Former EPA CISO Sean Kelley joins the podcast this this week to discuss the challenges government security officials face in protecting its networks and whether government’s cyber strategy is heading in the right direction.

… and don’t forget to sign up for upcoming episode alerts!

How to Listen

Transcript: Introducing Sean Kelley

Arika: Hi, and welcome back to To the Point Cyber Security. I am one of your hosts, Arika Pierce, and of course joined by my co-host, Eric Trexler. Hi, Eric. How's it going?

Eric: It's going great. Good afternoon, Arika.

Arika: Good, good. Well, we have a really interesting guest this week, named Sean Kelley. Many of you have probably heard his name or listened to his podcast, which is on the Federal News Network and it's called Cyber Chat. So thanks Sean, so much, for joining us this week on our podcast.

Sean: Thank you so much for having me.

Deputy CIO at the VA, also a CISO at the EPA

Arika: Excellent, so Sean, one of the things that is very interesting about you, so beyond being a host now, you have a background in government. You were Deputy CIO at the VA, also a CISO at the EPA, did a lot of work there and I'm sure had a lot of great, interesting experiences. We just want to dive into that. We have a lot of listeners who work within government, who work for government. When you were in those positions, what sort of things kept you up at night? Let's start there.

Sean: Everything. I think it was pretty easy ... You know, I think that our CISOs and our security people in the government have a pretty hard job. The reason is, is they don't control their own destiny. I think that when you look at it, you have environments that are just kind of thrown together at the operational level and then we ask the security folks to secure it. That's not always easy to happen. When you try to bring automation into an environment, if the environment isn't standardized, configured properly and aligned, then you're just going to break things faster. So it's really hard. It's also a resource. Security isn't one of those things that you look at and say, "Hey, I'm going to spend this and I'm going to give you this."

When you're talking to the board or you're talking to the leadership, the political appointees, you're asking them to make an investment into something that's not going to gain them a lot of capital on the other side.

A cost or tax to the organization

Sean: Now, on the other side, if you get hit-

Eric: It's a cost.

Sean: Yep. What's that?

Eric: It's a cost to the organization more than anything.

Sean: It's a tax, yeah. It's a tax that takes away from one of their niches. And when we're in these political environments, you have four years of administration. Maybe eight, but they live four years at a time, because they're not guaranteed to get re-election. So you're asking them to dedicate millions of dollars towards technology, infrastructure, processes, people that aren't going to give them a win, so to speak, if you look at it that way. Us in security look at it, "No, no, no, we made you secure. We kept you from getting hit. We stopped all that." But that's not things that are sexy when you really look at them.

Spending time on the "why"

Eric: How do you bridge the gap?

Sean: You got to spend the time educating really quick and really upfront and you have to establish yourself as someone credible, but also someone who's a good steward. You're not just coming and you're not just asking to spend money, spend money, spend money. You have to spend the time educating them on what they're going to get and what could happen if you don't. But at the same time, you don't want to be the guy or girl that is pulling the fire alarm every five seconds and crying fire.

Eric: What I call spending time on the why. This is why we need to do this.

Sean: Absolutely.

Changing tides

Arika: Sean, do you think that the tide is changing any? For example, there's legislation right now, in Congress, it's been introduced before, that would elevate the role of the CISOs and the CIOs within each agency. Do you feel as though we're starting to, or departments in the government are starting to, realize that this can't be an afterthought. Security is important. It's part of the mission. We can't complete the mission unless we have security at the table and being a part of what we have to spend our resources and focus on?

Sean: I had Congressman Hurd on my show, who was a sponsor of that bill, and we talked about it. Here's the problem. You got people like Congressman Hurd that get it. The good thing about it is, cybersecurity is a bipartisan effort. It's not going to be a whole political fight in it. But I think it's in pockets. When an Equifax happens, yeah, we all think security's important. When Sony happens, we all think security's in happen. When OPN happened-

Eric: But we only think it for a few weeks or days.

Sean: Agree, agree, agree. Then we resort back to behavior that got us there in the first place. It takes really strong leadership to stay the focus.

What do government security officials have to do to be successful?

Eric: What does that leadership have to do? The cost is spread out across so many entities, so many people. What does leadership have to do to be successful? How do we get out of this loop we're in?

Sean: Well, I think we got to grow them. I think the first and foremost part is that we don't have the comprehensive leaders. I mean, leaders that can be political that can be great communicators that can be great educators, that can be great technologists, that can be great business people, don't grow on trees. Think about our generation. We didn't grow up with iPhones and ... Well, I'll even go back.

Reaching the next generation

We didn't grow up with Palm Pilots in our hands and iPhones and computers. A lot of us maybe had an Apple in our elementary school, some computers in our high school, but then we didn't ... Now, I mean, my son has a laptop at home. He's had a laptop pretty much since he could speak. He's had an iPhone since he was about seven. So that generation, what are we doing to get them, Eric, is really the key.

Eric: But does your son think, and I know we've spoken about this, but does he think about security literally?

Sean: No.

Eric: He just wants the latest plug-in for Fortnite.

Sean: Now, lookit. I have to make sure he doesn't have admin rights, or that computer'll be destroyed within a day. Because he'll download whatever.

Arika: Right.

Eric: So he's not quite ready to be a CISO?

Sean: He's not.

Eric: But he's got some of the background, is what you're saying.

Sean: I think this new generation will be a lot more equipped for it than we will. It's like anything, as you train, you become more with what you're trying to do.

Solving the short term problems

But that doesn't solve the short-term problem. The short-term problem is, is that we have to clean up our environments. We have to make sure that we can bring in the right technology. Because I think the technology's getting there. I think we're almost there, where the point is technology can fix this problem.

But it's like this. If I ask my son where his homework is and he spends half an hour going through his book bag looking for it, well guess what, he's not very efficient and he's probably not going to work and I couldn't automate that process. But if we clean up our environments, then we can start to employ some of these great tools that we have out there.

Bringing on CDM (Continuous Diagnostics and Mitigation)

Arika: And so do you think programs such as CDM, for example, I mean, they're looking to obviously when ... The phases, what's on the network, those types of efforts. Are those going in the right direction? Are they happening fast enough? Is there enough priority on them?

Sean: I think from a theme standpoint, they're the right thing. I've talked a lot, when I was a CISO, we were bringing on CDM. I think from a theme of knowing what you got, knowing who's on it and those kind of things, they're all great things. But how comprehensive is that? Those organizations, we're into what phase of CDM, and we're still seeing infiltrations and we're still seeing ransomware attacks and we're still seeing a great deal of success come across these networks. So what are we really stopping at this point?

Eric: But are we heading in the right direction?

Sean: I think we're having the right conversations. I think we're discussing the right things.

Arika: That was a great political answer...

Eric: I don't think that is political. I think that is the status of where we are, right? You've got to have the conversation before you can make progress, before you understand the problem. These are difficult problems, as Sean is articulating.

An example from the Veterans Administration

Sean: It's very complex. You take the VA. That's a very complex environment. We're talking about an organization that has almost a half a million employees. The IT budget, you'd think it's huge at four point plus something billion dollars, but it just doesn't fix all the problems they have. I think when I was there, and this is a couple years now, they had over seven million ... seven billion dollars in requests. That environment almost has to start new. So with these big, complex organizations, and then we got to talk about the small ones.

The small ones take what the big ones are actually doing, and that's not a complete fit. You have these very under-resourced organizations in the small agencies, that, they've got to try to bring a lot of this onboard, and they may not have the personnel or the skill level to do it.

Eric: What do we do?

Sean: Shoot, if I knew the answer to that, we'd both be millionaires.

Eric: Arika would say, we have to do more than talk.

Sean: Well, we do. Go ahead, Arika.

Keeping up with the evolution of threats

Arika: Well, I was just going to say, I think certainly having the conversations and really thinking about how to ... being thoughtful about how to move forward. But at the same time, there has to be some action with that piece. So it feels sometimes like, I think it's just the nature of government, there's lots of discussions and conversations, but not as much action, as fast enough. And I think we just live in a time where the threats are getting more and more sophisticated and it's almost in a place where the security obviously can't keep up with the way the threats are happening. How do we get in front of that?

Sean: I don't know if the threats are becoming more sophisticated or if they're becoming more widespread. The skill level that's needed to launch attacks today are much less than they were ten years ago. There's now kits online, they have video tutorials on how to launch them, they press a couple buttons and they're off and running. The really, really, really good hackers, we don't even hear about, because they make sure you never hear about them. They erase their tracks, you never even knew you got hit.

Continuity between administrations

Sean: In the government, so let's just focus on the government right now, is we don't, and every administration's guilty of it, Democratic, Republican, so this is a non-political answer, there's no advantage to setting up the next guy.

Eric: You mean setting up your replacement, the next person coming in, the next organization.

Sean: The next president or political appointee.

Eric: The next administration.

Sean: Right, and the next administration is ... If this administration, just because they're here, said, "You know what, we're going to build the foundation that will build them for greatness for the future," okay? "We ain't going to accomplish one thing that's tangible, except for building a foundation."

Eric: So that our future generations can benefit.

Sean: That can benefit. That would fall flat. That would fall completely flat, because that's not making things faster or better or easier or whatever. Because then the next guy comes in, maybe Republican, maybe Democrat, and all of a sudden if they were able to build on that platform and they can claim all these successes that they've been built, but really it was the guy before that really built it.

The impact of partisanship on continuity

That's because of the environment we live in, in this very partisan environment. If we were in a commercial, take Forcepoint, take the parent company, Raytheon, if Raytheon's going to make a huge investment in technology, it's going to be over a long period of time. And it may bridge different CEOs, but the board of directors are there as the constants. And they keep it going. They understand this capital investment is going to pay off in x amount of years. That's where we have to get. If you want to talk about what we have to do, we have to start treating this more like a business, in capital investments, improving our infrastructure, building that foundation and then we can worry about actually preparing this country for the next step.

Eric: Almost like a capital works project or something, where ... Like the Eisenhower administration invested in the infrastructure of the roads.

Sean: Agree.

Eric: We've all benefited to date.

It takes long term capital investments

Sean: Agree, agree. And those kind of capital investments are going to pay off if they're done right and we let people do them, we don't clamp on. See, a lot of things, like I did a television show this week on government matters and we talked about the VA and their legacy IT. One point I made was, every administration comes in with their initiative and clamps something on.

So you end up with a bunch of different Lego sets with a bunch of clamped on buildings and it looks nothing like the picture on the box, because it's not what was designed. That's what you end up with these legacy IT systems and then I say to you, "Eric, secure it." And you're like, "What you talking about, Shaggy?" It's unsecurable, because each system is different. It's been designed in a different decade by a different set of programmers and a different set of IT architects.

Arika: It's interesting. So even though, just kind of going back to what you were saying a few seconds ago, even though cyber security is obviously, it's a bipartisan issue, there's wide agreement that we want to have secure networks, one of the reasons that we're not progressing and moving forward though, is due to somewhat political reasons and not wanting to bridge that gap for the next administration.

The private sector also has its issues

Sean: Well, yeah. And that's a real easy thing for me to say, because that's the government problem. But let's be very honest. There's a multi-billion dollar hotel chain that just got crushed. That has nothing to do with politics.

Eric: Has nothing to do with the government.

Sean: Agree. I started with a government problem, but I think as we look at it, we've got to start, and I've been preaching this for a long time, we have to clean up our environments so that we can use the technology. We are handcuffing ourselves because of these environments that we can't employ technologies to its fullest capability.

Adversaries have a first mover advantage

Eric: I think, in all fairness to the good people and everybody who's trying, the adversary has some unique advantages. They have first mover advantage. They get to choose when and where to strike. They only have to be right-

Sean: Once

Eric: ... one time

Sean: Once.

Eric: Those two concepts make it extremely difficult for anybody to protect their infrastructure, to protect data, to protect people.

Data centric approaches are more easily implemented

Sean: It is, but I think as we're moving, and back to Arika's point, we're moving towards a data centric approach, not a perimeter approach. If we have our data ... And that's a much easier cleanup than cleaning up an entire environment.

So if you had your data classified, you had it categorized, and you know that Eric should be able to access this data, but not this data, then no matter what they do, they should not be able to get, if it's identity and credentialed and classified data, okay? If we get to that point, but then again, I still say, I'll still go back to, we still hamstring ourselves with the technologies out there that could solve these problems. I believe the technologies are here. It's just we're hamstringing ourselves to be able to fully implement them.

Consolidation and standardization

Eric: Would consolidation ... I mean I know that's tough, the government has an incredible amount of legacy systems out there-

Sean: Agree.

Eric: ... a number of legacy systems. Would some level of standardization help? Do we go to one shared IT organization that works to build security in from the beginning, or is that ... that's not customized enough?

Sean: It's hard. The easy answer is, "Of course." But then, you get down to the practicality of it, and each organization, even if they have a similar mission ... Look at Defense Health and Veterans Affairs. Pretty similar missions. But let me say this to you, we're going to see in the next few years how hard it is for a consolidated or single EHR. They won't be the same. They'll be customized enough that they're different enough. And then you take other organizations that kind of touch, there's just enough differences in what we do that there's going to be some level of customization and that could be a problem.

Arika: Makes sense.

What's the best a CISO can do?

Eric: What do we do as a CISO? We have this wall. What are the moves? Let's get to the point. What's the best you can hope to do then, as a CISO in an organization?

Sean: The funny answer is, don't get hacked.

Arika: Right.

Sean: Right, and keep your tenure to a period of time that you can survive.

Eric: I don't like that one.

Sean: The serious answer is, you have to have a great relationship with operations and you have to understand every entry point and every exit point into your network, into your environments, physical and virtual. Once you have that, then you could start to come up with some game plans, because ... But that's a perimeter defense. Then you want to understand what, back to Arika's first question is, then you want to know who's on it and what's on it. What do you really need to protect? But you got to get users to roll back and stop saying, "I need everything." No, no, no, what is really going to be intellectual capital.

Arika: Necessary.

Eric: You need to understand risk and you need to be able to prioritize.

A "one year" email policy example

Sean: Agree, agree. There's just not enough money. We have a lot of fruitless conversations because of the fact that it's really just hard to have it. "I need everything." "No, you don't. You haven't touched that file in ten years. Why does that need to be protected?"

Eric: Why do you even have it?

Sean: Exactly.

Arika: Right, that's usually the question.

Sean: I had a security organization I worked for, years ago. They had a one-year email policy. In one year, your email came off the network.

Eric: It was deleted, wiped-

Arika: Wow.

Arika: I've never heard of that before. I love that concept, though.

Eric: It's great from a legal discovery perspective.

Arika: Yes.

Sean: Exactly, that's exactly why, it reduced the risk to the organization. And think about this, if every file, and you only had a certain amount of space to put files that were exempt from this policy, were allowed to stay on the network, think about how much more efficient we'd be, and how much easier it would be to make decisions on where to apply our resources. The other problem I think is, in organizations, is that we're trying to protect everything and that's not the key.

Being a CISO is a challenging job

Eric: So really, what I'm hearing you say as a CISO, it's a tough gig.

Sean: It's terribly tough.

Eric: What you can do though, is focus. You can address risk. You can go after high priority systems, high priority data and you can focus on what matters. And you can make progress or accomplish things if you do that.

Sean: I think if, as a CISO, and this is the way I always approached it, if someone came and looked at my tenure and said, "He was infiltrated, but let me look what he did along the steps." And along the steps, they came out, a group of individuals looked at it, a group of CISOs looked and said, "You know what, based on his budget, based on what he presented, based on what he did with those resources and everything, Sean did his due diligence." And that's the key, did my due diligence, did everything I could to protect this organization, used every cent that I had to protect them the best I could. That's what we got to expect out of our CISOs.

Better sleep after CISO

Arika: So I have a final question. Are you getting more sleep now? Because you're now on the other side. It sounds like it was a tough job and so how is it to be on the other side now, now watching what's going on within government?

Sean: So you miss it, right, because you have ... If you're in the government service, you want to serve. I left after a short period of time because I realized I couldn't do what I needed to do. That was the reason I departed, the pattern. When you know, and what I told them would happen happened within the first year, which was they would get attacked from the regions, because that was where the open doors were. Yeah, I sleep better. I love my new company. It's a great company. We're going to build a cybersecurity unit to hopefully go back and help those individuals. It's a data centric company, so obviously, I believe in protecting the data at the data level.

Eric: As do we here at Forcepoint, I mean, that's our focus, is on the data.

Sean: Agree, agreed, yep. And that's where I think the key is right now. Someone said something to me a long time ago, and it really makes sense. There's waves that happen in the federal space. There's waves that you can do more from the inside, as an employee. And there's waves that you can do more from the outside, as industry. I think we're clearly in the phase of you can do more from the outside as industry. So here I am.

Eric: Working with the inside.

A radio show to serve and shape the conversion

Sean: That's part of why I started the radio show. I wanted to start the radio show. I like shaping the direction of the industry, I like shaping the conversations and I knew once I stepped out of government, no one wanted to hear what Sean Kelley had to say anymore. So I started the radio show so that I could talk to the decision makers but also shape the conversation. And I think we're having success doing that.

Here's where to find Sean's show:

• If you're in the Washington D.C. area, every Friday at 10:30 and 2:30, we're on 1500 AM, Federal News Radio, part of the Federal News Network.
• CyberchatNews.com
• Cyberchat on iTunes
• Cyberchat on the Federal News Network
• Cyberchat on Podcast 1

Arika: And your shows are great, so definitely check Sean out. So thanks Sean. We really appreciate this conversation. And thanks, everyone, for listening this week. Please be sure to tune in next week to the show and please leave us a comment and also give us a rating on iTunes. We appreciate all the feedback and we look forward to continuing to get to the point.