In this episode, host Raghu Nandakumara and Gerald Caron, Former Chief Information Officer for the Office of the Inspector General at the Department of Health and Human Services, unpack how to manage operational risk, the role of data mapping in any successful Zero Trust strategy, and demonstrating ROI.
--------
“Because when you're managing risk, it's not just an IT thing. It's also a mission thing as well. What are the political aspects of the risk and the decisions that you're making? That informs the IT risk as well. But I think it has to be well understood that this is, going back to the ROI, this is why this is a good investment. This is gonna help mitigate this risk… [Zero Trust] is a cultural thing for an organization and it needs to be communicated.” - Gerald Caron
--------
Time Stamps
* (5:00) Understanding your operational risk posture as a CIO
* (9:52) What peanut butter, the cinema and Zero Trust have in common
* (14:10) Demystifying Zero Trust: Driving the adoption of ZT at the OIG
* (18:40) Measuring progress and effectiveness
* (25:53) Aligning Zero Trust with your company’s business strategy
--------
Sponsor
Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company.
Learn more at illumio.com/
--------
Links
Connect with Gerald on LinkedIn
00:05 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, head of Industry Solutions at Illumio, a Zero Trust segmentation company. Today, I'm joined by Gerry Caron, Chief Information Officer and Assistant Inspector General at the US Department of Health and Human Services. With over 24 years of information technology experience, Gerry began his career in the US Army working in hands-on technical positions. He joined the federal government at the Department of State in 2003 as a systems administrator and has held five different positions at the department over the past two decades. Today, Gerry is joining us to discuss Zero Trust challenges and momentum at the federal level. We'll unpack how to manage operational risk, the role of data mapping in any successful Zero Trust strategy, and demonstrating ROI on your Zero Trust investments. So Gerry, how did you end up being the Chief Information Officer at the Office of the Inspector General at the Department of Health and Human Services?
01:12 Gerald Caron: I lost a bet. No, my journey is kind of unique. I'm from Northern Maine, up in the woods, and joined the Army. After seven years in the Army, I got stationed at the Pentagon, and I decided at the time IT was a big thing, and what better place to be than in Washington, DC? I ended up becoming a contractor back in 2001 at the Department of State answering telephones on a help desk. From there, I worked my way up through hard work into some management positions, and then I became a member of the Senior Executive Service in my last job, for enterprise network management at the Department of State, where basically I was responsible for all the infrastructure: Active Directory, the network overseas, domestically, perimeter security, a lot of things. And I applied to this job here as the CIO for the Office of Inspector General here at HHS, to try to do something different. And so I've been here for a year and a half at this point, and it's been very interesting.
02:10 Gerald Caron: My time at State, I was involved in some events and took on a role of the remediation and infection lead in some of those events, and that led me to be an evangelist many years ago before executive orders and memos came out about it on Zero Trust. So I've been also chairing a few working groups around that area of one I tri-chair with other CIOs and somebody from the National Institute for Science and Technology, up at NIST. And I do a non-profit as well, big believer in Zero Trust and cyber security as well.
02:48 Raghu Nandakumara: And that's exactly why we're so excited to have you here today. So just before we come on to Zero Trust specifically: you were at State, 110,000 users that you're managing, and now you're at HHS, which is about 2,000 users, so it's almost, if I do my maths correctly, about 2% of what you were doing at State from a user-base perspective. What are the unique security challenges of both of those environments?
03:18 Gerald Caron: Yeah, no, that's a good question. So at State, I ran central infrastructure and things like that, but all the different bureaus, and it's kind of here the same at HHS, there's, I don't wanna say autonomy necessarily, but they have their own unique missions. They have their own IT needs. So while I provided central resources, as far as networking and things like that, I had to accommodate. And in a big federated organization like that, it's hard to get things moving sometimes. Here at the IG, the difference is we do wholly own and run our own network and systems and things like that. We are looking at things as a service, like we're taking advantage of SOC-as-a-Service, because I'm limited in my IT resources, but we're able to be more flexible and agile as a result because I own the responsibility for everything and it's pretty much centralized. Whereas a big organization, sometimes it's hard to get things moving while trying to accommodate all those specific missions. Where here is, we're pretty much centralized, but we're still able to be a good example for scalability in the art of the possible through our implementations and be able to share that with a larger agency or others as well, because we're able to move a little more flexible and agilely. Agilely, is that a word?
04:43 Raghu Nandakumara: It's alright, it's alright. We'll add it to the Oxford English Dictionary next year. No problem. But you talk about State as being very... Because it's a large behemoth of an organization, as you said, a lot of the infrastructure, or running it, is federated, so how do you ensure consistency of security posture across all of those sort of federated sub-agencies, if that's the right term, or sub-units? Like how is that sort of managed, monitored, governed?
05:15 Gerald Caron: Yeah, one of the things we did, and we actually ran this little tool out of my shop called iPost. So you have a lot of tools, right? Every organization has a lot of tools, but what happens is you'll look at them all in silos and then you say, okay, how am I doing at patching? Alright, what we did and what we're doing here, and it's gonna lead... It's one of our, what do I call, one of our foundational projects that we're gonna be doing here, is integrate that data. So when you're decentralized and people downstream are responsible for the IT security, we kind of brought all that information together, made those relationships between, alright, here's the Active Directory computer object. Alright, here's all the patch data for that, here is all the vulnerability, here's all the scan data, here's the software and the versions, and operating system, is that on the approved list, which is over here? And we built this dashboard for it... So basically...
06:11 Gerald Caron: And we made these groups, could be an office or an embassy or some location or a logical group of people for a system, and we brought all that together and we put this methodology over it, and had this what we call an operational risk corps. You didn't need to know how to use the tools, we didn't have to train people on how to use these tools, we didn't have to give access to these tools, we brought all that data together, presented it in an easy to use fashion and told them, "Alright, come in the morning, you'll look at your site and say, 'Oh, hey, my patch score is way up and it's given me... It's dropped me down to a D this morning when I was a B yesterday. What is it I need to pay attention to? Oh, okay, here's exactly... I need to do this patch on these systems.'"
06:57 Gerald Caron: So we presented that information to them in that way. Now, we're gonna do the same thing here because again, I don't... As a CIO, I need to be able to know what my operational risk posture is, how are we doing overall? So we're bringing those, we're gonna be integrating those data sources that we can leverage, find out where our gaps are, put this scoring methodology over that, and then have this and then create this dashboard to say, "Alright, how are we doing? How are we doing operationally with managing our risk from patching to vulnerabilities to configurations and all that end-of-life equipment and all of that?" So we'll bring in that concept, we're gonna start doing that. Now, why I say that's a foundational project for Zero Trust, think about it. We need to do that more real-time later, so we're gonna need all that telemetry from all those tools to make those decisions in a more real-time. Now, different tools come in different waves, so to speak, like one may be every eight hours, one may be every five minutes, it depends.
07:55 Gerald Caron: So minimally, if Raghu is coming into my network and trying to access this data source, alright, what do I know about him? Alright, he authenticated this way, he's on a managed computer, which I know about, coming in on the VPN, the network that I'm managing 'cause he's in the office. Okay, I have enough information to say it's pretty safe to let him through the front door. He can start his work while... Alright, let me check these secondary things and make decisions off that. So I'm doing a constant check, I'm not just giving you access into the door, but I'm doing a constant real-time check as much as possible and the tools can accommodate. And making decisions based on what my risk thresholds are.
08:39 Raghu Nandakumara: By the way, do you know this is a Zero Trust Podcast? I'm not sure if you're aware.
08:42 Gerald Caron: Oh is it?
08:44 Raghu Nandakumara: You kind of just naturally went to Zero Trust, as like... I think that collation of data that you talked about and providing that consistent view is such an important part of bringing everyone along in that security journey and enacting that culture shift.
09:00 Gerald Caron: And I think going back to your original question about the differences in a decentralized, even in a centralized, I wanna see the pockets, the logical pockets of groups of things. I may have contractors responsible for the system, and I can say how are they doing, based on the contract, 'cause we gotta hold them accountable, so there's a ways to do that too, in the way you group things, coming up with that grouping, I think, and bringing that telemetry together to make those decisions and then... Yeah, just naturally, it falls into... It's a great foundational thing for... As we advance towards Zero Trust, 'cause you're gonna need all that information to make those decisions.
09:35 Raghu Nandakumara: 100% because it's like that complete visibility end to-end is like the foundation on which all of your security decisions are then made, so almost without advertising it as a Zero Trust program, just having that in place is such a great place to start. You have some great analogies for Zero Trust that involve peanut butter, which I love and the cinema, which I kind of like the cinema if it means I've got a bucket of popcorn in front of me. So let's hear your two, your peanut butter and cinema Zero Trust analogies.
10:10 Gerald Caron: Yeah, we historically have done the... Everybody says castle moat, I like to say the Tootsie Roll Pop method of cyber security, hard outer shell and a soft gooey center. And I think the other thing is, we also... It doesn't matter if it's the crown jewels of the baloney sandwich which we always have tried to do that peanut butter spread approach, make sure the peanut butters was spread evenly. The fact of the matter is, if I lose my baloney sandwich, there's plenty of baloney and bread in the world, I'll probably make another one. Am I concerned? Yeah, 'cause it's frustrating, I gotta go make a new one, but my crown jewels, if those are lost, that's it, there's no getting them back, kind of thing.
10:48 Gerald Caron: So thinking about that being data is what's most important and what do we need to concentrate on? So if my baloney sandwich gets stolen, alright, are my crown jewels still protected? I prevented lateral movement. That's what I wanna do. I don't want them to elevate themselves to the crown jewels. Yeah, my baloney sandwich got stolen, I'm concerned. So the analogy about the movie theater is you go to the multiplex movie theater, you buy a ticket online, however, and where...
11:18 Gerald Caron: The example I have in the movie theater I used to go to, I don't go there anymore, 'cause I found a new cool one, but they scanned your ticket in the lobby. So you walk in the front door, they scan your ticket in the lobby, now I'm allowed in the movie theater. I have access to the concessions to get my popcorn, the rest rooms, the general things if you're allowed in the front door of the movie theater to go to, but I was also able to walk into any movie theater. Why? Because nobody was checking my ticket at the doors, there's 20 theaters, there's not 20 people at the doors.
11:48 Gerald Caron: So basically, being a good ethical person, I go to my movie, but of course, you could be there all day and movie hop all you wanted and then sitting in your seat, 'cause there's no ushers checking and everything. So probably if the camera broke down, you'd probably have to get up out of the movie theater and go get somebody to let them know, kind of thing and everything. That's historically the way, the legacy type of security. They have the perimeter, which is front door, get in the lobby and then you're in, and I can move around laterally wherever I want, and the movie itself being that data, right? So I could go in and, "Hey, IMAX is showing in five minutes, I have bought a ticket for the rate. I'm just gonna go in the IMAX version, it's much better."
12:32 Gerald Caron: So with Zero Trust, here's where that becomes different. Still, I'm gonna get my ticket scanned at the lobby to make sure I'm allowed inside the theater, but when I show up at the movies and I still have access to the popcorn and the rest rooms, I'm in that perimeter, that larger perimeter. Now, I am... Get my ticket scanned also when I show up at the movie theater door. Now, if I was trying to walk into the IMAX and I had a regular ticket and they checked it, go back to the ticket booth and upgrade yourself, so do some kind of step-up authentication and then we'll let you in, but alright, I get my ticket scanned at the door. Yes, this is valid. You are allowed in, I'm assigned a seat. And then you have the usher come in and checking constantly. Is the projector working? Is the screen down? Are the lights low? Are the little lights on the walkway, so people don't trip there? Are the exit signs lit? Is everything working?
13:29 Gerald Caron: Checking all these factors constantly, to make sure that the data that I'm trying to consume, being that movie, everything's in its right place. I am who I am, I'm in where I'm supposed to be, and everything's working. And somebody's coming and doing that constant check, and if some threshold is met, the projector goes down or something, boom, automatically, automation is gonna take place and do whatever it needs to do. So that's kind of the analogy I use for it.
13:58 Raghu Nandakumara: Awesome, there you go, that's how we connect peanut butter, films, cinema and Zero Trust. What was the... You're clearly very passionate about Zero Trust and see the value in it, right? So how are you driving the adoption of Zero Trust at the OIG? What is your focus there?
14:18 Gerald Caron: When I first came in, nobody knew about Zero Trust, there's this mystification and no offense to any vendors, but there are so many different definitions now. It's just been overused term where people cringe when they hear it, but in the true essence of Zero Trust, if you learned it from Forrester, or listened to John Kindervag, who's the father of Zero Trust and everything. Go back to those five principles, understand those five principles. So I noticed some ways cyber security was being done and everything, and I introduced it and I actually educated my staff. So brought in some vendors in the art of the possible, and it was like leading the horse to water and they just drank. "Hey, this solves some of our problems if we did something like this," or "Oh man, this is gonna undercover some things. We'll have much more visibility."
15:05 Gerald Caron: And then what we also did is I have this chart stolen from the DoD, and it's in the DoD Zero Trust strategy that they released publicly a few weeks ago, there's a whole bunch of functional capabilities. Under the pillars, there's the five pillars of network data user, but they also have orchestration and analytics, which I also have been using for over a year, and I said, if I did not spend another penny, how are we doing at these things? And they self-rated.
15:34 Gerald Caron: I also gave it to each of the vendors we have already invested in, said, "If I do not spend another penny on your technology, what you have covered... Whether I'm doing it or not, what can I cover?" So then I knew, alright, we're doing these things, we've got something, sure, we could use a little help over on this thing, and... Oh man. We have some gaps. So with that, created five foundational projects. We looked at what I hate, VPNs have been described to me as a malicious, secure way to deliver a malicious payload, I'd like to go VPN-less in a way where I don't wanna rely on my on-premises network, how inefficient is it for you to connect to one of my data centers, just to go back out to where are we putting everything, the cloud and the internet, that's where all of our resources are going. That's so inefficient to do that's boomeranged, so why can't I send you more direct? So we have TIC 3, the Trusted Internet Connection, that again has more flexibility. There's solutions out there that give you that telemetry security-wise that you need, but I'm sending my people more direct. Also data mapping, data mapping, what am I trying to protect at the end of the day with Zero Trust?
16:38 Gerald Caron: I'm trying to protect data. That's the goal. A lot of people will say, talk about identity. And you know what, identity is utterly important, because why, when we talk about Zero Trust, it's the right data, the right people at the right time, but the data has to have its integrity, and if you were a cyber security analyst and I got compromised, I'm gonna guess your first two questions to me are gonna be, "What did I have access to? And is there exfil?" That's not about me, you're asking about the data really, but who has access to that data is very important, but the data is what... So we're gonna do data mapping, and that's not network mapping, this is data, taking an application, what is it connected to, where is it sharing the data, what's sharing data with it? And then you're learning where data resides, lives, and where it's flowing because at the end of the day, I gotta be able to baseline that so I know what normal looks like, and then when abnormal happens, I gotta take an action.
17:36 Gerald Caron: So we're gonna do data mapping, we're also doing integration of those tools, like I already talked about that, so we can get an operational risk profile of the entire environment and mature our identity management, to make sure that we have a true authoritative identity even... Because what happens over there, we get new cloud solutions, we have applications, we have Active Directories, what happens is how many digital IDs do you have? Even in a small agency, there's so many digital IDs because each one of those does have a digital identity, so we gotta pull those together to look like an authoritative identity source, and then put some automation and governance over that, so we're looking to mature that as well. Those are our five foundational projects, which I believe, for our needs, are great stepping stone to those next maturity areas.
18:32 Raghu Nandakumara: That, Gerry, is such an incredible description of how you have built that plan and the real sort of detail that goes into it, the overarching strategy, the tactical sort of steps that you are using to execute against that strategy. I guess the only question that I have around that is, how are you measuring progress? How do you know that you are on the right path or that you need to course correct? How are you incorporating that feedback loop into the execution?
19:00 Gerald Caron: So we have set milestones that we're gonna be tracking against, with success criteria at certain stages. And one of the things I'd like to do also is, I'm not going for, and this is why I said use the peanut butter spread approach before, and I think we abide by FISMA and we have the NIST 800-53, the security controls and things like that. And they're very much compliance focused, or that's how they're interpreted. Not necessarily meant to be that way, but that's how they're interpreted. I like to use the example, and it's oversimplified, but it's an example I use, is, okay, the control may say you must provide authentication. I can say alright, username and password, I have provided authentication. I am compliant.
19:42 Raghu Nandakumara: Yeah. Yeah.
19:43 Gerald Caron: But am I effective?
19:46 Raghu Nandakumara: Yes.
19:47 Gerald Caron: No, I'm not. Don't...
19:50 Raghu Nandakumara: I'm saying yes because the question you're asking is right.
19:52 Gerald Caron: Yeah. No. Yeah. No. No. Effectiveness and compliance are two different things. That's been my thing that I've always said.
20:00 Raghu Nandakumara: I concur...
20:00 Gerald Caron: How do you measure effectiveness? I'd like to be able to come in and do some kind of pen testing or blue team type or purple team type testing incrementally. Is what I put in place effective? Is it accomplishing, is it meeting those principles, kind of thing. So I want to build that in, gotta figure out how to do that resource-wise. But I'm hoping the SOC-as-a-Service aspects might be able to help us with that. But I wanna be able to measure that effectiveness periodically. So we have those milestones built in for certain incremental milestones on our journey. And then I want to build in that effectiveness check to make sure that we do that act of testing. All right, did this meet that principle?
20:39 Gerald Caron: Is it right data, the right user at the right time? Are you able to move laterally kind of thing. So we're go... We're hoping to build those things into that incrementally as well. Not wait for the end and say all right let's go back to the beginning 'cause I don't wanna re-engineer. So that was very important in our pillars as well. 'Cause this is an architecture. So some people will talk about alright, we're gonna concentrate solely on the identity pillar and get that done. Alright, now we're gonna move to the next pillar. Me, I get concerned when I hear that because this is an architecture and I always explain enterprise architecture. I'm a big fan of enterprise architecture. Some people scoff at it sometimes. So there's four main areas.
21:19 Gerald Caron: There's the business which is the financials and the mission drives things like that. Then there's the technical which is the implementation. How do you go about doing it? But there's the security, how are you securing and the data. I focus on those four things. And so in doing that, I wanna make sure that yes we may be doing more work on one pillar than the other, but we know what those relationships between the pillar, we're not going back and re-engineering because something didn't work because I got so far on that other pillar kind of thing. So knowing those relationships up front, how those have to interact, what the capabilities need to be between them is something that I'm very cautious about as well.
22:00 Raghu Nandakumara: Yeah. That I think is such an important point, because we see so much across the security media, vendor posts, vendor marketing about how focusing on one particular control is the most important thing to do when you are adopting Zero Trust. But as you rightly said, you need to really look holistically across your control set and have those things moving together in lockstep, in parallel. Because the power is almost the combination of those controls as opposed to one particular thing. Because otherwise you're just over-rotating.
22:37 Gerald Caron: Yeah. And when I talk about what my approach towards Zero Trust is, to oversimplify it again is, first of all what am I that I'm trying to protect is data. Alright, so what do I do around data? First I need to know like I said data map. But then I want to build the micro-segment. I wanna micro-segment that even within its own database. All data's not created equal just because it's in its own database. So what can I do around data? And then a lot of people will say, all right devices, we gotta do devices. No, in reality what facilitates access to data? Applications. So what do we do around applications? Now, applications need what to live on. They need a device to live on. They have to live somewhere. Alright, and I'm not gonna manage every device.
23:20 Gerald Caron: I have public websites that may need authentication. I'm not gonna start managing every device. So there's different risk levels to different things within these categories. And then devices need what to talk. They need networks. What do I do around networks? Am I managing it or am I not? What can I do that's within my control? And then of course, the users. Alright, what do I do around identity management to make sure the right users get the access to the right data at the right time? So I kinda work inside out in that fashion when I talk about this. So I start with the data. That's what I'm trying to do at the end of the day and then work my way back through all those.
23:57 Raghu Nandakumara: That really is the right way, and the way, whether it's sort of John expressing how you drive Zero Trust maturity. That's very much how he has sort of envisioned a Zero Trust strategy being executed, as very much a holistic view. Because otherwise what we see is, I think, just going back, right, is that it's tainted by vendor marketing saying, this is what you have to do, you must start with this pillar and get that perfect...
24:23 Gerald Caron: Because I want you to buy my thing.
24:25 Raghu Nandakumara: Exactly. Right. Exactly. So I wanna go back. You were talking about sort of enterprise architecture. And you talked...
24:31 Gerald Caron: But I'll say something before you go into that. I will say this. We cannot do it without the vendors though.
24:37 Raghu Nandakumara: Yeah that's true.
24:38 Gerald Caron: They have the technologies, they're building the technologies. But what we're trying to do through the working group, through ATAR, 'cause we have... We're going into phase two. We gave everybody their platform for their specific thing. But in phase two we're saying we want you to team up, and we wanna see it end to end through all the pillars. You team up with whomever you need to. If you're missing that pillar or that functionality, we need to see it. We need to see it work all the way through. Don't show us slides, don't send us sales pitches, we want... Now here's your use cases, show us. So that's what we're trying to drive for now.
25:12 Raghu Nandakumara: But I think that's just talking about what that complete solution is. Carnegie Mellon had that Zero Trust industry day back in early September where again, very much sort of academia integrated with government, really pushing that integrated approach to Zero Trust. And that was really refreshing to see, and I'm excited about sort of the outcomes of that. I wanna go back to something you said about sort of enterprise architecture, and one of the key facets of that being aligning with the mission, aligning with the business objectives. So how, in your role, have you aligned Zero Trust, or the Zero Trust program, the Zero Trust strategy, with the sort of overarching raison d'être of the OIG?
25:53 Gerald Caron: I'm glad you asked this question because I talk about this as well. So I don't look at Zero Trust as solely a cybersecurity effort or an IT effort. There is the business of the IG, and sometimes I'll even remind my engineers that the OIG was not put on this earth to do IT. Yeah. That is not the main mission. It is the enabler. So saying that, we actually did a presentation on Zero Trust to all the user community, now, kind of letting them know things are gonna change, here's some benefits we're gonna bring you. We're gonna send you more direct. So better performance, better interoperability, single sign-on. Some of those things that we're gonna introduce which make the users so much happier. But also what the objective is. The question that we're gonna be asking even more is "how do you want to work?"
26:43 Gerald Caron: “Do you need to be more mobile? Are you missing things? What works well, what doesn't?” Why? Because we can build those requirements in 'cause we're modernizing. In essence, we're bringing new technologies, we're bringing new capabilities, we're modernizing. So by including their requirements, there’s a lot less friction when we implement because we listened, and we're gonna do it. “Also what am I getting out of it? What do you need access to? When do you need access to it?” So now I'm getting validation on my inventory of data sources. I'm building personas 'cause I know how people want to work or how they work, what devices they use most. Are they coming from home and networks I manage, or are they coming in the office? I'm learning about a bunch of stuff. Now we're starting to understand things that we can feed into our Zero Trust as well because this is how they want to work, this is the mission that they have to do, this is the data sources that they rely on.
27:38 Gerald Caron: What are those data sources? Do they have PII, do they not have PII? Are they available to the public? Are they not available to the public? And really understanding that, people in the different offices, they mention it sometimes or ask about it. What's that gonna look like in a Zero Trust environment, kind of thing. And it's good because now we got them thinking, yeah, it's gonna... Things are gonna change, but I'm gonna get access to my stuff. I got some in... I'll have integrity in what I'm accessing, these things, I'm working from home. Oh man, I don't have to get that VPN hooked up. I'm going straight to my thing. And me, as a CIO, I'm getting my security telemetry still. We're telling them what the benefits are. And then that communication of what they need, when they need it, how they want to work, and build that in and make it more of a modernization effort rather than this bolt-on security IT effort.
28:26 Raghu Nandakumara: Yeah, 100%. That's sort of that proactive sort of "here is how it's gonna benefit you," and "how would you like to work," or "what would you like to be able to do," those really great questions, and enabling that is amazing. But it's also that ROI on security investments is one of the great intangibles. And going back to saying, yeah, we could do, let's say, a penetration test before and after, or we could do a threat model before and after, and we can say that, okay, now we have remediated this threat and so on. But when they say okay, I get that, but what am I getting back? How do you demonstrate ROI?
29:00 Gerald Caron: We just had that question, [29:02] ____ from my boss as a matter of fact, it's like, all right, you're asking for this money, you get this money. Are we making any savings or anything? I hate saying savings. It's always cost avoidance 'cause I'm never gonna ask for a reduced budget as a result of something. I'm gonna spend it someplace else. But I say cost avoidance. That got me thinking. And it was funny because the week or the two weeks before, I asked somebody in our security team, "Hey, what is the cost of an incident?" How much does an incident cost? So, yeah, I'm investing in security and it's an investment, and I might be shutting down a few things, but I'm still gonna spend it on this new... The new things that I'm implementing. But what we have right now, and I gotta put some dollar figures against it, is, all right, there's small, medium and critical events.
29:50 Gerald Caron: Here's typically what it takes in man-hours from the operations team, from the security team to remediate those things. The impact and loss of stop work and things for the mission and things like that. So we're putting together that graphic to show us if something does happen, and something will happen at some level, whether it be a non-malicious user, which could be a small incident, or you claiming to call me in the help desk and I give you access to my PC and you start doing whatever, or ransomware or anything. Here's the cost of an incident. Now, you're investing... I'm asking to invest this much compared to that, where you are not getting anything done. We're not supporting the mission just because we're cleaning up whatever mess came about. We're actually putting that graphic together right now to tell that story because we've been through some incidents, and the person I'm working with that's in our CISO shop now comes from State as well.
30:49 Gerald Caron: So we kind of have a good idea. The resources it takes, the after-effects, the interruption to work, the days, the nights, the people, bringing in third parties, specialties, depending on what the technology compromised is, expertise from that. And then there's the residual. That's the event, but what are you doing to prevent it after? So there's always some long-term strategy to, hopefully, you don't just band-aid it, hopefully you put together a strategy. Now there's a cost to doing that. Let's get ahead of that. Invest in this now because it's probably gonna cost you more.
31:24 Raghu Nandakumara: Exactly.
31:25 Gerald Caron: If this event happens and here's the dollar figure against that.
31:29 Raghu Nandakumara: Exactly.
31:30 Gerald Caron: And let's say that's just one. If we don't do this, you might have multiples of these. So kind of thing. So that's what we're putting together actually right now. It's funny you ask.
31:39 Raghu Nandakumara: Yeah. I mean if only it didn't take an incident to act as a forcing function.
31:42 Gerald Caron: Yeah. And unfortunately that's what I've seen in some places. It's like you can warn... It's a little boy that cried wolf kind of thing. The wolf actually shows up and guess what? Oh, yeah, we should do something about that.
31:54 Raghu Nandakumara: Yes. So true. I wanna ask you about just outside the OIG. And we see that, let's say, the healthcare sector is particularly targeted these days. And too often, a healthcare provider is forced to essentially stop serving patients and sometimes stop delivering emergency care, critical care, because the attack has essentially taken out access to their critical IT systems. What is gonna force, and I'm just asking you about healthcare because of who you work for, what is gonna force an increased focus on resilience for healthcare providers so that this is not a rinse and repeat?
32:39 Gerald Caron: Yeah. And this is just an opinion. I think there's still some legacy systems that support some of these entities that you're talking about. And I think what it is, it's gotta be embraced by the organization. It can't just be the IT people. It's gotta be something that is understood, and whether it's gotta be the IT people that raise this. I've read a lot of articles where in private businesses, such as some of the... You're referring to that there's recommendations. The CIO should be sitting on the board, or the CISO, either or, so that they... 'Cause when you're managing risk, it's not just an IT thing, it's also a mission thing as well. What are the political aspects of the risk and the decisions that you're making? And then that informs the IT risk as well. But I think it has to be well understood that this is, going back to the ROI, this is why this is a good investment. This is gonna help mitigate this risk.
33:34 Gerald Caron: So telling that story and making it an organizational priority. And that's the thing about the executive order that came out last year to strengthen the nation's IT cybersecurity, and Zero Trust was a big aspect of that, which then resulted in OMB memo 2209. It was embraced at the highest levels. Now, they're not just making it an IT thing, they're making it the agency's responsibility. You must do these things. So everybody gets on board. Now, it's prioritized at the highest level. That might be a little different in the private sector, how it goes about doing that.
34:11 Gerald Caron: The federal government, in this sense, being transparent in that way and showing that this is a priority for the federal government. Some are seeing that as well, I think, and saying the federal government's a little ahead of us on that, but there's some in the financial sector that are ahead of us technology-wise and things like that. But I think it really needs to be understood, embraced as not an IT thing. This is a cultural thing for an organization and it needs to be communicated.
34:41 Raghu Nandakumara: And as you say, you re-emphasize what is now just a common theme, that security needs to be a board-level priority. It can't just be the purview of the security organization or the IT organization. And you spoke about the executive order, the OMB memo and those sort of Zero Trust initiatives that you are very close to. How confident are you that they're gonna deliver the culture change, the posture change and the overall improvement of cyber resilience that at least they hope to?
35:16 Gerald Caron: Yeah, I think... I'm the type of person that's one step forward is better than not taking a step at all. I think in different agencies, offices and things like that, we're all at different things. We all have made different investments of things. We're all at different maturity levels. But I think everybody's grasped onto this. I think people are starting to get an understanding. I think there's still some education, but everybody, I think from what I see, is moving in the right direction based on where they are.
35:44 Gerald Caron: Now, are we all gonna get to the same place at the same time, or are we all gonna look the same at the end of the day? No, but to me, it comes down to going back to those five principles. Am I addressing those five principles at the end of the day? Doesn't matter how I did it, can I address those five principles and am I being effective at my cybersecurity? Can I prove that? Yes or no? Now, like I said, we're all gonna look different at the end of the day. As long as we're meeting those five principles, I think that's very important. Everybody's moving in the right direction. I just think there's some struggles in some areas, and there's always gonna be, but I think there's good forward motion, and like I said, if you're taking a baby step forward, that's better than just standing there not doing anything.
36:26 Raghu Nandakumara: Awesome. And so just talking about baby steps, or even giant steps, what is... What excites you most about the future of Zero Trust and Zero Trust adoption, whether it's in the Fed or globally?
36:42 Gerald Caron: What excites me? Well, what scares me is we had a discussion with an analyst the other day on quantum computing. And that's coming sooner than we think. And it's not gonna be implementation for solutions that quantum computing can help enable, but it's also malicious actors leveraging quantum computing, and looking at security in this different way than being compliant, doing the check boxes. Not looking at it holistically, not being siloed anymore, looking across, understanding what I actually own, what is most important to me and how I'm protecting that, I think is very important. That's what I'm excited about, that it's breaking down those barriers. It's a holistic approach. It's an approach towards effectiveness, like I said, and being more effective. Because things like quantum computing scare the heck out of me.
37:41 Gerald Caron: I think we were talking, he was telling us in 10 years, it's gonna be pretty much mainstream in some fashion. And that's scary as heck. Now, there has been, I think, an executive order that came out on that as well, where I think we gotta get off the... We gotta get moving to protect ourselves against that. So we gotta get going on these things that make us more cyber effective.
38:05 Raghu Nandakumara: Awesome. I mean, Gerry, we've just covered so much today, and more than anything, I think we've got a really great overview about how you have gone about really driving a Zero Trust program, and you taking us through all that detail and the very organized way in which you're approaching it, I think is just gold dust for practitioners out there who are about to embark, or may already have started, on their Zero Trust journey. So really, thank you for your time today. Appreciate you taking time out of your busy schedule to spend this time conversing with us. And yeah, thank you.
38:41 Gerald Caron: Yeah, thanks.
38:42 Raghu Nandakumara: Appreciate it.
38:43 Gerald Caron: Thanks for having me and it's great meeting you and I really appreciate the time.
38:51 Raghu Nandakumara: Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at Illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.