Carolyn Ford [: 00:00:20

Hi, welcome to Tech Transforms. I'm Carolyn Ford. And today, I am pleased to welcome Travis Rosiek. He's the Public Sector CTO at Rubrik. And I had the opportunity of hearing Travis speak on a panel at Billington Cybersecurity Summit, just this past September. And I wanted to hear more from him after that panel. He's had a fantastic career.

Carolyn Ford [: 00:00:49

He started at DISA before he moved to industry as he continues to assist government through the private sector. Travis has a unique opportunity to provide us insights in the ever-evolving relationship between government agencies and providers, which, I mean, now it's not just a lip service kinda thing. Like, partnership between industry and government is crucial. And it really is, I think, the only way forward. So Travis having this experience is, it's unique. So he's gonna talk to us today about how agencies and providers are approaching cybersecurity, compliance, and data protection. So with that, welcome to Tech Transforms, Travis.

Travis Rosiek [: 00:01:42

Hi, Carolyn. A pleasure to be with you today. Very flattered, and thanks for the kind introduction.

Carolyn Ford [: 00:01:47

Yeah. Well, it's I we're like I said, I'm excited to have you. The comments that you made on the zero trust panel were, like, perfect sound bites. The stuff that you said during that panel, I'm furiously jotting it down during the panel. And, so I'm counting on you to give me some more sound bites today, Travis.

Travis Rosiek [: 00:02:09

No pressure. I'll do my best.

Carolyn Ford [: 00:02:11

So like I said, your career, I mean, it has spanned, decades. I'm not gonna date you. But you started on the Red Team at DISA, and then you moved to growing cybersecurity companies and leading large cybersecurity programs within the DOD. So I wanna start off with how have you seen, the relationship between government agencies and cloud providers, and industry for that matter, how have you seen it evolve over your career?

Travis Rosiek [: 00:02:46

Wow. I would say Yeah. I would say quite a bit over the years. So, I think, you know, starting out in the early days, you know, fielding capabilities, testing them, going through that process, You know, the government, you know, DOD STIG, for example, the certification accreditation process. Commercial technology vendors didn't understand it. You know, it was, you know, acronym soup, the details, getting exposure and understanding of what the tests were for. So trying to help vendors, understand, you know, what some of the compliance requirements were, getting through, the DOD STIG process, explaining to them that process, which was definitely in the early days. The government wrote STIGS back then, so they were kind of the ones doing the authorship.

Travis Rosiek [: 00:03:43

Now the vendors have some of the responsibility to create those kind of guidance on how to harden the platforms. They have much more understanding of, you know, secure software development, some of the assessment methodologies.

Carolyn Ford [: 00:03:56

Wait. So DISA takes, STIGS from industry and writes it in? They're okay.

Travis Rosiek [: 00:04:04

Yeah. So originally, DISA would create all of the STIGS. I actually helped write some back in past lives. But now some of the vendors have to, produce guidance on the STIGs because they understand their underlying technology better than the government. So how is actually written and comes together. So the devil's in those details on what really exposed. Some of it's a little bit of trust and transparency as well. Like, are they, are they are they doing it the right way? But it has to go through a vetting process and different types of assessments and accreditation boards and stuff.

Travis Rosiek [: 00:04:37

So it's it's quite a lengthy process. But in the old ways, the government was a hindrance. Like, they couldn't keep pace with all of the the you know, the technology just exploding, so they couldn't keep pace with that.

Carolyn Ford [: 00:04:49

That was we still kind of see that. Right? That the technology and industry is outpacing, the ability to keep up with or or the certifications. Actually, we're gonna we're gonna come to that. We're gonna talk a little bit about FedRAMP so keep keep going.

Travis Rosiek [: 00:05:05

Yeah So not a new problem, just a different different perspective. So Mhmm. Yeah. So the vendors you know, that that public private partnership on trying to collaborate hardened transforms. You know, obviously, there's regulation and other things that have been kind of, peppered in there over the years. But yeah.

Travis Rosiek [: 00:05:23

It's it's been a really, a lot more focused collaboration on building, these secure solutions. Obviously, being on the, you know, red team background. Yeah. Obviously, you know, there's more that can be done, I believe. So, like, I've been on the, you know, kind of the bleeding edge kind of pushing to do more, and harden you know, building more cyber resiliency in. I think fundamentally, compliance requirements and it's really about mitigating risk or minimizing risk. So compliance requirements, don't change as fast as, cyber threat actors and their, tactic, techniques, and procedures. So they can evolve much faster than any of the cyber defenders, the companies, etcetera.

Travis Rosiek [: 00:06:05

So, you know, I think, you know, being able to up do software updates. You know, if there is a vulnerability that's found in software, how do you patch it and how do you get it pushed out to your customer base quickly? And then, obviously, the last couple years have been, another challenge or another evolution of cyber threat actors is that whole, the supply chain attacks. Right? So cybersecurity supply chain supply chain in general is another big attack vector and another, critical area that the government's really been focused on how to mitigate some of those threats.

Carolyn Ford [: 00:06:39

So I heard you say there's more collaboration. I mean, it seems like back in the day, the main competitor for industry was GOTS, government technology. Is that still the case, or has it become really more of a partnership and there's governments more ready to embrace what industry has to offer. Was is that fair?

Travis Rosiek [: 00:07:10

So yeah. So, one of the old DISA directors, General Charlie Croom, when I was at DISA, he was kind of a transformative leader, and he had the ABCs. And that was kind of the DISA strategy, adopt, buy, and create. So leveraging commercial technology, the advancement there, integrating, operationalizing it was top of top of mind. Leveraging things were already acquired or in use, by other services and then buying capabilities and then building them was like last resort. So I think depending on the niche or the focus area, that that that aspect is always, you know, kind of, up for, you know, argument about what's the best path. But I think system integrators and others, you know, some of these technologies have been around 20, 30 years. So different types of systems.

Travis Rosiek [: 00:07:57

It's it's really hard to get a commercial company to go create something that only fits 1 use case or 1 customer. So I think sometimes it makes sense for the GOTS approach or it's so specialized or uber sensitive from a national security perspective, you know, where supply chain security components, everything is tightly controlled. Those solutions don't scale well. Like, you couldn't mass produce it, but for certain use cases, it comes at a premium to build to build it well and build it right. You know, competing priorities a little bit. So outsourcing everything and then you're kind of, you know, at the whim of either the GOTS capabilities or if you outsource all of your services to service providers, you know, it's kind of 1 in the same. They just have different you know, one is more of replicating things that are in the commercial world at scale or things that are very, specifically built. So

Carolyn Ford [: 00:08:46

Yeah. I mean, that's a really good point. Right? Industry's objectives often don't completely align with the governments, especially when it comes to the defense side. The mission is different. And so there's there's just enough nuance that the very least, there has to be some adaptation, right, for those specific use cases that you mentioned. So..

Travis Rosiek [: 00:09:14

Yeah. And to that point, I would say, like, my experience from being different sides of the fence, fielding capabilities, assessing them, operationalizing them, or trying to build them and sell them in the commercial and government customer spaces, the government, you know, it's not profit-driven. Right? So Right. You know, in some ways, people scratch their head and, you know, you have to spend money or you lose it kind of thing when it comes to end of the fiscal year. But what the advantage is, the government is unique in that it can actually study these hard problems and kinda look over the horizon. So, you know, identifying risk and driving, innovation in the industry by identifying a problem in the future and then getting commercial companies to go address that problem. So I think from that perspective, if the government, you know, didn't have those resources to study those problems, raise awareness, you know, in the future and driving that innovation, like, that that's where that comes from.

Travis Rosiek [: 00:10:12

On the commercial side of things, you know, commercial companies, they don't they don't study these problems. Right? They're kind of, I think, you know, depending on the role in the organization or regulation, primarily focus on achieving compliance and, you know, pro you know, being profitable. So I think maybe there's an overdrive to be profitable over some of the shortsightedness that that leads to. So they're not really looking that far into the future for certain things because, you know, it's it's only going to cost them money. So the government is great about identifying and studying problems. Industry is great about solving problems, you know, driving that, you know, capitalism type of culture, building capabilities, selling solutions. And they're more they're quicker to implement, adapt, and deploy capabilities where the government is very slow in implementation of these you know, they can figure out the problem.

Travis Rosiek [: 00:10:59

They're they're very slow and, challenged to actually implement the solution. The industry builds a solution, the government identifies the problem, and that's kind of trying to short circuit that, dynamic. It's kind of where we run into a lot of nontechnical challenges, like acquisition laws and processes.

Carolyn Ford [: 00:11:17

Right. And everything you just described is why its important for industry and government to have a really tight partnership they come at things from a little bit from a different perspective, a lot from a different perspective. It's like yin and yang. Right?

Travis Rosiek [: 00:11:35

Yeah. A 100%. Yeah. That's that's a great analogy.

Carolyn Ford [: 00:11:38

So let's talk about some of the best practices that you've discovered when it comes to having shared cybersecurity models between agencies, and let's get specific cloud providers. You mentioned something before we started recording. I'm gonna let you say it about moving to the cloud and security.

Travis Rosiek [: 00:11:58

Yeah. Just over the years kind of looking at, you know, in the early days of cloud and kind of, the exploration of that back I was still on the DOD days kind of looking at that in security, in risks. You know, there's a lot of things to consider, but I think the rapid move to the cloud in the past was really driven not by the security folks. It was driven more by, you know, the IT transformation and, you know, CFO kind of business driven. I think the myth around like it's going to be cheaper to move to the cloud and it's going to be secure or or it's going to alleviate the need for security.

Carolyn Ford [: 00:12:30

We can just hand it all over. Somebody else will take care of it.

Travis Rosiek [: 00:12:33

Exactly. And we'll save money in the process. Yeah. Yeah. You know, there there's no free lunch in life. Right? There's always there's always implications and costs. So in some use cases, moving to the cloud definitely is cheaper, depending on what you're using it for in the application.

Carolyn Ford [: 00:12:48

Well, would you say maybe in the long run? Like, this is a long-end game here. This moving to the cloud is a marathon. It is not a quick hit save money by moving to the cloud. But eventually, you're gonna be more secure. You will well, I don't know. Will you save money in the long run?

Travis Rosiek [: 00:13:08

Well, it's all case-by-case dependent. So, you know, the government over the last several years had a cloud first initiative.

Carolyn Ford [: 00:13:15

Mhmm.

Travis Rosiek [: 00:13:15

So I don't know if it was a driver more to sponsor the use in leveraging the cloud and building the maturity on it. But now they've kind of transitioned to a cloud smart approach. So where you don't have to mandate, I you know, your applications and stuff to go to the cloud first. It's more of a smart approach. So which cloud provider? They offer different capabilities, feature functionality, cost models, you know, expertise. Some things are better to have on premise or in your own environment. Cyber resiliency is another big thing and connectivity. So I think I think cloud smart is definitely the right approach because, you know, not every you know, all not one size fits all.

Travis Rosiek [: 00:13:52

Right? So you kinda have to and, really, the devil's in the details in all of this. So I think in the beginning, people didn't really understand the implications, the technical, nontechnical components. You know, there is a shared responsibility model. So when when you pass something into a cloud service provider, you know, you don't have you know, you not resolved all the cyber risk and all the responsibilities there. So I think having that understanding, and then over the years, you know, when when there is an issue with a cloud service provider or the customer has to fix things and data is exposed, your entire security operations chain. Like, the the, the processes have to evolve and adapt with your IT transformation. And I think the IT teams, security teams usually don't get along. They're different contract vehicles, different organizations.

Travis Rosiek [: 00:14:38

So in some ways, they kinda have competing priorities. They're they don't you know, the right hand doesn't always know what the left hand is doing. So I think, you know, we've seen some of those growing pains over the years, commercial industry and in government, where, you know, even, you know, we talk about collaboration between, you know, public-private sectors. I think even internal to the, different teams within within an organization, whether it be private or public sector. But yeah. So if your data is in this, multi-cloud hybrid environment, how do you conduct instant response, you know, red teaming assessment, cyber risk? I mean, it's it's a much different, more complex environment that requires different types of skill sets. And I think one of the challenges the public sector has is, recruiting and retaining those skill sets because they're, you know, limited based on the GS Scale.

Travis Rosiek [: 00:15:30

Right? So there's certain career fields in the government that pay more comparable to commercial industry. But, obviously, in this space, I think CISA and some other places are trying to create more of a cyber career field where they can offer competitive pay with respect to commercial industry. But when there's 800,000, you know, job openings in cybersecurity, that's that's still a very difficult challenge.

Carolyn Ford [: 00:15:56

Right. So I think I heard you say, as far as best practices for a cybersecurity practice and partnering with your cloud provider, it's not a, we don't need a security team. We don't need security practices anymore. It's a we're we have a cloud provider. They have their security. Oh, look. This is one more layer in our security practices. And not only that, are the security practices, the security posture that we have had, some of it will still apply, and we're gonna have to adapt to this new environment.

Travis Rosiek [: 00:16:36

100%. Yes. It's the complexity level definitely has gone up. Like, the demands and requirements for that complexity, that expertise has increased. So, yeah. Again, going back to studying the problem, understanding it, and making sure you have, you know, in the government, the DOD DOTMLPF. Right? So understanding soup to nuts, you know, from policy and doctrine all the way to the resourcing and staffing side of things, what has to be in place. So tabletop exercises, red team type exercises, bringing all the stakeholders together and kind of wargaming certain worst case scenarios, is how I like to plan.

Carolyn Ford [: 00:17:14

Yeah.

Travis Rosiek [: 00:17:15

Mitigate risk, what's the worst possible thing that can happen, and then, work backwards. So I think those things are really important for an organization to kinda look at. You know, it's you know, from, you know, cloud service providers, I mean, they're not saying we do everything either. Right? So they they'll they'll, you know, they'll come out and bluntly say, like, you know, you're still responsible for protecting the data or what's in the cloud. You know, we're gonna protect the infrastructure or the underlying platform. But what happens up there is, you know, you're responsible for doing the monitoring. And then historically, you know, my experience is, you know, contractors you know, a lot of the work is outsourced and contracts are written for certain skill sets. And it takes time for those contracts to be re-competed or, get plussed up for money to add more expertise or diverse skill sets.

Travis Rosiek [: 00:18:03

So, you know, it's it's, it's a very complicated environment in the government space to be successful and, you know, kind of that forward looking process. You know, planning ahead definitely helps a lot, but, you know, the way technology evolves, it evolves quicker than, you know, what the palm cycle is or what the, you know, 3 to 5 year planning is with government, budgets. So I think I think that's kind of where part of the dynamic is, where commercial industry, you know, if they need a critical, item, they can move funding around or or prioritize funding and make those investments much quicker.

Carolyn Ford [: 00:18:38

So you keep bringing up how complex the cloud has made things. So how does AI fit into this? Is AI a problem solver to some of this complexity?

Travis Rosiek [: 00:18:49

So yeah. I so I think I mean, so moving to clouds and SaaS applications alleviates, you know, some of the resource constraints and expertise. So there's only a limited number of, you know, technologists in America, in the U.S. that have clearances, etcetera. So basically, when you outsource and leverage the expertise for, various solution providers in a SaaS application, then that that kind of frees up your own resources to do other things and solve other problems. So I think I mean, there's definitely a lot of advantages and economies of scale there. But from an AI perspective, I think trying to so, I mean, it's definitely evolving, but I think, you know, some of those hard tasks and some of those hard challenges, it can definitely help accelerate, speed up the process for detecting threats, identifying risks, getting awareness and things, but you still can't take the human out of the loop. So I think that's, you know, the other important thing. In many of these, networks environments, understanding the mission, what's important, where critical systems and applications, you know, some of those things are just institutional knowledge within organizations.

Travis Rosiek [: 00:19:58

Maybe it's not always written down. So adapting, you know, AI to that problem set, you know, it's it's not a, you know, it's not a perfect fit. Or having the data to build the algorithms correctly is also another challenge. So I think, you know, humans in the loop are gonna be there for many of these, use cases going forward, but it definitely can help address, some of the workforce challenges or shortages in in certain areas.

Carolyn Ford [: 00:20:23

Mhmm. So we've kind of danced around this a little bit with moving to the cloud and the cloud smart initiatives. So let's talk about compliance. It's such a dirty word. Like, my compliance is due, you know, all the training so we can check the box, which honestly, like, that's kind of that's how I think of compliance. So and I know that it's probably not the right way to think about compliance. Compliance is there as guardrails. Right? But let's talk about how agencies, private sector, evaluate compliance requirements, and what are some of the cybersecurity measures that can build on those requirements?

Travis Rosiek [: 00:21:15

Sure. Yeah. I mean, I to your point, it should be the, you know, the floor, not the ceiling. Right? So achieving compliance shouldn't be the goal of an organization. Unfortunately, I think it is in many cases because that's

Carolyn Ford [: 00:21:28

Because it takes so much time, Travis, to check those boxes.

Travis Rosiek [: 00:21:32

Yeah. Well, it it I mean, it's again, it goes back to the complexity of the problem. Right? So, yes, it does take a long time. I think yeah. I mean, a lot of the budget is spent just in that process, which I think is, you know, kind of a catch 22. It’s you know, a necessary evil, so to speak. But, at some point, you know, reinvesting all that manual process and time into, you know, implementing innovation. But we're, you know, we're at the part where, you know, trust but verify.

Travis Rosiek [: 00:21:59

So, you know, you know, there's still yeah. I mean, you know, getting to the continuous monitoring state where all this is automated, you know, it's the complexity and, it's it's just a challenge.

Carolyn Ford [: 00:22:12

Wait. Wait. Are you suggesting that rather than make me take my compliance training every year, there's continuous monitoring to see that, oh, Carolyn has complied all year. She doesn't need to take this training again. Like, I'm totally dumbing it down, I know, but is that what you're saying?

Travis Rosiek [: 00:22:33

Yeah. So, I mean, my experiences are I would, a mentor of mine in my government days would would would ask me and my colleagues, you know, what's what's the purpose of incident response? Like, what are we really getting from it? And, you know, yeah. People would say, well, we could figure out how the attack happened, what the impact was, how to fix it, you know, etcetera, etcetera. And he was like, well, yeah. I mean, that's that's, you know, the you know, that's kind of the direct answer, but, really, what's what's the so what piece of it? And then after a lot of deliberation and brainstorming and stuff, the answer that resonated was it's really your opportunity to assess an organization operationally. So are there people, processes, and working? People, process, and technology actually working together? So when you're in the process or in the fight, can they get data? Can they identify, you know, things quickly? Can they communicate? Are they collaborating? Can they actually be cyber resilient and cyber ready? So to me, I think assessing the processes, you know, are you following processes? Are you doing things properly? More in that continuous basis is a better measure from a cyber risk perspective than just solely focusing on, you know, compliance or check the box. Like, did you take your test? Right? So Right. Anyway, to your point, I think the continuous monitoring piece really needs to get into that kind of that operational assessment or looking at the processes, in more detail than specifically just, you know, check the box type of approach.

Carolyn Ford [: 00:24:07

Okay. Let's let's talk about FedRAMP compliance. So it is for industry, it's pretty painful to get FedRAMP authorized. There's a lot involved. So as companies look to achieve this compliance, this authorization, what advice can you provide for matching the structure of different FedRAMP levels to the needs of organizations?

Travis Rosiek [: 00:24:33

Yeah. I mean, there's, I mean, I think we could probably do, not just 1 session, multiple sessions just on FedRAMP.

Carolyn Ford [: 00:24:41

Oh, I'm yes. We could do ongoing forever, Travis. You could do, like, regular training.

Travis Rosiek [: 00:24:48

Correct. Yeah. I think in general, you know, seeing FedRAMP evolve over the years, it it's come a long way. I think, you know, the misnomer is the burden is only on on the vendor. Right? The vendor has to invest and do things. You know, it's cost cost, prohibitive. It's expensive. Like, I mean, yeah.

Travis Rosiek [: 00:25:08

It is. Yes. Yes. It takes a long time. But I think, you know, also having on the government side of things, you know, the sponsor that's helping get a vendor through the process is incredibly burdensome. You know? It's not like they get extra money if, you know it's not like they're compensated any differently and, you know, it's a painful process.

Carolyn Ford [: 00:25:31

And, you know, getting that for both sides it's a painful process.

Travis Rosiek [: 00:25:35

Exact yeah. So, you know, the government folks, you know, given the nature, you know, understaffed, under resources, the expertise, You know? So the few that are there to kinda shepherd organizations through the process, you know, it's quite burdensome on them. and they're not, you know

Carolyn Ford [: 00:25:55

Right. It just adds to their workload.

Travis Rosiek [: 00:25:57

You know, a lot of vendors are trying to get through the process. So they're they're inundated with that. Right. And then you get to the program office who's trying to look at it at, you know, at the last step in the process. And they have some of those same challenges. They're just kind of they're getting it from multiple angles simultaneously. So I think, you know, scaling some of that out, making that process, you know, I think it's too, you know, too linear. Like, you know, I think if you wanted to look at it from, like, efficiency perspective, there's definitely some things that could that could make life easier for all parties involved in kind of the processes, in place.

Travis Rosiek [: 00:26:33

So, yeah, I think it's evolving. It's definitely gotten better, but there's definitely room to improve and, you know, it's you know, I think it's more of a procedural thing than, you know, like, having more resources on the government side. Hey, if you're gonna sponsor or, software packages and solutions through the FedRAMP process, making that that, making investments to make it easier on the government side would be, I think, hugely helpful from my perspective.

Carolyn Ford [: 00:27:00

Mhmm. Well and let's talk about why we really do FedRAMP. Right? Like, we're doing it we're doing it for the sake of national security. We're doing it really and that national security, when you get down to it, it's the data. Right? So the amount of data across the amount of data on my own hard drive is just unwieldy. So how important well, I mean, I think this almost sounds like a dumb question. I was just about to say, how important is categorization and classification when it comes to data security? I mean, I think it's vastly important.

Carolyn Ford [: 00:27:41

I think I think a better question might be, how do you how do you even manage it? I mean, I used to work for an integrator, a system integrator, and I had to classify everything. And it broke my head just that little bit. I mean, maybe AI can help us with the classifications. Because sometime I'm like, I don't know. I don't know what level I don't know if I should burn this, if I should lock it up, if it's fine to just be out in the wild. So I guess let's talk about the classification, the categorization, and then just the burden of even doing that on all this data.

Travis Rosiek [: 00:28:24

Yeah. I mean, it's a huge a huge challenge. I mean, if you look at so, Rubrik has a, a threat intel focused team focusing, research around, cyber threats and data. It's called, the team is called Rubik Zero Labs. We we recently just, released the report. Well, probably by the time this airs, you know, maybe a couple months prior. But, some interesting takeaways from that from a metrics perspective. But

Carolyn Ford [: 00:28:53

What's it called? Rub Rubik?

Travis Rosiek [: 00:28:56

Rubik Zero Labs.

Carolyn Ford [: 00:28:58

Zero what? Labs. Labs. That's the name of the report?

Travis Rosiek [: 00:29:02

That's the name of the group, who produces the report. Yeah. So if you if you just Google that, you'll see all of the historical reports, some pretty interesting data around trends. So we do some external surveys and research, you know, not cost not our customers, but just in general, across, various, continents and commercial organizations predominantly. But when they just look at the, the proliferation of data within their organization, I mean, it's just you know, within, like, 18 months, you know, we're talking 40, 50% growth of data within their environment. So if you think about that over 3 to 5 years, I mean, you know, hundreds of time yeah. You know, hundreds of percent growth or, you know, 3 to 5 times growth of data within their environment.

Travis Rosiek [: 00:29:46

So as that's moving around the multiple clouds, multiple SaaS applications on premise, mobile devices, you know, where's the sensitive data? Where's the critical data? Who has who has access to that? Where is that data? In transit and, you know, at rest, I mean, those are from a security perspective, you know, looking at risk and when there's a compromise or a breach or ransomware attacks or destructive malware attacks, bringing systems down. You know, what was impacted? You know, confidentiality, integrity, availability of the data. You know, who's had access or even insider threats in the government space. You were talking about, you know, burning sensitive data, things like that. So, you know, from an insider threat perspective, you know, who's had access to things? When did they have access? Where were they? So as the government looks to zero trust architecture, kind of looking at some of those attribute, based access controls, all the different, risk calculuses around allowing access, under what circumstances, and for how long, all come into play. But, you know, fundamentally, you know, visibility is the first foundational step. So, you know, if you can't answer some of those basic questions on visibility, you're gonna struggle protecting it. So if you don't know,

Carolyn Ford [: 00:31:03

Yeah. Knowing what you've got, knowing where it is, who's got access, that kind of visibility. Yeah.

Travis Rosiek [: 00:31:09

Yeah. And then I think, you know, fundamentally looking, we're talking about cloud providers, SaaS applications, etcetera. You know, there's I think, you know, everyone knows about, like, NIST 800 - 53, NIST Cybersecurity Framework, and other other standards that are exist. There's a NIST publication, called the Special Pipe 800 - 160 and it's, focusing on building, cyber resilient systems. And I don't think that one gets enough attention and focus. But but, based on some of my background and experiences, it has some really key principles around, you know, how do you build systems that survive a cyber attack? So in the in the military, the government systems, you know, we're anticipating planning for that worst case scenario. So if there is a cyber attack, or other type of disaster, or kinetic type of effect, how can the system or the environment survive and still enable the the troops and others to do the mission. So, with within that guidance, from NIST, it has 4 major goals for for building cyber resilient systems.

Travis Rosiek [: 00:32:18

Anticipate, withstand, recover, and adapt.

Carolyn Ford [: 00:32:23

Anticipate, withstand, recover, and adapt.

Travis Rosiek [: 00:32:27

Correct. Yes. So I think, you know, kind of looking at, you know, the cloud environments, SaaS applications, Zero Trust architecture, I think, like, applying those goals to everything, or at least the critical systems, I think is another key component. So you knowing what you have, who has access, how do you determine if there is, you know, worst case scenario, an insider threat, a supply chain attack? Right? So, if you can't trust the system so if you put too many eggs in one basket, right, you don't have, you know, various fail safes. Like, if 1 vendor or one solution or one one environment goes down, like, how detrimental is that? Are you a is your mission success a 100% reliant on that one thing or that one vendor, or one application? So I think building some of that redundancy resiliency in that you have fail safes, defense in-depth. Right? So if one detection methodology fails, do you have other things around it to identify that it is compromised and potentially is lying to you? Right? So to me, I think having a false sense of security, you know, in anything we build, overly trusting things or having a false sense of security, is probably our Achilles' heel. So I think trying to drive complacency out. That's probably, like, my pet peeve when I meet organizations that say, hey.

Travis Rosiek [: 00:33:58

We're secure already or we're compliant or we're secure. We don't need to do anymore. That that's kind of like you know, from a Red Teamer perspective, that's kind of, that's when you know, like, you're you're not gonna have any trouble getting into that organization.

Carolyn Ford [: 00:34:12

Well, and I think that's where, the whole compliance thing can be really a detriment because they think or we think, okay. I've checked all these boxes. I'm safe. And I was just thinking about, so this survey that you guys do that this the Zero Labs does, you use that to build up your cybersecurity so you're anticipating what might happen to you. You're gonna look at your system, see how you can withstand it, how you can recover and adapt. So that's where you do. You take that report and make it actionable for your environment. Is that

Travis Rosiek [: 00:34:57

Yeah. I mean, that that's what organizations should be doing a 100%. So anticipate is understanding the threat, staying, you know, current on all the evolving threats. Obviously, the government sector has, classified data sources as well. But, you know, today's era compared to 15, 20 years ago, there's a lot out in commercial industry, that, you know, or most organizations can leverage. So, I think under there's no shortage of threat intel and threat data that's, you know, publicly available today compared to, you know, 15, 20 years ago. But I think the anticipation part coupled with, you know, the compliance side.

Travis Rosiek [: 00:35:37

So making it more risk focused, you know, like the risk management framework, things like that. But I think ultimately it comes down to, you know, answering those 4 questions. Can you anticipate or are you anticipating these types of threats or worst case scenarios? What are you doing and what investments are you making to be able to withstand, you know, ransomware attacks, you know, disinformation, you know, data modification, data corruption, you know, data availability, like, destructive malware. Like, you know, the system is down. You you can't recover it. How are you gonna, recover from that? So kind of going through and making sure from tabletop exercises, processes, you know, and then how can you adapt going forward from where your current state is? So taking those lessons learned and doing, you know, continuous improvement exercises.

Carolyn Ford [: 00:36:28

So that's great advice for CISOs. The I mean, just to go look at that. So NIST 800 - 160. Is there any other advice that you would give CISOs when it comes to your cybersecurity posture?

Travis Rosiek [: 00:36:44

I mean, the the problem you know, the the rapid evolution of Tech, you know, the problem set is just getting bigger. So, you know, just patience, perseverance. You know, it's it's a, definitely a difficult difficult, job for for most CISOs. Right? The, they have all the burden, but they probably don't have all the authority, budget, control and influence that they would like. So I think, I would say not so much recommendations for them, other than empathy. I would say, you know, policymakers, you know, commercial companies, you know, the CEOs, the corporate boards, and then, you know, folks on the hill, like, you know, kind of, reprioritizing, figuring out this pecking order and, empowering, enabling, you know, to get to the change and the resources that are necessary to to have this positive impact. So as as we, as a society and nation become more dependent on IT systems, you know, start relying on artificial intelligence to do things for us to make life easier and better, you know, looking at the, anticipating the attacks that are gonna be against that. Right? You know, kind of worst case scenario, Terminator movies with Skynet and, you know, like, you know, doomsday scenarios.

Travis Rosiek [: 00:38:11

So, like, you know, trying to prevent those things from happening. But it all starts with, you know, being able to help, like, CISOs be successful, help help them, you know, be able to recruit and retain, talent that understands these problems, holding organizations, and vendors and such accountable. So enabling them to be able to, make change and acquisitions more quickly, you know, kind of the, the lowest cost technically acceptable models, that the government was doing for a while, you know, maybe save a little bit of money in the near term for the government. But, you know, it had long term consequences. So, you know, I think, kind of that race to the bottom, you know, ultimately, you get what you pay for, so to speak. So I think, you know, trying to, you know, shrink margins, shrink other things from other organizations, you're you're cutting out the overhead to invest back into security and do other things. And it's not just cyber risk, you know, for companies commercially. It's it's, business risk.

Travis Rosiek [: 00:39:14

And that business risk is tied to to cyber risk. And the government side, you know, it's mission risk. The mission risk, is, you know, is part of that is cyber risk. And I think trying to translate to folks that don't understand the domain or understand, still don't think it's possible certain attacks can happen or threat actors can do this or that they would be a target. So I think there's a lot of assumptions, that had been in place that, you know, as long as I've been doing cybersecurity that still exists today. So I think, you know, continuing to beat the drum and raise awareness and educate is still, critical.

Carolyn Ford [: 00:39:49

Alright. Well, thank you. I'm gonna take us to our Tech Talk questions now. And since since we've got Valentine's Day coming right up, my least I don't even think it should be a holiday, but it's it exists. So here's what we're gonna talk about, Travis. I wanna know what piece of technology you love the most.

Travis Rosiek [: 00:40:10

So, yeah, everybody likes chocolate. Doesn't matter what shape it's in. It could be a heart or a a tree. Yeah. I mean, tech you know, just, you know, living in the DC area, I think, you know, traffic jams or any large area, you know, a crash or anything like that and just poor driving techniques and, aggressive drivers and causes backups. Like, I would say the probably the thing that causes me the most amount of of time in my life wasted is sitting in traffic. So I think autonomous driving, is probably what I'm most excited about. At some point, seeing, automobiles and, be more efficient, on the roads.

Travis Rosiek [: 00:40:53

And, you know, as we worry about the safety of that, I would say there's you know, all the human error and the deaths associated with with, auto crashes and such, are probably even more risky than any technology risk associated with kind of the autonomous driving. So I think I'm more interested in, very, you know, excited to kinda see that evolve more quickly. I think it'll be it'll be good for for society as a whole.

Carolyn Ford [: 00:41:22

Yeah. Okay. See, I would have just gone straight for I wanna teleporter, but we can take it baby steps, Travis. We'll start with autonomous driving and then teleport. Right.

Travis Rosiek [: 00:41:35

That's back to the ABCs, my government days. I got or kind of, you know, buy what's somewhat, near term.

Carolyn Ford [: 00:41:44

That's right.

Travis Rosiek [: 00:41:45

And the create side is the longer term.

Carolyn Ford [: 00:41:47

Yeah. Keep keep your feet on the ground. Good. Good. Well, thank you so much for your time today.

Travis Rosiek [: 00:41:53

Oh, thank you, Carolyn. Great speaking with you today. Very much enjoyed it.

Carolyn Ford [: 00:41:58

Yeah. It was a fun way to spend an hour. And thanks to our listeners. Please share and smash that like button, and we will talk to you next time on Tech Transforms.

Carolyn Ford [: 00:42:09

Thanks for joining Tech Transforms sponsored by Dynatrace. For more Tech Transforms, follow us on LinkedIn, Twitter, and Instagram.