In this episode, host Raghu Nandakumara sits down with Gary Barlet, Federal Field CTO at Illumio, to discuss his own personal experience with Zero Trust, top cyber challenges facing federal organizations, and why embracing an “assume breach” approach to cybersecurity matters.
--------
"You wanna continue to try to do your best, but there's no such thing as perfect. And you have to be ready for the alternative, right? What happens when the art of the perfect fails you, and you have to deal with a breach? And I think that that monumental shift in approach and philosophy is something that I think that modern entities, agencies, and businesses, if they don't make that shift, they're just gonna continue to lose." - Gary Barlet
--------
Time Stamps
* (3:07) Fighting the everyday battle in cyberspace
* (7:16) How to “assume breach”
* (17:53) The US Government’s top cyber challenges
* (28:17) Breach economics
* (35:33) The future of Zero Trust
--------
Sponsor
Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company.
Learn more at illumio.com/
--------
Links
[music]
00:09 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I’m your host Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation company.
Today, I’m joined by Gary Barlet, Federal Field CTO at Illumio.
At Illumio, Gary is responsible for working with government agencies, contractors and the broader federal ecosystem, to help them meet their Zero Trust security objectives. Previously, Gary was a Federal Chief Information Officer and is also a retired Air Force Cyber Operations Officer, with 29+ years of experience in the military and in government.
Today, Gary joins us to discuss his own personal experience with Zero Trust, top cyber challenges facing federal organizations, and why embracing an “assume breach” approach to cybersecurity matters. Gary, it's an absolute pleasure to have you here today. Thank you so much for joining us.
01:13 Gary Barlet: No, thanks, Raghu. I'm very excited to be here.
01:15 Raghu Nandakumara: Not as excited as I am to have this opportunity to speak to you, Gary. So you've been in the industry for quite a while, and I'm sure you've seen a whole range of different scenarios and experiences. Can you tell us what drew you to cyber security?
01:30 Gary Barlet: Sure. So when I started my Air Force career, it was early on in the world of networks for the Air Force, and I actually spent the first half of my career not doing anything to do with networks. I really got heavily invested about the second half of my career. But you have to understand, being in the Air Force, we were a prime target for adversaries, especially nation-state adversaries, very serious adversaries. So you quickly realize critical true network security is true enterprise security, and you realize that that is not just, "Oh, do you have updated antivirus on your laptop? Do you have a firewall turned on on your laptop? Do you have a good password?" You understand the complexity involved in trying to provide actual true enterprise-level security, and I found that to be fascinating, and I found the challenge of trying to outsmart your adversaries and fighting a battle, it was an everyday battle. In the military, not everyone finds themselves in combat. Different skill sets find themselves in combat more often than not, or very seldom. In cyberspace, you're in combat every day, and that's one of the things I've most enjoyed about my time doing this, is you're in a fight and you're doing it every day.
02:46 Raghu Nandakumara: In my spare time, I geek out on infrastructure videos on YouTube. And I was seeing the scale of infrastructure that the Air Force and the Armed Forces deploy. How do you go about securing a network that is that fast and that diverse? How do you even go about designing that?
03:07 Gary Barlet: So it's got its challenges. I'm not gonna lie. It's one thing to think about doing it in small pieces. You have to try to identify where you're gonna focus your resources. That's one thing about being in cybersecurity, you never have enough resources to do everything. You've always got a to-do list that's longer than you could possibly ever hope to accomplish, and you're constantly re-prioritizing that to-do list. So the reality is, you look at things... You do your risk management, what are your highest threats, what's the impact of... If there is a compromise, what's gonna have the highest impact, and you really try to focus your efforts on protecting those things. And trying to lock down the things that you think you can lock down, and the last thing is you spend a lot of sleepless nights. You don't sleep very well most nights as a result of it.
03:52 Raghu Nandakumara: I completely agree. So in your experience, and of course, we haven't even spoken about your experience at the postal service, when did you first come across the term zero trust?
04:03 Gary Barlet: So the first time I came across the term zero trust was probably, I don't know, five years ago. Five, six years ago, maybe. It's been around for a while. But it's interesting. The first time I heard it, I was like, "Oh, here we go. It's another rebranding." You know how the IT world is? We re-brand stuff, what's old again is new again, and we just rebrand things. So when I first heard the term zero trust, I was like, "Here we go." And honestly, part of the reason why I felt that way is some of the very first things that were highlighted in zero trust, they talked about identity and knowing who's accessing what. In the military, we've been talking about that for a long time. So at first, it felt like a re-branding. And then when you really start to delve into what's really at the heart of zero trust, you really start to understand it really is a different way of looking at things in a different mindset, especially when you really get to the heart of it and talk about the mindset of assume breach and assume that you're never gonna completely win the battle of stopping a breach, but what you can do is try to minimize the impact of that breach.
05:01 Raghu Nandakumara: So actually, what you just said, that's something really interesting. I wanna delve into a bit more. So you said that you were one of those people who, when you first came across zero trust, you thought, "This is just marketing hype." And in fact, there are probably still people today that say that zero trust is just marketing hype. But then what was interesting was you said you looked into it and you realized that this was... Actually, it wasn't sort of like new clothes on the same problem, it was actually a completely different way of approaching the problem of how we secure enterprise networks and enterprise organizations. What made you see this as a different approach? What was the difference that you saw that it brought?
05:46 Gary Barlet: It was funny. So I had always had conversations just generically, my time in the Air Force, my time as a federal CIO, about the fact that you just can't always win, you're gonna lose, and had always had this idea of, "Okay, what if? What are we gonna do? How are we gonna respond if we lose?" And then like I said, as I started to really understand zero trust a little bit and think about that shift of mindset, it wasn't just a shift of mindset for me, but a shift of mindset for the people that I had working for me, the way that we approach problems. I always had this philosophy of 80% is good enough. And that comes down to any time you try to deploy something or you try to do something, that pursuit of perfection is impossible. And zero trust I think really gets to the heart of, Look, you wanna continue to try to do your best, but there's no such thing as perfect. And you have to be ready for the alternative, what happens when the art of the perfect fails you and you have to deal with the breach. And I think that that's... That monumental shift in approach in philosophy is something that I think that modern entities, agencies and businesses, if they don't make that shift, they're just gonna continue to lose.
06:57 Raghu Nandakumara: Right. And that's such a great way of framing it. Essentially, I think what you're saying is, Don't let perfect be the enemy of good, and take that forward-looking approach, because you also mentioned this term, assume breach. For the listeners, what do you mean by assume breach?
07:16 Gary Barlet: So if you look at... There's been all sorts of reports released recently that... The popular topic today is ransomware. And there's been recent studies released that say something like 76% of organizations have been impacted by some sort of ransomware attack. Well, if our defenses were so great, then why is ransomware even a conversation? Why are we even talking about ransomware? But here's the reality, you look at the antivirus market, for decades, the antivirus market has said, "If you just buy our product, we will stop viruses dead in their tracks." Never happens. Constantly getting infected, constantly dealing with that kind of stuff and all sorts of different types of malware. So here's the reality, it's just an ongoing battle that's impossible to stop and win 100% of the time. So the question is, we were able to make... A lot of people were able to make the shift of, "Okay, look, I know I've got updated antivirus, but I need backups. I need to back up my information 'cause if this stuff gets infected, how do I recover from an infection? Oh, I'll restore from backup."
08:17 Gary Barlet: But what do we do about breaches? And that's where I think a lot of agencies are still lagging, is understanding, it's gonna happen. At some point, it's gonna happen. There is a... So, following that mindset, you just have to assume that at some point, something's gonna happen. We're all human. Networks are run by humans. I think that people lose sight of the fact that networks are run by humans. Humans make mistakes, and those mistakes are gonna be capitalized on, and you have to be prepared to deal with what happens when those mistakes are capitalized on.
08:46 Raghu Nandakumara: So I think what you're saying is that it's absolutely okay to take that approach of the assumption that something unexpected is gonna happen. Is that a good way of stating it?
08:58 Gary Barlet: Absolutely. And I will tell you, that is a hard thing, especially for people that have grown up in traditional IT, to make that shift, because basically what you're saying is, "I'm telling you right upfront, at some point, I'm gonna fail. I'm going to fail. I'm gonna fail on the job you've given me, which is to defend the enterprise that you've entrusted me with." At some point, I'm going to fail. And now the question is, What am I gonna do about it when I fail? A lot of people don't want to admit that they're gonna fail. And it's... Again, it's gonna happen. So you might as well accept the fact that it's gonna happen and then have your contingency plans in place of What am I gonna do about it when, not if, when it happens?
09:35 Raghu Nandakumara: And I think that's right. It's like essentially assume the unexpected. And then if you stop with that, then, essentially, what would you do to ensure that that unexpected event has the least negative impact possible.
09:47 Gary Barlet: And that's the key. So some people think about the fact that, Okay, something bad happened, that's the failure. In my mind, it's always been, Something bad has happened? What was the impact? What did it do to my operations? How widespread was the impact? How much did my customers feel? Because quite honestly, if the customers don't feel something and it's just something on the back-end that you're dealing with but the customers don't feel it, that's a win. If the customers don't notice the impact, that's one of the biggest wins you can have, right?
10:16 Raghu Nandakumara: Yeah, absolutely, absolutely. And so let's go from there. So we've understood how you got bought into that concept of zero trust. So can you now tell us a bit about how you then actually put that into practice, maybe some of the projects that you helped pilot and spearhead where you took this approach in the public sector?
10:35 Gary Barlet: I was involved with deploying CAC cards in the military. And the CAC card is the physical card that you have to put in. It was the widespread implementation of two-factor authentication in the military. And that's having that secure identity, so every one of us had a card, had a certificate on it, it was tied to us as an individual, to lock down and try to zero in on that identity piece of it. And then we capitalized on those identity pieces throughout systems throughout the entire military of, Okay, now that we know that this is supposed to be Gary because it's the physical card that's in his hand, he has entered the PIN that only he knows, now we have a certificate-based authentication that we can, with some level of assurance, say, "This is Gary." Now we can use that for accessing systems across the military.
11:23 Gary Barlet: So that was... In today's world, that's seen as zero trust. Again, it really wasn't called zero trust when we were doing those things, but that kind of approach, I think, is critical when you're thinking about these things. And then projects of migrating to the cloud and trying to adopt the security mechanisms that the cloud can bring to you. And especially when we started getting into things like doing the assessments of where people are logging in from, looking at Comply-to-Connect on laptops. I was involved in a project of deploying Comply-to-Connect, where we looked very hard at what was the state of the device that someone was trying to use to access the enterprise, and then what did we do based on the state of that endpoint. So there's just a couple of examples of projects that... Again, were they necessarily called zero trust at the time? Sometimes yes, sometimes no, depending on the timing of the project, but from a perspective of trying to implement some of the main tenets of zero trust, we attempted...
12:24 Gary Barlet: I will tell you, we attempted... I was with Niche. We attempted a very large implementation of 802.1X and dynamic VLANs to try to do segmentation. And I will tell you, it was not very successful. Sometimes you try something and it just doesn't work. That was one of those projects that was not a successful implementation of trying to do a zero trust implementation for me.
12:48 Raghu Nandakumara: Yeah, that's a really interesting thing because I think sometimes the challenge, particularly with something like segmentation, it's not that segmentation, and whatever you wanna prefix that with, network segmentation, macro, micro, etcetera... That's been something that we as network security professionals have been wanting to do since, I'm gonna say, time immemorial. But just the technology to allow us to do that at the scale of today's enterprise networks has only just essentially become available and truly usable, which is why we still see lots and lots of flat networks, it's because organizations are still catching up. Is that, essentially, the challenge you run into?
13:32 Gary Barlet: Absolutely. I mean, just when you're trying to do something like a segmentation project at scale, you run into a couple of main obstacles, number one is just your volume. If you're really gonna do it properly, you gotta really implement it with every major device that's on your enterprise. And if you've got a large enterprise, that's thousands and thousands and thousands of IP addresses that you're trying to keep track of. And then just the sheer dynamics of an enterprise, especially if you've gotten into the world of virtual machines and rapidly spinning things up in the cloud and multi-cloud environments, just that complexity that gets involved. So now you magnify your problem of, you're not just trying to keep track of all these instances of things, all these different IPs, but they're in all these different locations.
14:20 Gary Barlet: And how are you supposed to keep track of all that stuff? And then throw on top of that, you've got... Most places have a very limited IT staff for all the work that they've gotta do, just their day-to-day job of trying to keep things running, and then you try to apply something like this on top of them and go, "Hey, I'm gonna pick you. It's your job to make sure any time something new joins the enterprise, you've gotta figure out all the hundreds of places you gotta go update so that that thing connects in the way it's supposed to connect, but doesn't cross boundaries it's not supposed to cross." That's an impossible challenge to give someone.
14:53 Raghu Nandakumara: Yeah, completely. Which is why you then... I think what the fallback is, it's like, "Well, what compensating controls do I have? Or more often than not, am I okay just to accept this risk and move forward?" And that often is what we land on, is that we just add it to the risk register and say, "Yeah, I know about that."
15:15 Gary Barlet: And that's a funny thing. That's what usually ends up happening, is you get people that go, "Okay, what is it gonna take for me to try to mitigate this risk? Oh, well, if I triple the size of my IT staff and I triple my IT budget, then maybe I might be able to mitigate it to some extent." And the decision makers are like, "Yeah, where do I sign? Because I can't... " That's an impossible investment for you to make. "Where do I sign? What's gonna be the impact if I don't do this?" And they... People hem and haw a little bit, and then whoever's responsible says, "I'm gonna sign off on this because there is no way, Mr. CIO, I'm gonna triple your staff and triple your budget to do this thing that I, honestly, am struggling to understand anyway, because what I expect you to do is keep my enterprise encircled with this nice layer of defense, and anything inside should be safe. So why am I stroking this cheque for you?"
16:04 Raghu Nandakumara: So do you think that we are now at a place, whether this is in the fed space or in general enterprise, where we've gone too much towards risk acceptance and the importance of risk mitigation has kind of been put to the side?
16:23 Gary Barlet: Yeah, actually, that's an interesting question because I think the answer is yes. I think that we have gotten to a point where... It used to be the opposite problem. We didn't wanna assume any risk. We wanted to mitigate everything. And then as that got beat into people's heads that that's a ridiculous approach, that's an impossible goal to achieve, people started loosening the throttles a little bit, loosening the shackles a little bit, and found themselves, I think, to the point where now there's almost no controls in place. And people are saying, "Hey, as long as it's about getting the job done, yeah, we don't care if you let personal devices into the enterprise, because it's all about keeping the... " You hear a lot about, "Well, how do we attract younger talent?" And younger talent is not used to being constrained. So we gotta do things to make sure that we're not constraining the talent that we're trying to hire. So now all of a sudden, you've gone to, "I'm just gonna accept all the risk and kinda cross my fingers and close my eyes and really hope nothing bad happens."
17:18 Raghu Nandakumara: Yeah, yeah, exactly. And when something bad does happen, what I hope is that they don't go and look at the risk register and say, "Did we really accept this risk?" And why and who, and etcetera. Let's come back to sort of the federal government and security challenges that they face and why they're adopting zero trust. So we've always seen this... This is a big push in the US federal space. Firstly, what are the challenges, what are the security challenges the federal government faces today? And why do they need to adopt zero trust?
17:53 Gary Barlet: Sure. So some of the challenges that they face, number one, and this... A lot of this is similar to what you're gonna hear... What you would hear if you asked the same question about the private sector. But in the federal space, money, people, and then flexibility to get things done. So you start with the fact that they're constantly dealing with the federal budgeting cycle, how much money are they being allocated. And oh, by the way, people don't realize how far in advance you're working your budget from a federal perspective. It's not a matter of, "Hey, it's July and the next budget year starts October 1st. Here's how much money I want." Huh, you've made those decisions years ago about how much money you need for a given fiscal year. So you're trying to forecast into the future from a budgetary perspective, and they don't... The federal budget system isn't designed to say, "Oh, well, feel free to ask for a couple of million dollars that you can't explain what you're gonna spend it on. Feel free to just ask for surplus cash just in case something comes up in the future." So that's a...
18:52 Gary Barlet: That whole cycle is a challenge for the federal government, and then just getting the right resources when you look at the landscape globally, the shortage of IT staff and the shortage of IT expertise, and especially when you start getting to security, that's a smaller piece of the IT problem... How does the federal government compete for those resources if you're a young whiz at IT security, and you look and go, "Where am I gonna go work?"
19:19 Gary Barlet: Do I wanna go work at the federal government, where I'm gonna be a GS whatever, and it's usually a lower GS rank rating, making $40-50,000 a year? Or do I wanna go work at some company somewhere making $140-150,000 a year? And the federal government has gotta figure out a way to try to attract that person to come work in the government and not go work for one of the 10,000 openings in their home state. That's not even worrying about telework and anywhere in the world. But that is a huge challenge for the federal government, and then kind of the mindset, right. Trying to hold people accountable. Right, so when you need to make shifts, and you need to make changes in the federal government, trying to hold people accountable to make those changes can be a challenge in the government.
20:09 Gary Barlet: It's very hard to fire people. And so if somebody's not doing a good job, you spend a lot of time trying to kinda bring them along before you can get rid of them, and while that process is going on, they're filling a seat, supposed to be fulfilling a responsibility. And if that happens to be one of the key positions to protect your enterprise and the person is not cutting it, it can take a long time to get rid of that person, and now you're back to the challenge of how do you backfill that seat again?
20:35 Raghu Nandakumara: Yeah, so that then brings me to a question. So obviously there's been a huge push. There's President Biden's executive order last year that sort of really accelerated adoption of a zero trust security approach amongst federal agencies. So you kind of talked about essentially a large people problem that the federal agencies face. Given that, do you think the adoption of zero trust and actually following through with this EO is gonna be realistic?
21:06 Gary Barlet: I think, I hope it'll eventually be realistic. It's not gonna be realized in a short period of time. So when the executive order came out, here we go, right, here comes another mandate from on high telling all these federal agencies it's something they gotta go do, and there's no money that comes with it to go do it. IPv6 is a perfect example. I lost track of how long ago the federal government was supposed to be migrated to IPv6. Most agencies... Don't even know how to spell IPv6, much less have they implemented IPv6, and that was a federal mandate ages ago.
21:40 Gary Barlet: Now, I think where zero trust has a better chance of success is... I think there's a much more recognized need for implementing the principles of zero trust than there is for... Again, something like IPv6. So I think some of the founding tenets and the core tenets of zero trust, I think, resonate with people, and they understand, going back to that, "Hey, you know, I realized that we have probably accepted a little bit too much risk and we've gotta figure out a way to kind of minimize that risk structure that we've got in place here," and I think zero trust brings some of that to the forefront for agencies.
22:14 Raghu Nandakumara: I think just to the IPv6 comment, I think anyone who's worked in networking or network security over the last 20 years, everyone has their own little funny IPv6 story. In my case, it was at a former employer. I think there was this thing called World IPv6 Day, probably about a decade ago, and we were all participating in it and... What did we have to do for that day? Just that, for that one day. For that one moment, show that our external-facing website could be accessed by IPv6, just for that one moment. And after that, everyone's back on IPv4. Okay, so you say that zero trust, because of the importance of it to just the sort of the resiliency and the cybersecurity of federal agencies at large and the criticality of it, this is one that is gonna get the traction, it's not gonna be another sort of IPv6. Is that right?
23:11 Raghu Nandakumara: When I look at the mandate, on one side, as a zero trust practitioner, I'm excited about it, it's about finally we've got a government agency, and that the US Government, mandating this... And this can only be good for both the public sector in other countries globally, but also then trickling into the private sector. But on the other side, I kinda look at the timeline that has been laid out, and a part of me thinks that it's not aggressive enough, we're getting to the real risk reduction pieces far too far down the line, and why can't we go deeper, broader and sooner? Am I just being kind of too greedy here, and this is a good thing, and we should get on the train and let that timeline map itself out?
23:54 Gary Barlet: So I think that I would love to wave a magic wand and have it done much faster. Having spent so much time in government, I will tell you the timelines that have been laid out are fairly aggressive for the government, and it is right, and again, I go back to, again, the whole budgeting conversation, right, and the fact that you're budgeting multiple years in advance, the procurement process. And keep in mind, and this is one thing that I think some people lose sight of, federal agencies operate under the laws that have been passed by Congress, so the restrictions that they have, people ask, why does it take the government so long to buy something? Well, I'll tell you why, because there are so many rules in place to ensure fair competition, to ensure that you try to avoid single sourcing and getting vendor lock-in, so there's all these different things there.
24:41 Gary Barlet: And they all are very justifiable checks and balances to have put in place, but the ramifications of some of those checks and balances make it very difficult for agencies to do procurement and can really drag out timelines. So it's not a matter of "hey, let's just whip out your credit card and go buy something today and pick whoever you want," that doesn't work in the federal government. Private entities can, for the most part, go buy what they want from whomever they want, whenever they want. The federal government and the DOD, they don't have that kind of luxury, so that in and of itself automatically adds a huge amount of time to a timeline to try to implement something, just because of the sheer amount of rules that have to be followed and the checks and balances, and dealing with, you know, people protesting, right? You do a major award, you get one protest, you may have just increased your procurement timeline by 50 or 100%.
25:33 Raghu Nandakumara: Okay, right. So then, how do you think federal agencies are gonna be held accountable such that they are tracking against this plan and delivering against... And I understand, right, that these are government agencies, things take their own time, but like how is that gonna... How is the accountability gonna be enforced?
25:57 Gary Barlet: So the accountability piece is the piece that I worry about the most, because if history is any judge or anything to measure by, accountability is always one of the things that doesn't seem to take effect when these kinds of things come down the pipe. You can see in a different setting, in a private company, if you told somebody, "Raghu, I've given you a deadline, I expect you to meet that deadline," and if you don't meet that deadline, there's a pretty good chance we're gonna go, "Thanks for your service. You can leave now, and I'm gonna try to bring somebody in there, and the next time I give them a deadline, we'll meet that deadline." In the government, most people don't get fired because they didn't meet a deadline, they didn't meet a mandate, they don't... That's not why they get fired, and it's unfortunate that sometimes some of these... And I'm not saying zero trust is one of these, but sometimes mandates come down and it's really just about checking a box, so that somebody can say, "Hey, we did something," and then there's, "Hey, what's the next thing?"
26:52 Gary Barlet: "What's the next shiny object we're gonna go chase?" and nobody ever bothers to look backwards. That's, of all the things that affect zero trust, it's that accountability, because really it's gonna be up to the agencies to hold themselves accountable, and probably the closest thing to accountability will be, most federal agencies have an Office of Inspector General. This is something close to my heart, since that's where I come from. They'll go in and they write audits and say, "Hey, federal agency, you were supposed to do X by this time, we're gonna write you up, you haven't done that." Right, and then that'll... That'll get published, that could get noticed by Congress. Congress may ask the head of the federal agency, "Hey, I've got a report in my hand that says zero trust... We, the Congress, the President told you to do something by a certain timeline, you didn't do it. What are you gonna do about it?" And their answer may be, "We're sorry, we're gonna go do it today," or... Yeah, we'll see what the write-up looks like two years from now when we get re-looked at again.
27:45 Raghu Nandakumara: Yeah, well, who doesn't love an audit or being on C-SPAN. I think there's lots that other governments globally can learn from the US's sort of approach to adopting zero trust, but moving away from the public sector, what do you think the lessons are for the private sector? And we don't need to take it as the private sector at large, but maybe specific verticals within the private sector. What can they learn from the sort of the approach that the federal government is taking?
28:17 Gary Barlet: I think that, again, we talked about some of the inefficiencies of the parts the federal government has taken, however, that high-level, widespread focus, so within verticals, when you look at whether it's in the banking vertical, whether it's in the medical vertical, trying to take something to make it become the de facto standard, and, "Hey, if you're not doing this, you're seriously lagging," and in the private sector, right... You've got competition. So I can see if competition starts going, "Hey, well, we do this and they don't... My competitors don't do this, but I'm doing this, I've adopted zero trust, I've adopted these security practices, I'm protecting your information, but my competitors aren't protecting your information." Right, I think that adoption of a standard happens faster in the private sector because of the fact that you're competing for dollars, anything you can use as a differentiator is key, so I can imagine a private sector company going, "Hey, the president thought something was so important that he issued this mandate to the government"...
29:18 Gary Barlet: We're already doing that, right? Look how good we are, right. So within different verticals, I could easily see some of these things become kind of de facto standards. It's no different than when they start trying to compete with each other on, "Hey, what benefits do we offer? What capabilities do we offer?" I think that that's critical, and if you can get that security mindset to say, "Hey, this is another one of those things that we should be comparing ourselves against each other on," that can become that thing that I can point to and say, "I do this, you don't..." So I would encourage, right, in the private sector, think about some of these things and go, "How can I use it to my advantage?" But you better be doing it, 'cause the last thing you wanna do is pretend like you're doing it and then, you know, have something happen and have to explain to your customer base why you weren't doing it.
30:00 Raghu Nandakumara: So essentially almost using zero trust for security as a differentiator, and as a competitive sort of differentiator between you and your competition... Right?
30:08 Gary Barlet: Absolutely. It's... Because you look, right, when a private company, and I think you're gonna start slowly, you're seeing this change, when a private company gets breached or what happens... It's a big splash in the news. Then they go, okay, usually the answer is, "Oh, we're gonna pay for free credit monitoring for you for a year." In the worst case scenario, maybe somebody files a class action lawsuit and you get the letter in the mail and then you end up getting a buck fifty as part of the settlement. But I think that you're starting to see companies that are trying to really take hits now when these things happen, right, because if something, as a customer, you start feeling like, "I can't trust company X with my credit card information."
30:46 Gary Barlet: What are you gonna do? You're gonna stop shopping there, and I think that as the populace becomes more and more savvy about this stuff, and I think there's... We're reaching this tipping point where people are tired of hearing, "Oh, it happened again. And it just happens," right? I really think the public is getting tired of that and they're gonna start holding people accountable, and it may just be with their feet and their checkbooks, they're gonna take their dollars somewhere else because they're tired of hearing about, "Oh, here we go again, my stuff got compromised again."
31:13 Raghu Nandakumara: And that's a really interesting point, right? And there, because I think that the general public now has a much better basic understanding of security breaches, they have a much better basic understanding of a ransomware attack, so it's not that organizations can kind of just sort of brush it under the carpet and forget about it, it's... When it happens, people have very much like a... "Oh my God, not yet again," I might say that type of reaction now...
31:44 Gary Barlet: Absolutely, I know things have changed. When I get a phone call from my 70-plus-year-old mother who says, "Hey, this happened at this company, I'm pretty upset about this," and my response is, "Take your money somewhere else," and she says, "It's probably a good idea." When you're to the point where customers are asking those types of questions, I really think that we have crossed a threshold of... And I don't know that we'll go back, and I think people are really just starting to get tired of this, and companies are having to start taking this more and more seriously, because some of these breaches, they've gone past being embarrassing breaches, they're starting to become really financially impacting breaches because customers are starting to lose confidence in companies.
32:29 Raghu Nandakumara: Absolutely, but also I think the concerning thing is that when you unpack the details of what caused those breaches, the root causes are typically always the same. It's kind of like we are often not learning, and I think that's the frustration.
32:48 Gary Barlet: Yeah, that is definitely the frustration, and I can think of the last time there was something that... Again, I'll go back to my mother, we were talking about something that had happened with a company that she was doing business with, and she had enough understanding of the problem to say to me, "My understanding was somebody had a weak administrator password. How dumb is that?" And that was coming from my mother. If it's got to the level of my mother, who is the most un-IT-savvy person you wanna meet... Can say something like that and ask a question like that, something has shifted in the environment.
33:24 Raghu Nandakumara: It looks like she should be given a job in cybersecurity... Right, she'd have the skills, she'd have the awareness for it. So just coming back to sort of zero trust adoption very quickly, do you see a difference in approach between how the private sector is gonna adopt zero trust and how the public sector is gonna adopt zero trust?
33:43 Gary Barlet: So first of all, I think that the private sector is already much further down the path of zero trust than the public sector is... You can just see that with different entities and some of the things that they've deployed and implemented that the government is just now starting to talk about, so I think they're already further down... And I think that they've got a couple of different things. So we talked about this competition thing, right, so take any vertical you want, and there's multiple companies in that vertical, that if I as a customer feel like you're not doing something safely, I will go somewhere else. But now, let's compare that to the public sector.
34:15 Gary Barlet: There's only one Social Security Administration, there's only one IRS, there's only one VA. I can't take my money and go somewhere else because the services I'm being provided... There is only one of those. Right, so there's not as much of a driving incentive in the public sector as there is in the private sector, because the customer base is stuck, there's no competition in government, there's nowhere else to go, so they don't necessarily have the same things hanging over their head on the government side as they do in the private sector, because in the government sector, you know your customer base isn't going anywhere, whereas in the private sector, you have to be flexible and you have to be adaptive because you don't wanna lose your customers and your revenue base, and you can't afford to lose customers.
34:58 Gary Barlet: So that's why I think that's one of the other reasons why I think things take a little bit longer in the public sector, in the government, is because of that, the fact that there is no competition, there's nowhere else for your customers to go...
35:09 Raghu Nandakumara: Yeah. Awesome, no, that's such a great observation, sort of the driving factor behind why the private sector is going to take this probably... It's not about taking it more seriously, but it's actually gonna do... Gonna be more aggressive and do something about it. So kind of just to sort of wrap up on this point, what does the future of zero trust look like from your perspective?
35:33 Gary Barlet: So I think that the future of zero trust is gonna be about, again, going back to this whole assume breach, I think trying to get things down to the smallest piece possible. You talk about securing data at the data element level, you're talking about securing applications at the application level, and at the individual piece, we get into micro-segmentation of the individual pieces of an application, trying to draw that ring of defense as small and as close to the source as possible, as opposed to the traditional, "Let's just draw big circles and try to prevent anybody from getting through the big circle," right. And doing it in such a way that it's layered, so that it really makes it difficult for adversaries to get in. And then the last piece is, I think, as artificial intelligence and machine learning and those types of things really start to get themselves more ingrained in the security world, and having those things be adaptive and not have to have as much involvement, human interaction. I think that that's gonna be critical in really trying to isolate things at a much faster pace than they're able to be isolated now, and also just deployed...
36:36 Gary Barlet: Right? Just the setup in the beginning, right? Just looking at how do we deploy these tools in the first place. If you gotta rely on people to do all that work, then by definition it's gonna take a while, going back to the limit of resources, but as more and more things become automated, more and more things become with machine learning and artificial intelligence, not just with the implementation, but the deployment of the capability right up front. I really have a lot of high confidence that security's got... Nowhere to go but up, right? It's always an uphill battle, so it's got nowhere to go but up, and I think that there's a lot of room for growth and improvement when it comes to the deployment of zero trust, and I think as technology adapts, it's just gonna allow security to adapt faster.
37:18 Raghu Nandakumara: So I think what you're saying here is that you're optimistic, you're one of those people who believe that, going forward, zero trust, and particularly if I think back to the original formulation of it and those rings that are around sort of continuous monitoring and automation orchestration, start looking forward, we will end up with zero trust architecture, zero trust ecosystems where you do have that sort of secure by design, a continuous feedback loop where data is coming in from your sensors, that your policy engine, etcetera, is processing to then adapt that security policy to maintain that least privilege state, and that is something that you see as being realistic in the future... Right?
38:05 Gary Barlet: Absolutely. Yeah, no, I think it's well within... And you're already seeing a little bit of that, right? You see it, you see some of that, it is already in play today, I just think that's gonna become more the norm. The security is gonna be rapidly adaptive, we're gonna get out of the world of waiting for, "Hey, what's the latest signature update, what's the latest update that's coming in," we're gonna get better and better at handling zero-day exploits and taking care of unique situations with our users, I really believe that technology is gonna lead us there.
38:37 Raghu Nandakumara: So just moving off of zero trust for a brief few minutes outside zero trust, what else do you love about cyber security? What are the trends that you follow...
38:47 Gary Barlet: There's a couple of different things, right? Number one is, I just love the ongoing, constant, never-ending challenge. I just love the fact that, some people would hate it, the fact that there's no finish line, there's no end. On the opposite, I love the fact that it's constantly challenging. I love the fact that it's gonna continuously give you something to do, right, every morning you wake up, you've got something to focus on, and you know that there's a new challenge right around the corner. So I love to play chess. Chess is about strategies. Chess is about trying to out-think your opponent, trying to look multiple moves ahead, and that's where IT security should be if it isn't for someone, is the fact that it needs to be about anticipation, it needs to be about thinking ahead. And I'm really excited to see... I'm worried and excited at the same time to see what advances and things like, when you just look throughout the increases in capabilities of artificial intelligence, and then you start... More and more people are talking about quantum computing. Quantum computing could potentially be the greatest boon to IT security ever, or it could also be the greatest threat to IT security ever.
39:53 Gary Barlet: And I think that uncertainty, it's kind of fun, to be honest with you... I'm a weirdo when it comes to that.
40:00 Raghu Nandakumara: Kind of two... It's always good to take for the CSOs and the CIOs, so kind of listening avidly to this, they all wanna hear what is your one nugget of wisdom. So for them, top of mind is cyber resilience these days. If you could give one bit of advice to your fellow CIOs and CSOs on how to build and optimize cyber resilience, what would that be?
40:28 Gary Barlet: Yeah, so I would say that, looping back to something you talked about earlier, if you are not assuming breach, you must be assuming breach. If you are still in the camp of, "I'm gonna stop the breach," your camp is getting smaller and is outdated... You must be in the camp of assume breach, and then you need to be looking internally at your enterprises and asking yourself, how do I mitigate the impact of that breach, how do I try to do the best I can to keep services running for my customers, and not be the person that says, "I'm gonna hit the big red button and take the entire network offline." That was one thing I used to fight against some of my less advanced folks that worked for me when I was a CIO in the beginning, when they'd say, "Oh, we need to take everything offline." No, we're not taking everything offline. We can't do that, we're in the business of providing service, right. So then with that approach, you have to implement things internally in your network, and obviously, I'm a big believer in segmentation and micro-segmentation, that you have to have things in turn on your network that allow you to isolate the impact right down to the smallest footprint possible.
41:31 Gary Barlet: So that the rest of your enterprise can continue to function and you don't have to shut everything down just because of a malware, ransomware, something may take a small foothold, but you wanna stop it as close to the source of origination as possible and as quickly as possible, so you can continue operations and then just focus on a very small problem and not have to focus on a larger problem because you allowed it to spread out of control.
41:57 Raghu Nandakumara: Yeah, I think... So I love how you phrase that, right, 'cause I think the key message to security professionals is, ladies and gentlemen, there are three letters in the AIC triad, and the A stands for Availability, and it's just as important as integrity and confidentiality. Well, Gary, it's been an absolute pleasure, thank you so much for joining us on the podcast today.
42:33 Gary Barlet: Appreciate it, thank you, and I really enjoyed the conversation.