drives the decision making more.
Arika: I know I've been to quite a few cyber security conferences, government cyber security conferences the past few months and I think most of the CSOs and the CIOs at the agencies would definitely agree with you, it's time to upgrade. It's usually a resource issue funding and just having all the right tools to move forward, but I think everyone said it's just the practically of doing it sometimes, it's the challenge.
Eric: Arika, I love the fact that Nico leads with upgrade, but upgrade your thinking.
Arika: Yes! Yes!
Eric: That doesn't cost you a whole lot.
Arika: That's true! That's free!
Building a decision making network
Nico: It's free but it takes the most energy, right, switching to influencing, convincing people, building your decision making network. I mean it's a very different approach, also internally. You need to make that part of the business processes. It's pretty significant, it takes less resources from a technical point of view but it takes many more fewer resources such as partnering with the DPO, CIO and CFO and HR and so on to make it happen.
Eric: A lot of times, government can also tend to be risk adverse and their policies, their procedures, their laws, their legacy, not just equipment, software/hardware but there's a legacy mindset that really does make that upgrade - your thinking being difficult. Even when doing it, how do you get your whole team of teams to think that way?
Nico: Yes, I think you seen it also in some industries in the commercial space, where they very much dream this way. Then something happens. A big, big cooperation acquires a very small, biotech company in Silicon Valley which was cloud only and sometimes it just needs a seed, and then it grows from there. Quite often, some, not to make labels, but some companies in Germany and in France try some of this different thinking. They started this journey 5-10 years ago, and they are seeing the things that happen now, but it takes a long time.
New Partnerships and Collaborations
Eric: Government is an acquiring nimble, quick thinking start-ups though. It really isn't a part of the way they work. Where do they get that innovation from?
Is it now coming from commercial industry, is it coming from other governments, is it just coming out of need and necessity, what do you think?
Nico: I think it's probably the first two you mentioned. I think there's a lot of collaboration in between the various governments. Also their hiring young talent; and those kids coming out of school, some of them they want to work with the government and some governments make it attractive. I'll tell you the example in France NSI because I know them pretty well. They've hired top talents, they actually poach talent away from the commercial side and put it into governments and that's where there's drive inside the government, by taking people from the commercial sector and young grads out of school that have different mindsets to make that happen, but it takes time.
The Israel example
Eric: I believe Israel is a similar example, you have military service. It's really built the cyberindustry in Israel but I think they still give back to the government.
Nico: Exactly, in some countries it's actually opposite. I agree they give back. There's a lot of talent in terms of security start ups in Tel Aviv and Israel.
Arika: And I'm going to plug our next episode because I do see small shifts in the US government outreach to start-ups, having industry days specifically targeted at start-ups to bring the innovation in. On our next podcast we actually have the winners from a recent department of energy cyber competition where they bring in college teams, give them a cybersecurity scenario and allow them to work through it and they award a winner, a national winner. So we actually have the winner, the team caption of the team from University of Central Florida on our next podcast. I think efforts like that trying to get that younger talent interested, involved in cybersecurity, bring them in early and then hopefully they want to be a part of this new shifted mindset that we will need in order to advance from a technology and innovation stand point.
Nico: Sounds great!
Enjoying the Sushi Knife
Arika: So one last question. I heard Nico that you were an amazing cook, so I'm wondering, how do you compare cooking to cybersecurity? What is it that you like about them both, but again how do they compare against each other for you?
Nico: So first of all, I actually know who leaked that to you, it's Aldri, whose going to pay for it, but no it's true. I love to cook, I'm a foodie and quite often my friends tell me "you should actually quit the industry and open a restaurant." I worked crazy when I was at Forcepoint. I think we all do because we actually enjoy it very much but I think the life of being a chef in a restaurant is even crazier.
So I think what actually cooking gives me is balance. You're actually able to kind of shut down, focus on something else because if you have your Japanese sushi knife, you actually better concentrate on what you're doing. So to me, cooking, I enjoy it a lot. It's actually was my way to balance between if you have to walk the crazy work side and the crazy travel, was being home and actually cooking something enjoyable for my family and friends to enjoy.
Eric: Very interesting!
Nico: Now you are interested, you want an invite!
Arika: That was my next thing. If we're ever in your part of the world, then would love to experience one of your meals so ...
Nico: I'll put you on the list
Eric: You heard it here!
Wrapping up this Episode
Arika: Thank you so much, Nico this was a very interesting conversation in terms of the advancements, what's next in terms of innovations in cybersecurity. Thank you for joining us this week, we appreciate it.
Nico: My pleasure and I got so much more to say, so I'm pretty sure Eric and you will invite me again.
Arika: We're happy to have you! And to all of our listeners out there, thank you again for joining us this week. Please be sure to subscribe to the podcast to send us a review and a comment. We'd love to hear from those of you who are out their listening. So until next week, thank you.