Who's on First? Government Cybersecurity vs. Commercial Cybersecurity
This week Forcepoint's Phil D'Angio joins the podcast to give us his take on the trends and challenges in commercial cybersecurity. We talk about how cybersecurity is prioritized and about data security, and also dive into why more millennials are not joining the cybersecurity workforce.
Episode Table of Contents
- Government vs. Commercial Cybersecurity
- Risk Component Breakdown
- Millennials in the Cybersecurity Workforce
- Taking Insider Risk Capability
- Thinking Beyond Tech
Episode Introduction: Who's on First? Government Cybersecurity vs. Commercial Cybersecurity
Arika: Hi and welcome back to episode 26 of To the Point Cybersecurity. I am your host Arika Pierce and joined, every week, by Eric Trexler as well. Hi Eric. How you doing?
Eric: Hey Arika, I'm doing great. Sounds like we're over the half year mark, if you count the Christmas holiday.
Arika: We are, we are, we're smooth sailing. So this week we're excited to have a guest. We have Phil D'Angio, hope I'm pronouncing it correctly with trying to have a little bit of an Italian accent there, from Forcepoint, and we're kind of going to switch gears this week. We spend a lot of time on the podcast talking about what's going on in the world of government cyber security. But this week we thought we'd focus a little bit more on what's happening on the commercial side, because we know government's always looking at what's happening in the private sector and vice versa. So it's good to have that mix. So Phil, thanks for joining us this week to talk about that.
Phil: Awesome. Good to be here.
Government vs. Commercial Cybersecurity
Eric: Yeah Phil, we actually got a few requests asking to have a little more of a commercial flair, I think, from government personnel and others that wanted to be able to compare and contrast the differences.
Phil: Well, commercial flair is my forte, so you have come to the right place.
Arika: Okay, good, good. Well let's just start off at a very high level, Phil. So we know right now, one of the things that we're seeing, and I think it's a very positive thing for the industry, is that we're seeing a shift in terms of how cyber security is prioritized within organizations. So in government we now see the CISOs, the CIOs, they're at a much more elevated place. They're a part of making decisions around how programs are, how funding is done in terms of trying to accomplish the mission of the agency.
Arika: Cyber security is starting to be less of sort of just this offshoot when things go wrong. Are we seeing those same types of things on the commercial side, in terms of that priority, in terms of the CIO or whoever is really setting the agenda for cyber security within a company? Are they at the seat at the table with the C-suite and helping to make decisions?
CISO's role in cybersecurity
Phil: I don't think there's any question that the CISO role has elevated steadily over the last several years as corporate risk becomes a discussion point or a decision point around investments a company might be making. They probably were not included in all of those discussions five, six, seven years ago, but as far as the way that companies operate in the commercial sector, technology is woven into the fabric of everything that drives growth.
Phil: For most companies it's critical infrastructure for their growth strategy. And so having a point of view and a perspective on the company's ability to execute a new strategy or to drive growth through initiative, securely, is totally linked to its risk profile. And every company or agency or country really, has an acceptable level of risk that they'll take on in their endeavors. And that's why I think it's started to become part and parcel and part of the everyday decision making at the C-level inside companies, for sure.
Risk Component Breakdown
Eric: Phil, break risk component down. When you say they're talking about risk, that's not something we hear on the government side as much as you would think. What do you mean?
Phil: Well, I think the biggest risks to companies are often the biggest opportunities, the people and the data. Your data, your intellectual property at a company, may be your trade secrets. The people who developed that IP are part of your competitive advantage as well. And so on one hand, the threat that creates risk could be arrogance, damage, neglect, abuse, greed, theft, misuse, disgruntlement, that manifests itself out of the people that work at the company. The vulnerabilities that are associated with your data are, it could be false positives that you're flashing, it could be poorly aligned controls to your intellectual property. That combination creates risk in your business.
Eric: But do these businesses, in your experience, actually allocate risk based on application or business unit? I mean, do they understand it at a more granular level?
Phil: Some do at a granular level, but not at scale. It's very hard to understand risk at the application level. However, when you, if you really understand the data and the people, you get past a point where you have to think about applying controls or understanding of risk at a technology level. In fact, that I think if you try to achieve risk mitigation from a technology perspective, it's very challenging.
Model to follow: Human perspective
Phil: That's why I believe that a human perspective is much more tolerable of a model to follow, because you're going to have patterns to follow around humans, creating risk in your working environment. And I think that's true about any organization. It's not a, I don't think that's very commercial versus government centric at all.
Eric: What I've found in the government space is it's very binary. Everything has a very equal risk level and it's, we're looking at this or we have a tool that does this. The tie-back to risk in many cases, I'd even argue most cases, isn't understood. Right? So taking classified information out of it, where you've got separate networks and things like that, a given agency may not protect PII any more than they do common email traffic or something else. They don't look at different risk levels. They don't look at mission data differently, in many cases. In fact, sometimes we see with weapon systems and other data that's collected, there's no security at all, where you would think that would be very sensitive information that would be protected well, while email or web traffic is actually scanned more effectively.
Phil: I'm not sure how I feel about that, but it doesn't feel good.
Eric: No, it doesn't.
The blind spots in risk reduction application
Phil: I mean really, the challenge of course, is if you try to apply tech to tech for reduction of risk, you're going to have blind spots. I just think that if you can follow the users or the people in the business, their behavior and the signals that come from their behavior will tell you where the risk is. And to your point there, that you illustrated about some environment where they don't watch PII, they don't keep tabs on how PII might be utilized by their people. Well, that would be a tremendous indicator of risky behavior, if it's being accessed and being moved in a dramatic fashion.
Phil: Usually there'll be sensors or signals of that new change in the business. And it might not, it might be genuine. It might not be, but it also might be risky either way you look at it. So I just don't think we're going to, I don't think we're going to make a big dent in the security problem if we continue to apply policy at the tech or at the app, I think you used the term application level, or the network level. It just doesn't seem like it's going to get to the granularity and the scale that you'd need.
Eric: I agree with you. I mean, we'll see customers who have, at the end point, they're running a tremendous amount of capability on their servers, their end points, you name it. They move into the cloud and they're not running anything.
Eric: Which is bizarre to me.
Eric: How do you protect one but not the other?
Finding the riskiest data to implement controls
Phil: What I've, this kind of drives me nuts, right? If you have a data protection strategy in, and again it goes back to not, this is not a point of view that I have about government versus commercial, but if you have a data protection strategy that you believe in, then you probably are aware of where the riskiest data is or is going to be and you probably have the ability to implement controls in those legacy environments.
Phil: Then you move or adopt the cloud and you deploy a net-new data protection capability, a tool if you will, but it's not connected to your mainstream data protection tool. So now you have two data protection tools and two operational plans to support data protection initiatives and needs, in the new modern world of the cloud and the old world of days gone by. All that does is make you less efficient.
Eric: It's like going to lunch with somebody, but you don't actually sit with them in the same restaurant. You go to different restaurants, you're not talking.
Arika: That's an interesting way to look at it.
Phil: It doesn't work.
Eric: It just came to me Arika, it just came to me.
Changing perspectives on the individual level
Arika: So how do you change that dynamic though? Then how, I mean, what's the message when you're out there talking to some, both commercial or even government? How do you shift that way of, even I guess, that mindset, even?
Phil: Candidly Arika, I've been drawing it on the whiteboard for the last several weeks. In the last couple of weeks, in particular, we just, we spend a lot of time just understanding what a client is doing and would be doing as they adopt Office 365, as an example. I mean, Office 365 or Salesforce, Workday are extremely popular transitionary target apps, right? So we're talking about major adoption, whether it's in the US or in other parts of the commercial world, that's definitely driving a renewed assessment of security controls.
Applying security control
Phil: And I put it on a whiteboard because if you don't visualize the concept of applying a security control in your current environment, at the end point, at the network, at your mail egress points or where the workloads are going to go, then it's hard to frame it, in my mind. But you really do have to frame the discussion as data protection and you get to a point hopefully, well I do, I know I get to a point where I realized that policy had to be applied at the user or at the individual level.
Phil: To appropriately control data or prevent its loss, we cannot live in a world of group policies. Because group policies will generate false positives and false positives put pressure on security practitioners to open up exceptions, exceptions become vulnerabilities to our companies. That's, and that's where I'm so passionate about being able to think about policy application or control down at the individual level, based on the riskiness of that person's behavior.
Investing in the Cloud
Eric: So I want to-
Phil: There's a lot there. I apologize.
Eric: No, I think there was, that was very comprehensive. Let's switch gears for a second, Phil. Commercially, where are our customers investing their efforts?
Phil: I think a lot of it is in this cloud category. I also think-
Eric: So the move to the cloud?
Phil: Yeah. Understanding the cloud is, learning what's ahead in the cloud, is definitely an area where they're investing. I also see our commercial clients continuing to address and invest in the talent issue. Talent continues to be a major challenge for security teams. It's not just the transient nature of talent. It's also just the diversity angle.
Millennials in the Cybersecurity Workforce
Phil: I'm, I have to tell you, I'm really excited to say that last week when I was out in the field, I saw a lot of examples of diversity being embraced. But I know if I ask that question to a number of our clients, where they feel they may have underperformed against their goals, is really millennials. Finding millennials that can come in to the security team to share their perspective and bring that point of view from their perspective, into the security operations. I know there's investment in that area to do some training, but also investing in recruiting the right talent.
Eric: Yeah Arika, you actually-
Arika: Oh, go ahead, Eric.
Eric: You wrote the book on millennials. Literally, you wrote a book.
Arika: Well, I wrote a book for millennials about adulting. And so actually, that's one of my questions, is we know millennials love technology, right? And so there's obviously the connection between technology and cyber security. So why are they not interested in a world, in the industry?
Phil: I don't know.
Arika: It seems exciting.
Phil: I really don't know.
Cybersecurity going to the commercial world
Eric: See now, the government answer is they are, they're just going to the commercial world.
Arika: Well, that's what I'm thinking.
Eric: Where they pay more, right Arika? I mean, we hear that week after week when we talk to people.
Arika: Right, right.
Eric: They pay more. They're going to the commercial world. Phil, what you're saying is, you're not seeing them.
Phil: Well, I'm not seeing them on the client side. I'm seeing them come into our work, as an example, coming and working in companies that are software companies. But if I look at the financial, the health care, manufacturing verticals, and I'm just going from my personal experience, outside the Bay Area, I'm not seeing it, I'm just not.
Eric: New York City?
Arika: Well and what I think will be fascinating-
Eric: Where are they going?
Recruiting Gen Z
Arika: Too, is we see the internet of things and those types of technologies increase and the need to make sure we have cyber security safeguards in those new technologies, I wonder if that will be more encouraging in terms of seeing more millennials moving to that area. If not, then I guess you got to start recruiting Gen Z. They're coming up right behind them.
Eric: Time for a new book.
Phil: Gen Z-
Eric: So we're hearing a lot, I mean-
Phil: I've learned something.
Taking Insider Risk Capability
Eric: We're hearing the move to the cloud. We're hearing about talent challenges. I mean, some of these are the, these are the exact same challenges that government customers are struggling with today. I think the biggest differential is the government thinks that commercial industry has all of the people and they're not there.
Phil: Well, that's an interesting point of view to hit on as well. Now, this is really recent for me. I see a ton of our government employees moving to the commercial sector and then maybe, that's who's taking all the jobs, Arika, not the millennials. They're beating the millennials to the punch, so to speak. I have seen a significant shift in that migration from government to commercial. And it's definitely been, I'd say in the last 18 to 24 months, if I just reflect on the number of clients I know that are recruiting for that insider risk knowledge that they lack. Frankly, in the commercial sector, there's a lack of knowledge on how programs addressing insider risk are put together, how they're run, how to position them.
Phil: Like we talked about internally, earlier, we talked about internally positioning the security apparatus as one that drives growth for the company. How do you take an insider risk capability and position it for the company's growth? In order to do that, a little bit of subject matter expertise coming from the team members who've been doing it for many, many years and have been, probably been successful in detecting abuse, neglect or other forms of harm inside of a large organization.
Moving insider threat capability from government to commercial
Phil: You do see it, by the way, Eric and Arika, you do see it as, it's something that's happening in our largest companies. It's really the largest companies who are starting to bring these team members on. And my suspicion is that it's just a moment in time here, where the government teams have achieved a lot of their goals and are handing that baton over to another team. And that gives that person or that team an opportunity to go into the commercial sector and do something fruitful in that phase of their career. And I think it's a good thing. I think it's a really good thing for our companies.
Eric: Well and that is an area where the government is rather proficient. The insider threat capability, there are some really strong capabilities that the government has. It's good to see it going to commercial industry. The government is looking at, I mean, it's been very public. If you look at the Wall Street Journal and some of the other publications out there, where the defense industrial base and companies that are being contracted or subcontracted out via the government are some of the weakest links, in their mind.
Eric: So it's good to see that happening.
Commercial and government partnership
Phil: Well and if you think about commercial government partnership, that's one of the places where I've seen it come together more and more. As you see, well you have relationships, right? I mean, let's just be human about it. There are relationships that are coming together because you've got ex government folks that still talk to their government colleagues, that are still doing the work in the government, now on the commercial side. That's bringing us together a lot more frequently, in this category of insider risk, which to your point Eric, it's not something that's done as a small area of a security operation now. It's a major focus. Data protection and insider risk are major focuses now, in most major companies.
Diversity in the cybersecurity workforce
Eric: It's good to hear. So Arika, as we wrap up, we need some Gen Z, millennial advice from the expert.
Arika: Well, as I always say, one of the things about adulting is to be open. And so what I think is great, is that there are efforts right now to encourage people to look into areas such as cyber security, in terms of the workforce. I know the Department of Energy actually does a great cyber competition. We've had one of the guests on our show. At the college level, they're actually giving them a scenario. They go out to the labs and they get to have a really cool hands-on experience to solve a cyber security issue.
Arika: So hopefully we'll see more of that. And I know companies like Forcepoint too, you guys are great at, just in terms of being inclusive of the workforce and also, wanting to see more diversity in terms of age, race, all ethnicities, all of those. So it's just being open. Just because you started off on one track, doesn't mean, you might not end up on the other. Did you guys want to be cyber security professionals when you grew up?
Phil: I just wanted to be like Eric and have cool headphones. I mean, Eric, you got like a Star Wars thing going on there.
Eric: We are recording Phil, but go on.
Arika: Yes, yes.
Phil: Oh, no, no.
Thinking Beyond Tech
Arika: No, no, but I was just saying because all our listeners can't see, but we all can see each other. So we like to give him a little behind the scenes. So yes, Eric does, he has-
Eric: I mean, I think when we were growing up, cyber security really didn't exist. It wasn't popularized. You didn't know about it, even as a field and now we have millions of people in cyber security, right? It's a growing space. My hope would be, as Dicky said a couple of weeks ago, Dicky George from Johns Hopkins, some of these millennials, some of these Gen Z, these kids, as I think he called them, will come up and really help us make some progress in this area.
Phil: Yeah, I think the thing that drew me into security was that it was, it was hard to understand when I got into it and I knew it was, it just took a lot of thinking and perspective beyond tech. You had to have a perspective, like just the fundamentals of, why would somebody steal something from me?
Phil: From a company perspective-
Eric: 'Cause when we started, it was all about the architecture and how do you make something bigger or faster?
Phil: Yes, yes.
Eric: Not protecting, right?
A good technology problem to solve
Eric: It was, how do we do, how do we get more streams? How do we do this workload? It was a really good technology problem to solve and then all of a sudden, a couple decades, decade, decade and a half ago, all of a sudden, you had to worry about what, wait a minute. We have to prevent people from taking what we're doing.
Eric: Or stopping what we're doing, right? An outage. But I think for Phil and I, from our generation, it's really, it started in technology.
Arika: Well, it'll be interesting to see what happens, but I do think as we see more things such as AI and the intersection of that with cyber security, perhaps that could be a new draw. So as I always say, if you watch enough Black Mirror, it's fascinating to see.
Phil: I decided to stop watching that because it was so scary.
Arika: It gets a little dark.
Eric: I'd love to see an AI based on Phil D'Angio.
Arika: Yeah, there you go.
Phil: Oh, come on.
Arika: Well, thanks Phil, for being on the podcast this week. Definitely your perspective, it's interesting. As I said, we spend a lot of time just focused on government, so it's great to have that commercial insight as well.
Eric: Yeah. Thank you so much, Phil.
Phil: Happy to be here anytime. Thank you.