Welcome To The Point Cybersecurity Podcast – E001

Welcome to the To The Point Cybersecurity podcast brought to you by Forcepoint

In this first episode, host Eric Trexler from Forcepoint and co-host Arika Pierce give an overview of this new cybersecurity podcast and explain how and why they plan to keep each episode to 15 minutes or less.

Transcript:

About this podcast

Arika: This is episode one of To the Point Cybersecurity. I’m Arika Pierce and I’m joined by Eric Trexler of Forcepoint. Hi, Eric, so good to see you.

Eric: Hi, Arika. Good morning, it’s great to be with you also.

Arika: Great, so, first, Eric, I just wanted to say thank you for the invitation to join you every week on this podcast. Cybersecurity is such an interesting and hot topic right now, especially in government.

What is the goal for this podcast?

Arika: I first want to ask you: What is the goal that you and your team at Forcepoint have for this podcast?

Eric: What we’d like to do is start a dialogue, start a discussion. We want to get the word out. Cybersecurity is one of the hottest topics of our time, and we want to have that dialogue between government customers, the different stakeholders out there from the integrator channel, from the OEM channel. We want to talk about what’s going on in our industry, specifically around the government.

Arika: Of course, I really like the name To the Point. As you said, Cybersecurity is really a topic that we’re hearing so much about everywhere you go. I think having a theme of … having a dialogue that’s 15 minutes or less where we discuss these issues, I think that’s really important.

Arika: I was actually at a cyber event just last week, and SBA CIO was there and she was asked the question of: What advice would you give to the [inaudible 00:01:44] community, in terms of how to talk to government?

Arika: She said, “Get to the point. We already know our mission, we already know how big we are, we just want you to get to the point and tell us solutions.” I really like if that’s the theme, the name of this podcast.

Eric: If only it were that easy, right?

Arika: Yeah, exactly. Well, we’ll give it a try-

Eric: Yeah, I mean, the goal is … I mean, the goal is to get to the point. We can spend all day talking about things. We should converse, we should come together as a community, but at the end of the day it’s about results.

Arika: Right.

Our mission: getting results

Eric: We need to drive towards results. To the Point lines up with Forcepoint in our mission, but, really, how do we get to results quickly? How do we do the things we need to do to make the American government a much more secure and safer place for our people?

Arika: With that, let’s get to the point, let’s get to the first question.

Eric: Let’s do it.

A category five hurricane – in cybersecurity

Arika: The Department of Homeland Security, they had the first of its kind Cyber Security Summit this summer, it was about a month ago. At the summit Secretary Nielsen said, “A category five hurricane has been forecast and we must prepare. The next major attack on the U.S. is more likely to come by computers than airplanes.”

Arika: Eric, what is your reaction to that? If you were a CIO of a government agency sitting in the audience and you heard this, what do you do? How do you really properly prepare?

Eric: I agree. I agree with her. I love the hurricane analogy. I think cybersecurity for us is kind of like global warming. We all pretty much have an idea that it’s a problem. We don’t know how big the problem is, we don’t know how or when it’s going to impact us, whether it’s local flooding from something like Hurricane Sandy, or it’s an extra couple cat 5 hurricanes in a given year. Hawaii’s getting hit, we got hit over the weekend as we’re recording this.

Eric: We know it’s a major problem, we know we need to prepare for it, and we know it’s going to impact us. Acknowledgement of those components is probably the first thing we need to do.

Eric: This DHS meeting, I think it was the first one in four or five years. They’ve actually done some things like this before.

Arika: Okay.

Eric: Opening up the dialogue, having that discussion, first step in identifying and acknowledging there’s a problem and working together toward solutions.

What is the government’s state of cybersecurity readiness?

Arika: On that same note, as government is working towards solutions, I think the other thing that we’ve heard a lot about in the news, and this was talked about at the summit, as well, is that government, they don’t have the right type of cybersecurity programs in place.

Arika: There was a recent OMB report that said … They took a look at 96 federal agencies, and they found that 71 of the 96 agencies were deemed “high risk” in terms of their cybersecurity programs. Even though government wants to be prepared, they really aren’t prepared yet.

Arika: What is it? Is it a lack of funding? Is it that there aren’t the right types of solutions to match the right types of risks that are happening right now? Is it just government red tape? Why is government so behind, it feels like, in terms of cyber-preparedness?

Eric: Well, you think, they’ve got a problem of scale. They’ve got a lot of challenges that they need to deal with. What I’d like to reinforce, or what I believe, is the government has the exact same problems that commercial industry across the globe has, that pretty much every other government across the globe has.

Eric: They’re a target, they have something that somebody wants. They’re being attacked by very similar people. Now, we may have a nation/state actor coming after a component of the U.S. Government that wouldn’t hit a Third World government or anything, but they’re the exact same problems, and pretty much the same tools, and capabilities and solutions to fix them.

Is a lack of funding to blame?

Eric: A lack of funding. We spend a ton of money in cybersecurity. Should we spend more? We can have an argument about that. Of course, if we can get more we’d spend more. Not enough solutions or too many to choose from. Last I saw there were over 4,000 companies doing cybersecurity in this space. I would argue we have too many.

Solution-focused capabilities

Eric: What we don’t have are solution-focused capabilities. We’re not looking at what problem am I trying to solve, and who can bring capabilities to play. We’re not building systems like we do everywhere else in IT. We have a lot of people involved, and then the acquisition process, of course, is always a challenge.

Eric: By the time you can procure a technology or do something, it’s been a year, it’s been two years. You’re probably behind, the adversary has moved on, or the adversary can very quickly evolve and move on. There’s a procurement challenge, also, going back to your comment about the government red tape.

Eric: These are problems that were created by people. They can be solved by people though, we just need to focus on outcomes, as opposed to buying technologies, or it’s too difficult.

Arika: Yeah, I like your term solution-focused capabilities. That’s something good to remember. Eric, you mentioned the commercial space, the private sector. I know Forcepoint works both on the federal side, as well as on the commercial/private side.

How do private solutions match up against government initiatives?

Arika: In your opinion, how does the preparedness match up? Is the private commercial side more prepared? Are they doing different things? How do they match up against government?

Eric: I think it really depends which part of the government and which part of the commercial sector we’re looking at. I mean, if you look at the financial industry, they’ve got the ISAC set up, they’ve got a lot of money, they’ve got a lot of capability, they’re hiring the best and brightest people. There are components in the government that can do the exact same thing.

Eric: They’ve got scale challenges, but they really understand what they’re doing and why they’re trying to do it. There are components of the government that are the exact same. Then you can look at the commercial model if you look at the healthcare industry, if you look at a hospital system, or a private doctor’s office. They probably have a very small IT budget, let alone cybersecurity effort or budget.

Eric: Very similar problem, just some of the smaller agencies. You mentioned Maria Roat, the CIO from SBA, they’re spending a lot of time … It’s a smaller agency, but they’re really consolidating their capability. I think there are a lot of benefits that are coming of their move to the cloud, their standardization across the board. There are a huge number of benefits that are coming from that.

Eric: That doesn’t mean you can be a one-vendor shop where one vendor’s going to do everything you need, but looking at your business and understanding what you have the capability to do and what you don’t. We’re gonna talk about CDM I believe in next week’s episode-

Arika: Yes. Yes, we are.

Eric: CDM is an amazing program on the civilian … the dot.gov side, that basically provides funding in exchange for visibility. That’s great. If agencies take advantage of that I think they have a huge opportunity to get ahead of where their traditional budgets currently have them.

Arika: I was gonna ask you a little bit about CDM on this episode. Why don’t we just jump there very quickly though. It seems like CDM could be a game changer? Yes, no, maybe so?

Eric: You know, personally, we’re putting a lot of effort into it. I think CDM should be a game changer. There are a lot of smart people that are working very hard to bring funding to agencies that need the help, bring capability to these agencies, and all they’re asking for in exchange is really reporting back on the risk status of where the agencies are at a given time.

Arika: Wow, well, hopefully we’ll see agencies take advantage of the opportunity. I mean, it really does sound like it’s something that could only benefit them from a cyber-preparedness standpoint.

Eric: We hope so. That’s the plan.

New Homeland Security tools for agencies

Arika: Then, the other recent news I saw, in terms of other initiatives, is that Homeland Security is developing a new tool for agencies. It’s a risk radar they’re calling it. The purpose of it is to help the agency executives identify where most of the cybersecurity risks are within their department at a level that’s higher than the operational level.

Arika: Do you think something like this will work, and then, if you had to sort of forecast where the risks are within an agency, Eric, where do you think the most attention should be placed?

Eric: I like the idea in concept. If you think about radar, if you think about a screen where you can look at what’s in front of you, what’s aside of you, what’s going to impact your business, almost as if you’re flying a plane or driving a boat.

Eric: The idea is very sound. The intent, as I understand it, is to address both strategic and systemic risk in these agencies. To give them some visibility that they may not have. If you look … pick an agency, Department of Interior, they’re not necessarily looking at cyber risks from hacktivists, criminal actors, nation states, they’re not categorizing what the hottest trends are to the same level that a DHS might, in working with the intelligence community, private industry, and everything else.

Eric: But getting that on their radar, knowing that ransomware is picking up, and that it’s starting to impact people, gives them some time where they can go back and prepare. They can understand what’s happening.

Eric: It also allows for better visibility across the government, something that CDM is supposed to do. If they get the partnership with industry, the private sector, and the government right, I think there will be some benefit there. I think the idea is absolutely sound.

Eric: Government and industry working side-by-side together to solve hard problems that go cross-sector, that could be really exciting. Time will tell. It’s a good first step.

Arika: Well, and I think there’s been a theme lately coming from … definitely coming from Homeland Security, as well as other departments, in terms of the partnership that’s really needed between industry and government, especially as far as information sharing and data exchanges.

Eric: Absolutely required. Let’s not kid ourselves, right? There’s exponential growth in systems and data. Mobility and cloud are coming to bear, the perimeter is basically gone as we know it. These agencies have a need to protect their data and their people, regardless of where it resides. There’s a shortage of talent.

Arika: Yes.

Eric: There’s still user education challenges. Even your best users can be susceptible to a very targeted and tailored phishing attack. Nothing’s perfect. Then there’s an ownership issue. We’re gonna talk about CDM next week, but as we look at who owns the responsibility. This could be a commercial problem, a government problem, an intra-agency problem, who owns that responsibility? They have a lot of challenges that we need to address.

Phishing schemes tailored for Washington DC and the government sector

Arika: Well, it’s interesting that you said the phishing problem, in terms of just users. I read recently that the most common email that often starts the attack, in D.C., many of these federal agencies, are emails that come that are giving away Redskin tickets. They say even the people in IT that are in charge of cyber are still clicking on the email. That’s interesting.

Eric: I learned a long time ago nothing is free.

Arika: Yeah, exactly.

Eric: It seems like that would be applicable in this example.

Arika: Very much so.

Arika: Well, thank you, Eric, so much for our first episode. We’ll be back next week, and we’re gonna take that dive into the CDM program, but this was great, so thanks so much.

Eric: Absolutely. I’m so excited to kick this program off. I am looking forward to the weeks ahead, getting some guests in here, having some spirited debate and dialogue about cybersecurity and the government.

Arika: Absolutely, and we’ll keep it to the point.

Arika: Thanks everyone for listening, and we’ll be back next week.

Eric: I’ll talk to you then, Arika. Thanks.

Arika: Thanks.