Episode 81
Beyond Compliance: Elevating Cybersecurity Practices with Travis Rosiek
As technology rapidly evolves we as a nation need to anticipate the attacks that may come about as a result of that innovation. Travis Rosiek, the Public Sector CTO at Rubrik and former Leader at the Defense Information Systems Agency (DISA), joins Tech Transforms to talk about how the government’s approach to technology and relationship with industry has evolved over the last twenty years. He also discusses compliance, including FedRAMP compliance, managing the vast amount of data that is generated daily across the government and industry, and the importance of the U.S. Government building cyber resilient systems. Catch all this and more on this episode of Tech Transforms.
Key Topics
- 00:00 Government fielded and tested tech capabilities, explained compliance.
- 05:23 Enhanced security collaboration, compliance, and risk minimization.
- 09:14 Experience in government and commercial capabilities. Innovation.
- 10:12 Commercial companies prioritize profitability over long-term planning.
- 14:38 Challenges in public sector recruiting and retention.
- 18:49 Outsourcing SaaS applications frees up resources. AI evolving, human input remains essential.
- 22:33 Assessing incident response: Operational evaluation, not just compliance.
- 25:57 Vendors and program office face process challenges.
- 29:46 Secure cloud data access: visibility, risks, controls.
- 32:27 Emphasizing need for security in IT systems.
- 36:44 CISOs face challenges in evolving tech landscape.
- 38:11 Support CISOs, recruit and retain talent, accountability.
Evolving Cybersecurity Practices: A Shift to 'Cloud Smart' Strategies
Travis's Perspective on Cloud Misconceptions
Travis discusses the early days of cloud adoption, which were often fueled by misconceptions about its benefits. The migration toward cloud computing was commonly believed to be a cost-effective solution that would reduce expenses and simultaneously enhance security. However, he points out that this was not always the case. Many organizations have since realized that the initial cost of moving to the cloud can vary greatly based on specific use cases and applications. This realization has led to a strategic shift toward what Travis refers to as a "cloud smart" approach. Highlighting the need for a more discerning and tailored evaluation of how cloud resources are utilized.
The Role of Commercial Companies vs. Government in Problem-Solving: "Industry is great about solving problems. You know, driving that capitalism type of culture, building capabilities, selling solutions. And they're quicker to implement, adapt and deploy capabilities where the government is very slow in implementation of these you know, they can figure out the problem." — Travis Rosiek
The 'Cloud Smart' Strategic Approach
Taking a "cloud smart" approach indicates a maturation in the perception of cloud services by government agencies and businesses alike. Rather than a blanket strategy of cloud-first, Travis indicates that there is now a more nuanced consideration of when and how to use cloud services. He underscores the importance of aligning cloud adoption with an organization's unique needs. Including the potential scalability, security and cost implications. This approach suggests a collaborative and informed decision-making process. Recognizing that the cloud offers a variety of solutions, each with different features, advantages and trade-offs that must be carefully weighed against organizational goals and objectives.
Navigating Cybersecurity Practices in Cloud Migration
The Balance of Technical and Non-Technical Implications in Cloud Migration
Travis discusses the intricacies involved in organizational cloud migrations. Emphasizing that these undertakings are not solely about technological transitions but also encompass a variety of non-technical considerations. The shift to cloud-based services goes beyond mere data storage and infrastructure changes. It affects strategic business decisions, financial planning and operational workflows. Necessitating a comprehensive evaluation of both the potential benefits and the challenges. Organizations must be acutely aware of the detailed shared responsibility models that cloud service providers outline, which delineate the security obligations of the provider versus the customer. Understanding these responsibilities helps in effectively managing the risks associated with cloud computing.
The Importance of Human Oversight in AI: "But you still can't take the human out of the loop." — Travis Rosiek
The Demand for Advanced Cybersecurity Practices in Multi-Cloud Environments
Travis highlights a significant challenge in the cybersecurity landscape, which is the scarcity of skilled professionals equipped to manage and protect complex multi-cloud and hybrid environments. As organizations increasingly adopt a mix of cloud services and on-premises solutions, the demand for cybersecurity practitioners with the necessary expertise to navigate this complexity grows. However, attracting and retaining such talent is difficult due to competitive job markets and the limitations of government pay scales. This is compounded by the extensive skill set required for modern cloud environments, including not only security but also knowledge of cloud architecture, compliance and various cloud-specific technologies. Travis underscores the need for specialized personnel capable of addressing the advanced cybersecurity concerns that arise from this intricate, dynamic infrastructure.
The Evolution of FedRAMP Compliance
FedRAMP Compliance: A Shared Burden
Travis sheds light on the evolution of the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization and continuous monitoring. While it is often perceived as a costly and time-consuming barrier for vendors seeking to serve government clients, Travis emphasizes that the journey to FedRAMP authorization is not the sole responsibility of vendors. Government sponsors engaged in this process also bear a significant load. This dual burden requires commitment and collaboration from both parties to navigate the complexities involved in achieving FedRAMP compliance.
Strategic Cybersecurity Practices to Navigate FedRAMP Compliance Challenges
Travis goes into further detail regarding the collaborative challenges of attaining FedRAMP compliance. On the government side, a sponsor’s role in shepherding vendors through the process can be incredibly taxing due to staffing and resource constraints. Furthermore, the procedural nature of the FedRAMP framework can prove to be a linear and lengthy ordeal for all involved. Travis suggests that greater investment to ease the procedural efforts for government stakeholders could potentially improve the efficiency of the overall process, helping it to mature and ultimately relieving some of the burden for both vendors and government sponsors.
Addressing Data Volume and Security Risks in Modern Cybersecurity Practices
Data Categorization and Classification
Carolyn highlights the daunting challenge of classifying the vast amounts of data that individuals and organizations are responsible for. Travis acknowledges this burden, especially given the exponential growth of data in today's digital landscape. He underscores that as data multiplies rapidly and spreads across various platforms – from cloud services to mobile devices – accurately categorizing and classifying it becomes more critical yet more difficult. Ensuring the security and proper handling of this data is paramount as mismanagement can lead to significant security breaches and compliance issues.
Cybersecurity in the Era of Cloud and Mobile Computing: "If you can't answer some of those basic questions on visibility, you're gonna struggle protecting it." — Travis Rosiek
Adapting Cybersecurity Practices to Combat Data Volume Surge
Travis points to a report produced by Rubrik Zero Labs that sheds light on the continuous surge in data volume within organizations, often experiencing growth by significant percentages over short periods. This expansion amplifies the challenge of safeguarding critical information. Moreover, the need to provide accurate access control increases in complexity when data resides in a hybrid environment. This includes multiple clouds, on-premise servers, and SaaS applications. The continuous monitoring and protection of data across these diverse and dynamic environments present an ongoing challenge for data security professionals.
Complexities in Data Access Controls
Carolyn and Travis discuss the need for visibility in distributed data environments, as knowing what data exists, where it is stored and who has access to it is fundamental to securing it. Travis advocates for the NIST Special Publication 800-160 as an additional resource that can guide organizations toward building cyber resilient systems. Its principles of anticipating, withstanding, recovering and adapting offer a strategic approach to not just responding to cyber threats. It also prepares for and prevents potential data breaches in complex IT and data environments.
Strategic Alignment of Cybersecurity Practices with Governmental Objectives and Zero Trust Principles
Aligning Cybersecurity Practices with Governmental Objectives
When considering the acquisition of technology within government entities, Travis highlights the importance of aligning with governmental objectives. Especially when it pertains to national defense, scalability becomes a paramount factor, as the technology adopted must cater to expansive operations and adhere to rigorous standards of security and efficiency. In the military and defense sectors, technologies must not only serve unique and highly specialized purposes but also be viable on a large scale. Travis notes that achieving this balance often requires a nuanced approach that can accommodate the specific needs of government operations, while also being mindful of the rapidly evolving landscape of technology.
Cybersecurity and Organizational Resilience: "Having a false sense of security, you know, in anything we build, overly trusting things or having a false sense of security, is probably our Achilles' heel." — Travis Rosiek
Emphasizing Security Principles and Zero Trust
Travis underscores the central role of security principles in the process of technology acquisition and he places particular emphasis on the concept of Zero Trust. An approach to cybersecurity that operates on the assumption that breaches are inevitable and thus requires constant verification of all users within an organization's network. Travis argues that adopting a zero trust framework is crucial for government agencies to protect against a vast array of cyber threats. By following this principle, organizations can ensure that their acquisition of technology not only meets current operational demands but is also prepared to withstand the sophisticated and ever-changing tactics of adversaries in cyberspace.
The ABCs of Technology Implementation
The Adoption, Buying and Creating Strategy
Travis reflects on a strategic approach he learned during his tenure at DISA, known as the ABCs. A methodology imparted by then DISA director General Charlie Croom. This strategy prioritizes the use of existing commercial technologies, emphasizing 'adoption' as the primary step. By leveraging commercially available tech, organizations can tap into advanced capabilities and integrate them into their operations swiftly. The 'buy' component encourages the procurement of already fielded technologies or platforms. This may not be commercially created but has been proven in practical governmental applications. Lastly, 'create' is seen as a last resort. Reserved for instances where the needs are so specialized or critical that a bespoke solution is warranted. Often due to unique use cases or strict national security concerns.
Strategic Balancing of Commercial Speed and Government Foresight in Cybersecurity Practices
In discussing the rationale behind the ABCs framework, Travis reveals the nuanced balance required in government tech implementations. While commercial entities' speed to deploy novel solutions can address particular gaps, government institutions often play a crucial role in identifying and tackling long-term, complex challenges. Especially in defense, the need to build solutions from the ground up may arise when existing products fail to meet the stringent requirements of security-sensitive operations. Conversely, commercial technology's versatility is a critical asset. This marked a shift from the government's historical tendency to primarily develop its own technology solutions. Travis urges organizations to use this strategic framework to make informed, prudent decisions that consider both immediate needs and long-term strategic objectives.
About Our Guest
Travis Rosiek is a highly accomplished cyber security executive with more than 20 years in the industry. He has built and grown cybersecurity companies and led large cybersecurity programs within the U.S. Department of Defense (DoD). His experience spans driving innovation as a cybersecurity leader for global organizations and CISOs, to corporate executive building products and services. His impact has helped lead to successful IPOs (FireEye) and acquisitions (BluVector by Comcast).
As a Cyber Leader in the U.S. DoD, he has been awarded the Annual Individual Award for Defending the DoD’s Networks. Travis currently serves as the Public Sector CTO at Rubrik helping organizations become more cyber and data resilient. Prior to Rubrik, Travis held several leadership roles including the Chief Technology and Strategy Officer at BluVector, CTO at Tychon, Federal CTO at FireEye, a Principal at Intel Security/McAfee and Leader at the Defense Information Systems Agency (DISA).
He earned a Certificate from GWU in Executive Leadership and graduated from West Virginia University with Honors while earning multiple Engineering degrees. He also was one of the first of ten students from across the nation to be awarded a scholarship from the DoD/NSA’s in cybersecurity. His pioneering mindset has helped him better secure our nation and commercial critical infrastructure. Additionally, Travis is an invited speaker, author (blogs, journals, books) and has also served on the NSTAC, ICIT Fellow and multiple advisory boards.
Episode Links
Transcript
Hi, welcome to Tech Transforms. I'm Carolyn Ford. And today, I am pleased to welcome Travis Rosiek. He's the Public Sector CTO at Rubrik. And I had the opportunity of hearing Travis speak on a panel at Billington Cybersecurity Summit, just this past September. And I wanted to hear more from him after that panel. He's had a fantastic career.
Carolyn Ford [:He started at DISA before he moved to industry as he continues to assist government through the private sector. Travis has a unique opportunity to provide us insights in the ever-evolving relationship between government agencies and providers, which, I mean, now it's not just a lip service kinda thing. Like, partnership between industry and government is crucial. And it really is, I think, the only way forward. So Travis having this experience is, it's unique. So he's gonna talk to us today about how agencies and providers are approaching cybersecurity, compliance, and data protection. So with that, welcome to Tech Transforms, Travis.
Travis Rosiek [:Hi, Carolyn. A pleasure to be with you today. Very flattered, and thanks for the kind introduction.
Carolyn Ford [:Yeah. Well, it's I we're like I said, I'm excited to have you. The comments that you made on the zero trust panel were, like, perfect sound bites. The stuff that you said during that panel, I'm furiously jotting it down during the panel. And, so I'm counting on you to give me some more sound bites today, Travis.
Travis Rosiek [:No pressure. I'll do my best.
Carolyn Ford [:So like I said, your career, I mean, it has spanned, decades. I'm not gonna date you. But you started on the Red Team at DISA, and then you moved to growing cybersecurity companies and leading large cybersecurity programs within the DOD. So I wanna start off with how have you seen, the relationship between government agencies and cloud providers, and industry for that matter, how have you seen it evolve over your career?
Travis Rosiek [:Wow. I would say Yeah. I would say quite a bit over the years. So, I think, you know, starting out in the early days, you know, fielding capabilities, testing them, going through that process, You know, the government, you know, DOD STIG, for example, the certification accreditation process. Commercial technology vendors didn't understand it. You know, it was, you know, acronym soup, the details, getting exposure and understanding of what the tests were for. So trying to help vendors, understand, you know, what some of the compliance requirements were, getting through, the DOD STIG process, explaining to them that process, which was definitely in the early days. The government wrote STIGS back then, so they were kind of the ones doing the authorship.
Travis Rosiek [:Now the vendors have some of the responsibility to create those kind of guidance on how to harden the platforms. They have much more understanding of, you know, secure software development, some of the assessment methodologies.
Carolyn Ford [:Wait. So DISA takes, STIGS from industry and writes it in? They're okay.
Travis Rosiek [:Yeah. So originally, DISA would create all of the STIGS. I actually helped write some back in past lives. But now some of the vendors have to, produce guidance on the STIGs because they understand their underlying technology better than the government. So how is actually written and comes together. So the devil's in those details on what really exposed. Some of it's a little bit of trust and transparency as well. Like, are they, are they are they doing it the right way? But it has to go through a vetting process and different types of assessments and accreditation boards and stuff.
Travis Rosiek [:So it's it's quite a lengthy process. But in the old ways, the government was a hindrance. Like, they couldn't keep pace with all of the the you know, the technology just exploding, so they couldn't keep pace with that.
Carolyn Ford [:That was we still kind of see that. Right? That the technology and industry is outpacing, the ability to keep up with or or the certifications. Actually, we're gonna we're gonna come to that. We're gonna talk a little bit about FedRAMP so keep keep going.
Travis Rosiek [:Yeah So not a new problem, just a different different perspective. So Mhmm. Yeah. So the vendors you know, that that public private partnership on trying to collaborate hardened transforms. You know, obviously, there's regulation and other things that have been kind of, peppered in there over the years. But yeah.
Travis Rosiek [:It's it's been a really, a lot more focused collaboration on building, these secure solutions. Obviously, being on the, you know, red team background. Yeah. Obviously, you know, there's more that can be done, I believe. So, like, I've been on the, you know, kind of the bleeding edge kind of pushing to do more, and harden you know, building more cyber resiliency in. I think fundamentally, compliance requirements and it's really about mitigating risk or minimizing risk. So compliance requirements, don't change as fast as, cyber threat actors and their, tactic, techniques, and procedures. So they can evolve much faster than any of the cyber defenders, the companies, etcetera.
Travis Rosiek [:So, you know, I think, you know, being able to up do software updates. You know, if there is a vulnerability that's found in software, how do you patch it and how do you get it pushed out to your customer base quickly? And then, obviously, the last couple years have been, another challenge or another evolution of cyber threat actors is that whole, the supply chain attacks. Right? So cybersecurity supply chain supply chain in general is another big attack vector and another, critical area that the government's really been focused on how to mitigate some of those threats.
Carolyn Ford [:So I heard you say there's more collaboration. I mean, it seems like back in the day, the main competitor for industry was GOTS, government technology. Is that still the case, or has it become really more of a partnership and there's governments more ready to embrace what industry has to offer. Was is that fair?
Travis Rosiek [:So yeah. So, one of the old DISA directors, General Charlie Croom, when I was at DISA, he was kind of a transformative leader, and he had the ABCs. And that was kind of the DISA strategy, adopt, buy, and create. So leveraging commercial technology, the advancement there, integrating, operationalizing it was top of top of mind. Leveraging things were already acquired or in use, by other services and then buying capabilities and then building them was like last resort. So I think depending on the niche or the focus area, that that that aspect is always, you know, kind of, up for, you know, argument about what's the best path. But I think system integrators and others, you know, some of these technologies have been around 20, 30 years. So different types of systems.
Travis Rosiek [:It's it's really hard to get a commercial company to go create something that only fits 1 use case or 1 customer. So I think sometimes it makes sense for the GOTS approach or it's so specialized or uber sensitive from a national security perspective, you know, where supply chain security components, everything is tightly controlled. Those solutions don't scale well. Like, you couldn't mass produce it, but for certain use cases, it comes at a premium to build to build it well and build it right. You know, competing priorities a little bit. So outsourcing everything and then you're kind of, you know, at the whim of either the GOTS capabilities or if you outsource all of your services to service providers, you know, it's kind of 1 in the same. They just have different you know, one is more of replicating things that are in the commercial world at scale or things that are very, specifically built. So
Carolyn Ford [:Yeah. I mean, that's a really good point. Right? Industry's objectives often don't completely align with the governments, especially when it comes to the defense side. The mission is different. And so there's there's just enough nuance that the very least, there has to be some adaptation, right, for those specific use cases that you mentioned. So..
Travis Rosiek [:Yeah. And to that point, I would say, like, my experience from being different sides of the fence, fielding capabilities, assessing them, operationalizing them, or trying to build them and sell them in the commercial and government customer spaces, the government, you know, it's not profit-driven. Right? So Right. You know, in some ways, people scratch their head and, you know, you have to spend money or you lose it kind of thing when it comes to end of the fiscal year. But what the advantage is, the government is unique in that it can actually study these hard problems and kinda look over the horizon. So, you know, identifying risk and driving, innovation in the industry by identifying a problem in the future and then getting commercial companies to go address that problem. So I think from that perspective, if the government, you know, didn't have those resources to study those problems, raise awareness, you know, in the future and driving that innovation, like, that that's where that comes from.
Travis Rosiek [:On the commercial side of things, you know, commercial companies, they don't they don't study these problems. Right? They're kind of, I think, you know, depending on the role in the organization or regulation, primarily focus on achieving compliance and, you know, pro you know, being profitable. So I think maybe there's an overdrive to be profitable over some of the shortsightedness that that leads to. So they're not really looking that far into the future for certain things because, you know, it's it's only going to cost them money. So the government is great about identifying and studying problems. Industry is great about solving problems, you know, driving that, you know, capitalism type of culture, building capabilities, selling solutions. And they're more they're quicker to implement, adapt, and deploy capabilities where the government is very slow in implementation of these you know, they can figure out the problem.
Travis Rosiek [:They're they're very slow and, challenged to actually implement the solution. The industry builds a solution, the government identifies the problem, and that's kind of trying to short circuit that, dynamic. It's kind of where we run into a lot of nontechnical challenges, like acquisition laws and processes.
Carolyn Ford [:Right. And everything you just described is why its important for industry and government to have a really tight partnership they come at things from a little bit from a different perspective, a lot from a different perspective. It's like yin and yang. Right?
Travis Rosiek [:Yeah. A 100%. Yeah. That's that's a great analogy.
Carolyn Ford [:So let's talk about some of the best practices that you've discovered when it comes to having shared cybersecurity models between agencies, and let's get specific cloud providers. You mentioned something before we started recording. I'm gonna let you say it about moving to the cloud and security.
Travis Rosiek [:Yeah. Just over the years kind of looking at, you know, in the early days of cloud and kind of, the exploration of that back I was still on the DOD days kind of looking at that in security, in risks. You know, there's a lot of things to consider, but I think the rapid move to the cloud in the past was really driven not by the security folks. It was driven more by, you know, the IT transformation and, you know, CFO kind of business driven. I think the myth around like it's going to be cheaper to move to the cloud and it's going to be secure or or it's going to alleviate the need for security.
Carolyn Ford [:We can just hand it all over. Somebody else will take care of it.
Travis Rosiek [:Exactly. And we'll save money in the process. Yeah. Yeah. You know, there there's no free lunch in life. Right? There's always there's always implications and costs. So in some use cases, moving to the cloud definitely is cheaper, depending on what you're using it for in the application.
Carolyn Ford [:Well, would you say maybe in the long run? Like, this is a long-end game here. This moving to the cloud is a marathon. It is not a quick hit save money by moving to the cloud. But eventually, you're gonna be more secure. You will well, I don't know. Will you save money in the long run?
Travis Rosiek [:Well, it's all case-by-case dependent. So, you know, the government over the last several years had a cloud first initiative.
Carolyn Ford [:Mhmm.
Travis Rosiek [:So I don't know if it was a driver more to sponsor the use in leveraging the cloud and building the maturity on it. But now they've kind of transitioned to a cloud smart approach. So where you don't have to mandate, I you know, your applications and stuff to go to the cloud first. It's more of a smart approach. So which cloud provider? They offer different capabilities, feature functionality, cost models, you know, expertise. Some things are better to have on premise or in your own environment. Cyber resiliency is another big thing and connectivity. So I think I think cloud smart is definitely the right approach because, you know, not every you know, all not one size fits all.
Travis Rosiek [:Right? So you kinda have to and, really, the devil's in the details in all of this. So I think in the beginning, people didn't really understand the implications, the technical, nontechnical components. You know, there is a shared responsibility model. So when when you pass something into a cloud service provider, you know, you don't have you know, you not resolved all the cyber risk and all the responsibilities there. So I think having that understanding, and then over the years, you know, when when there is an issue with a cloud service provider or the customer has to fix things and data is exposed, your entire security operations chain. Like, the the, the processes have to evolve and adapt with your IT transformation. And I think the IT teams, security teams usually don't get along. They're different contract vehicles, different organizations.
Travis Rosiek [:So in some ways, they kinda have competing priorities. They're they don't you know, the right hand doesn't always know what the left hand is doing. So I think, you know, we've seen some of those growing pains over the years, commercial industry and in government, where, you know, even, you know, we talk about collaboration between, you know, public-private sectors. I think even internal to the, different teams within within an organization, whether it be private or public sector. But yeah. So if your data is in this, multi-cloud hybrid environment, how do you conduct instant response, you know, red teaming assessment, cyber risk? I mean, it's it's a much different, more complex environment that requires different types of skill sets. And I think one of the challenges the public sector has is, recruiting and retaining those skill sets because they're, you know, limited based on the GS Scale.
Travis Rosiek [:Right? So there's certain career fields in the government that pay more comparable to commercial industry. But, obviously, in this space, I think CISA and some other places are trying to create more of a cyber career field where they can offer competitive pay with respect to commercial industry. But when there's 800,000, you know, job openings in cybersecurity, that's that's still a very difficult challenge.
Carolyn Ford [:Right. So I think I heard you say, as far as best practices for a cybersecurity practice and partnering with your cloud provider, it's not a, we don't need a security team. We don't need security practices anymore. It's a we're we have a cloud provider. They have their security. Oh, look. This is one more layer in our security practices. And not only that, are the security practices, the security posture that we have had, some of it will still apply, and we're gonna have to adapt to this new environment.
Travis Rosiek [:100%. Yes. It's the complexity level definitely has gone up. Like, the demands and requirements for that complexity, that expertise has increased. So, yeah. Again, going back to studying the problem, understanding it, and making sure you have, you know, in the government, the DOD DOTMLPF. Right? So understanding soup to nuts, you know, from policy and doctrine all the way to the resourcing and staffing side of things, what has to be in place. So tabletop exercises, red team type exercises, bringing all the stakeholders together and kind of wargaming certain worst case scenarios, is how I like to plan.
Carolyn Ford [:Yeah.
Travis Rosiek [:Mitigate risk, what's the worst possible thing that can happen, and then, work backwards. So I think those things are really important for an organization to kinda look at. You know, it's you know, from, you know, cloud service providers, I mean, they're not saying we do everything either. Right? So they they'll they'll, you know, they'll come out and bluntly say, like, you know, you're still responsible for protecting the data or what's in the cloud. You know, we're gonna protect the infrastructure or the underlying platform. But what happens up there is, you know, you're responsible for doing the monitoring. And then historically, you know, my experience is, you know, contractors you know, a lot of the work is outsourced and contracts are written for certain skill sets. And it takes time for those contracts to be re-competed or, get plussed up for money to add more expertise or diverse skill sets.
Travis Rosiek [:So, you know, it's it's, it's a very complicated environment in the government space to be successful and, you know, kind of that forward looking process. You know, planning ahead definitely helps a lot, but, you know, the way technology evolves, it evolves quicker than, you know, what the palm cycle is or what the, you know, 3 to 5 year planning is with government, budgets. So I think I think that's kind of where part of the dynamic is, where commercial industry, you know, if they need a critical, item, they can move funding around or or prioritize funding and make those investments much quicker.
Carolyn Ford [:So you keep bringing up how complex the cloud has made things. So how does AI fit into this? Is AI a problem solver to some of this complexity?
Travis Rosiek [:So yeah. I so I think I mean, so moving to clouds and SaaS applications alleviates, you know, some of the resource constraints and expertise. So there's only a limited number of, you know, technologists in America, in the U.S. that have clearances, etcetera. So basically, when you outsource and leverage the expertise for, various solution providers in a SaaS application, then that that kind of frees up your own resources to do other things and solve other problems. So I think I mean, there's definitely a lot of advantages and economies of scale there. But from an AI perspective, I think trying to so, I mean, it's definitely evolving, but I think, you know, some of those hard tasks and some of those hard challenges, it can definitely help accelerate, speed up the process for detecting threats, identifying risks, getting awareness and things, but you still can't take the human out of the loop. So I think that's, you know, the other important thing. In many of these, networks environments, understanding the mission, what's important, where critical systems and applications, you know, some of those things are just institutional knowledge within organizations.
Travis Rosiek [:Maybe it's not always written down. So adapting, you know, AI to that problem set, you know, it's it's not a, you know, it's not a perfect fit. Or having the data to build the algorithms correctly is also another challenge. So I think, you know, humans in the loop are gonna be there for many of these, use cases going forward, but it definitely can help address, some of the workforce challenges or shortages in in certain areas.
Carolyn Ford [:Mhmm. So we've kind of danced around this a little bit with moving to the cloud and the cloud smart initiatives. So let's talk about compliance. It's such a dirty word. Like, my compliance is due, you know, all the training so we can check the box, which honestly, like, that's kind of that's how I think of compliance. So and I know that it's probably not the right way to think about compliance. Compliance is there as guardrails. Right? But let's talk about how agencies, private sector, evaluate compliance requirements, and what are some of the cybersecurity measures that can build on those requirements?
Travis Rosiek [:Sure. Yeah. I mean, I to your point, it should be the, you know, the floor, not the ceiling. Right? So achieving compliance shouldn't be the goal of an organization. Unfortunately, I think it is in many cases because that's
Carolyn Ford [:Because it takes so much time, Travis, to check those boxes.
Travis Rosiek [:Yeah. Well, it it I mean, it's again, it goes back to the complexity of the problem. Right? So, yes, it does take a long time. I think yeah. I mean, a lot of the budget is spent just in that process, which I think is, you know, kind of a catch 22. It’s you know, a necessary evil, so to speak. But, at some point, you know, reinvesting all that manual process and time into, you know, implementing innovation. But we're, you know, we're at the part where, you know, trust but verify.
Travis Rosiek [:So, you know, you know, there's still yeah. I mean, you know, getting to the continuous monitoring state where all this is automated, you know, it's the complexity and, it's it's just a challenge.
Carolyn Ford [:Wait. Wait. Are you suggesting that rather than make me take my compliance training every year, there's continuous monitoring to see that, oh, Carolyn has complied all year. She doesn't need to take this training again. Like, I'm totally dumbing it down, I know, but is that what you're saying?
Travis Rosiek [:Yeah. So, I mean, my experiences are I would, a mentor of mine in my government days would would would ask me and my colleagues, you know, what's what's the purpose of incident response? Like, what are we really getting from it? And, you know, yeah. People would say, well, we could figure out how the attack happened, what the impact was, how to fix it, you know, etcetera, etcetera. And he was like, well, yeah. I mean, that's that's, you know, the you know, that's kind of the direct answer, but, really, what's what's the so what piece of it? And then after a lot of deliberation and brainstorming and stuff, the answer that resonated was it's really your opportunity to assess an organization operationally. So are there people, processes, and working? People, process, and technology actually working together? So when you're in the process or in the fight, can they get data? Can they identify, you know, things quickly? Can they communicate? Are they collaborating? Can they actually be cyber resilient and cyber ready? So to me, I think assessing the processes, you know, are you following processes? Are you doing things properly? More in that continuous basis is a better measure from a cyber risk perspective than just solely focusing on, you know, compliance or check the box. Like, did you take your test? Right? So Right. Anyway, to your point, I think the continuous monitoring piece really needs to get into that kind of that operational assessment or looking at the processes, in more detail than specifically just, you know, check the box type of approach.
Carolyn Ford [:Okay. Let's let's talk about FedRAMP compliance. So it is for industry, it's pretty painful to get FedRAMP authorized. There's a lot involved. So as companies look to achieve this compliance, this authorization, what advice can you provide for matching the structure of different FedRAMP levels to the needs of organizations?
Travis Rosiek [:Yeah. I mean, there's, I mean, I think we could probably do, not just 1 session, multiple sessions just on FedRAMP.
Carolyn Ford [:Oh, I'm yes. We could do ongoing forever, Travis. You could do, like, regular training.
Travis Rosiek [:Correct. Yeah. I think in general, you know, seeing FedRAMP evolve over the years, it it's come a long way. I think, you know, the misnomer is the burden is only on on the vendor. Right? The vendor has to invest and do things. You know, it's cost cost, prohibitive. It's expensive. Like, I mean, yeah.
Travis Rosiek [:It is. Yes. Yes. It takes a long time. But I think, you know, also having on the government side of things, you know, the sponsor that's helping get a vendor through the process is incredibly burdensome. You know? It's not like they get extra money if, you know it's not like they're compensated any differently and, you know, it's a painful process.
Carolyn Ford [:And, you know, getting that for both sides it's a painful process.
Travis Rosiek [:Exact yeah. So, you know, the government folks, you know, given the nature, you know, understaffed, under resources, the expertise, You know? So the few that are there to kinda shepherd organizations through the process, you know, it's quite burdensome on them. and they're not, you know
Carolyn Ford [:Right. It just adds to their workload.
Travis Rosiek [:You know, a lot of vendors are trying to get through the process. So they're they're inundated with that. Right. And then you get to the program office who's trying to look at it at, you know, at the last step in the process. And they have some of those same challenges. They're just kind of they're getting it from multiple angles simultaneously. So I think, you know, scaling some of that out, making that process, you know, I think it's too, you know, too linear. Like, you know, I think if you wanted to look at it from, like, efficiency perspective, there's definitely some things that could that could make life easier for all parties involved in kind of the processes, in place.
Travis Rosiek [:So, yeah, I think it's evolving. It's definitely gotten better, but there's definitely room to improve and, you know, it's you know, I think it's more of a procedural thing than, you know, like, having more resources on the government side. Hey, if you're gonna sponsor or, software packages and solutions through the FedRAMP process, making that that, making investments to make it easier on the government side would be, I think, hugely helpful from my perspective.
Carolyn Ford [:Mhmm. Well and let's talk about why we really do FedRAMP. Right? Like, we're doing it we're doing it for the sake of national security. We're doing it really and that national security, when you get down to it, it's the data. Right? So the amount of data across the amount of data on my own hard drive is just unwieldy. So how important well, I mean, I think this almost sounds like a dumb question. I was just about to say, how important is categorization and classification when it comes to data security? I mean, I think it's vastly important.
Carolyn Ford [:I think I think a better question might be, how do you how do you even manage it? I mean, I used to work for an integrator, a system integrator, and I had to classify everything. And it broke my head just that little bit. I mean, maybe AI can help us with the classifications. Because sometime I'm like, I don't know. I don't know what level I don't know if I should burn this, if I should lock it up, if it's fine to just be out in the wild. So I guess let's talk about the classification, the categorization, and then just the burden of even doing that on all this data.
Travis Rosiek [:Yeah. I mean, it's a huge a huge challenge. I mean, if you look at so, Rubrik has a, a threat intel focused team focusing, research around, cyber threats and data. It's called, the team is called Rubik Zero Labs. We we recently just, released the report. Well, probably by the time this airs, you know, maybe a couple months prior. But, some interesting takeaways from that from a metrics perspective. But
Carolyn Ford [:What's it called? Rub Rubik?
Travis Rosiek [:Rubik Zero Labs.
Carolyn Ford [:Zero what? Labs. Labs. That's the name of the report?
Travis Rosiek [:That's the name of the group, who produces the report. Yeah. So if you if you just Google that, you'll see all of the historical reports, some pretty interesting data around trends. So we do some external surveys and research, you know, not cost not our customers, but just in general, across, various, continents and commercial organizations predominantly. But when they just look at the, the proliferation of data within their organization, I mean, it's just you know, within, like, 18 months, you know, we're talking 40, 50% growth of data within their environment. So if you think about that over 3 to 5 years, I mean, you know, hundreds of time yeah. You know, hundreds of percent growth or, you know, 3 to 5 times growth of data within their environment.
Travis Rosiek [:So as that's moving around the multiple clouds, multiple SaaS applications on premise, mobile devices, you know, where's the sensitive data? Where's the critical data? Who has who has access to that? Where is that data? In transit and, you know, at rest, I mean, those are from a security perspective, you know, looking at risk and when there's a compromise or a breach or ransomware attacks or destructive malware attacks, bringing systems down. You know, what was impacted? You know, confidentiality, integrity, availability of the data. You know, who's had access or even insider threats in the government space. You were talking about, you know, burning sensitive data, things like that. So, you know, from an insider threat perspective, you know, who's had access to things? When did they have access? Where were they? So as the government looks to zero trust architecture, kind of looking at some of those attribute, based access controls, all the different, risk calculuses around allowing access, under what circumstances, and for how long, all come into play. But, you know, fundamentally, you know, visibility is the first foundational step. So, you know, if you can't answer some of those basic questions on visibility, you're gonna struggle protecting it. So if you don't know,
Carolyn Ford [:Yeah. Knowing what you've got, knowing where it is, who's got access, that kind of visibility. Yeah.
Travis Rosiek [:Yeah. And then I think, you know, fundamentally looking, we're talking about cloud providers, SaaS applications, etcetera. You know, there's I think, you know, everyone knows about, like, NIST 800 - 53, NIST Cybersecurity Framework, and other other standards that are exist. There's a NIST publication, called the Special Pipe 800 - 160 and it's, focusing on building, cyber resilient systems. And I don't think that one gets enough attention and focus. But but, based on some of my background and experiences, it has some really key principles around, you know, how do you build systems that survive a cyber attack? So in the in the military, the government systems, you know, we're anticipating planning for that worst case scenario. So if there is a cyber attack, or other type of disaster, or kinetic type of effect, how can the system or the environment survive and still enable the the troops and others to do the mission. So, with within that guidance, from NIST, it has 4 major goals for for building cyber resilient systems.
Travis Rosiek [:Anticipate, withstand, recover, and adapt.
Carolyn Ford [:Anticipate, withstand, recover, and adapt.
Travis Rosiek [:Correct. Yes. So I think, you know, kind of looking at, you know, the cloud environments, SaaS applications, Zero Trust architecture, I think, like, applying those goals to everything, or at least the critical systems, I think is another key component. So you knowing what you have, who has access, how do you determine if there is, you know, worst case scenario, an insider threat, a supply chain attack? Right? So, if you can't trust the system so if you put too many eggs in one basket, right, you don't have, you know, various fail safes. Like, if 1 vendor or one solution or one one environment goes down, like, how detrimental is that? Are you a is your mission success a 100% reliant on that one thing or that one vendor, or one application? So I think building some of that redundancy resiliency in that you have fail safes, defense in-depth. Right? So if one detection methodology fails, do you have other things around it to identify that it is compromised and potentially is lying to you? Right? So to me, I think having a false sense of security, you know, in anything we build, overly trusting things or having a false sense of security, is probably our Achilles' heel. So I think trying to drive complacency out. That's probably, like, my pet peeve when I meet organizations that say, hey.
Travis Rosiek [:We're secure already or we're compliant or we're secure. We don't need to do anymore. That that's kind of like you know, from a Red Teamer perspective, that's kind of, that's when you know, like, you're you're not gonna have any trouble getting into that organization.
Carolyn Ford [:Well, and I think that's where, the whole compliance thing can be really a detriment because they think or we think, okay. I've checked all these boxes. I'm safe. And I was just thinking about, so this survey that you guys do that this the Zero Labs does, you use that to build up your cybersecurity so you're anticipating what might happen to you. You're gonna look at your system, see how you can withstand it, how you can recover and adapt. So that's where you do. You take that report and make it actionable for your environment. Is that
Travis Rosiek [:Yeah. I mean, that that's what organizations should be doing a 100%. So anticipate is understanding the threat, staying, you know, current on all the evolving threats. Obviously, the government sector has, classified data sources as well. But, you know, today's era compared to 15, 20 years ago, there's a lot out in commercial industry, that, you know, or most organizations can leverage. So, I think under there's no shortage of threat intel and threat data that's, you know, publicly available today compared to, you know, 15, 20 years ago. But I think the anticipation part coupled with, you know, the compliance side.
Travis Rosiek [:So making it more risk focused, you know, like the risk management framework, things like that. But I think ultimately it comes down to, you know, answering those 4 questions. Can you anticipate or are you anticipating these types of threats or worst case scenarios? What are you doing and what investments are you making to be able to withstand, you know, ransomware attacks, you know, disinformation, you know, data modification, data corruption, you know, data availability, like, destructive malware. Like, you know, the system is down. You you can't recover it. How are you gonna, recover from that? So kind of going through and making sure from tabletop exercises, processes, you know, and then how can you adapt going forward from where your current state is? So taking those lessons learned and doing, you know, continuous improvement exercises.
Carolyn Ford [:So that's great advice for CISOs. The I mean, just to go look at that. So NIST 800 - 160. Is there any other advice that you would give CISOs when it comes to your cybersecurity posture?
Travis Rosiek [:I mean, the the problem you know, the the rapid evolution of Tech, you know, the problem set is just getting bigger. So, you know, just patience, perseverance. You know, it's it's a, definitely a difficult difficult, job for for most CISOs. Right? The, they have all the burden, but they probably don't have all the authority, budget, control and influence that they would like. So I think, I would say not so much recommendations for them, other than empathy. I would say, you know, policymakers, you know, commercial companies, you know, the CEOs, the corporate boards, and then, you know, folks on the hill, like, you know, kind of, reprioritizing, figuring out this pecking order and, empowering, enabling, you know, to get to the change and the resources that are necessary to to have this positive impact. So as as we, as a society and nation become more dependent on IT systems, you know, start relying on artificial intelligence to do things for us to make life easier and better, you know, looking at the, anticipating the attacks that are gonna be against that. Right? You know, kind of worst case scenario, Terminator movies with Skynet and, you know, like, you know, doomsday scenarios.
Travis Rosiek [:So, like, you know, trying to prevent those things from happening. But it all starts with, you know, being able to help, like, CISOs be successful, help help them, you know, be able to recruit and retain, talent that understands these problems, holding organizations, and vendors and such accountable. So enabling them to be able to, make change and acquisitions more quickly, you know, kind of the, the lowest cost technically acceptable models, that the government was doing for a while, you know, maybe save a little bit of money in the near term for the government. But, you know, it had long term consequences. So, you know, I think, kind of that race to the bottom, you know, ultimately, you get what you pay for, so to speak. So I think, you know, trying to, you know, shrink margins, shrink other things from other organizations, you're you're cutting out the overhead to invest back into security and do other things. And it's not just cyber risk, you know, for companies commercially. It's it's, business risk.
Travis Rosiek [:And that business risk is tied to to cyber risk. And the government side, you know, it's mission risk. The mission risk, is, you know, is part of that is cyber risk. And I think trying to translate to folks that don't understand the domain or understand, still don't think it's possible certain attacks can happen or threat actors can do this or that they would be a target. So I think there's a lot of assumptions, that had been in place that, you know, as long as I've been doing cybersecurity that still exists today. So I think, you know, continuing to beat the drum and raise awareness and educate is still, critical.
Carolyn Ford [:Alright. Well, thank you. I'm gonna take us to our Tech Talk questions now. And since since we've got Valentine's Day coming right up, my least I don't even think it should be a holiday, but it's it exists. So here's what we're gonna talk about, Travis. I wanna know what piece of technology you love the most.
Travis Rosiek [:So, yeah, everybody likes chocolate. Doesn't matter what shape it's in. It could be a heart or a a tree. Yeah. I mean, tech you know, just, you know, living in the DC area, I think, you know, traffic jams or any large area, you know, a crash or anything like that and just poor driving techniques and, aggressive drivers and causes backups. Like, I would say the probably the thing that causes me the most amount of of time in my life wasted is sitting in traffic. So I think autonomous driving, is probably what I'm most excited about. At some point, seeing, automobiles and, be more efficient, on the roads.
Travis Rosiek [:And, you know, as we worry about the safety of that, I would say there's you know, all the human error and the deaths associated with with, auto crashes and such, are probably even more risky than any technology risk associated with kind of the autonomous driving. So I think I'm more interested in, very, you know, excited to kinda see that evolve more quickly. I think it'll be it'll be good for for society as a whole.
Carolyn Ford [:Yeah. Okay. See, I would have just gone straight for I wanna teleporter, but we can take it baby steps, Travis. We'll start with autonomous driving and then teleport. Right.
Travis Rosiek [:That's back to the ABCs, my government days. I got or kind of, you know, buy what's somewhat, near term.
Carolyn Ford [:That's right.
Travis Rosiek [:And the create side is the longer term.
Carolyn Ford [:Yeah. Keep keep your feet on the ground. Good. Good. Well, thank you so much for your time today.
Travis Rosiek [:Oh, thank you, Carolyn. Great speaking with you today. Very much enjoyed it.
Carolyn Ford [:Yeah. It was a fun way to spend an hour. And thanks to our listeners. Please share and smash that like button, and we will talk to you next time on Tech Transforms.
Carolyn Ford [:Thanks for joining Tech Transforms sponsored by Dynatrace. For more Tech Transforms, follow us on LinkedIn, Twitter, and Instagram.