Episode 68
Insights from the Billington Cybersecurity Summit with Willie Hicks, Federal CTO at Dynatrace
On this special episode, Willie Hicks and Carolyn Ford discuss the Billington Cybersecurity Summit, as well as insights from panels, led by Willie, on workforce automation and zero trust.
Key Topics
- [00:22] Willie's Workforce Automation Panel Highlights
- [03:28] The Difference Between Training & Education
- [11:11] Securing Data In A Zero Trust World Panel Highlights
- [16:31] Willie's Experience with Constant Reverification While Working in Financial Data Protection
- [20:44] Overarching Impressions from the Billington Cybersecurity Summit
Quotable Quotes
On the Human Factor: "I think this is always the case, that the human's usually going to be the weakest link. We're always the weakest link. But that's why that constant reverification is so critical."
On Generative AI: "We can't fear these things like generative AI. We've got to embrace it. We've got to use it. We've got to figure out how to use it and use it right and use it appropriately. But we have to figure out how to use it because you know who's using it? Our adversaries."
About Our Guest
Willie Hicks is the Public Sector Chief Technologist for Dynatrace. Willie has spent over a decade orchestrating solutions for some of the most complex network environments, from cloud to cloud native applications and microservices. He understands tracking and making sense of systems and data that has grown beyond human ability. Working across engineering and product management to ensure continued growth and speed innovation, he has implemented Artificial Intelligence and automation solutions over hundreds of environments to tame and secure their data.
Episode Links
Transcript
Carolyn Ford:
Welcome to Tech Transforms, sponsored by Dynatrace. I'm Carolyn Ford. Each week, Mark Senell and I talk with top influencers to explore how the U.S. government is harnessing the power of technology to solve complex challenges and improve our lives.
All right Willie, we just finished up with your Billington panel “Striking the Balance: Building a Smart Workforce and Increasing Automation.” And I want to ask you, what were some things that jumped out at you during this panel, maybe things that you hadn't thought about or just what struck you?
Willie Hicks:
Well, first of all, it was a phenomenal panel. The caliber of panelists was top-notch. You've got DoD CIO, you've got academia from National Defense University, you've got industry. So we got a lot of interesting insight, and I took a lot away from the panel and from the discussion. I think some of the things that really kind of stood out to me that I really hadn't, I guess I hadn't considered from a workplace standpoint and things that I've always talked about. So for example, AI is not replacing the workforce we talked,
Carolyn Ford:
We've even talked about this every time we talk about AI.
Willie Hicks:
Right.
Carolyn Ford:
It is not replacing. I loved what Mark, so Mark, I can't remember his last name now.
Willie Hicks:
Gorak.
Carolyn Ford:
Thank you.
Willie Hicks:
Yes, Yes.
Carolyn Ford:
Yes. So he's with the,
Willie Hicks:
DoD.
Carolyn Ford:
DoD. Thank you.
Willie Hicks:
Yeah, CIO. Yep.
Carolyn Ford:
Yeah. So he said that, ask yourself what is rote and repetitive in your job. Those things are probably really good candidates,
Willie Hicks:
For,
Carolyn Ford:
AI and automation.
Willie Hicks:
Automation. Yeah, exactly. And what I also found fascinating there is that, and I guess I've thought about this but haven't really articulated it, is that for some period of time, it's not even a worry of AI taking jobs away. AI is probably going to add some jobs to it.
Carolyn Ford:
Well, yeah, but they mentioned that, right?
Willie Hicks:
Yeah. Yeah. Because there's this learning curve. You'll have to be retrained because those rote, repetitive tasks, those are what AI is really good at. But there still needs to be the workforce that maintains the AI that does it. Let's think about it from a cybersecurity standpoint. AI might be really good at finding the anomaly, looking at hundreds and thousands and tens of thousands plus logs and data points. And in that noise, finding that anomaly that might be a real security vulnerability. And we talked about this actually before the panel began, that a hybrid workforce is great for this because you could have someone sitting at home. You don't always have to be in a SCIF. You don't always have to be in a secure facility, like a physical government SCIF, because maybe that SCIF has been translated to a local, somewhere local, maybe your house, maybe it's been secured enough where you could get that alert, analyze it and say, oh, this is real. That's something you could do.
Carolyn Ford:
Right. And we need those critical thinkers. To Amy Hamilton with DOE, whose part of the academia,
Willie Hicks:
No. She's at National Defense University.
Carolyn Ford:
That's what she said. She's like, there's a difference between training and education. Training is teaching people how to use a tool or a thing. Education is teaching people to be critical thinkers.
Willie Hicks:
Right.
Carolyn Ford:
And to your point, freeing up those, letting the AI find the problem, send the alert.
Willie Hicks:
Right.
Carolyn Ford:
Now we need the critical thinkers.
Willie Hicks:
Right. Because that's the thing. AIs are actually better at those menial, kind of monotonous tasks where that's where people make mistakes, they get tired, they're looking at the same screens over and over,
Carolyn Ford:
Oh, they're soul sucking.
Willie Hicks:
And over it.
Carolyn Ford:
It makes me want to throw my computer out the window.
Willie Hicks:
Right. And you're just looking at a dashboard and you're just looking for that noise, trying to look for that alert. People can make mistakes. People can miss that. They can be tired. They had a bad night, they're not feeling well. The AI doesn't have a bad night. The AI doesn't get tired.
Carolyn Ford:
Doesn't care.
Willie Hicks:
It is very good at that one very specific task. And when it finds that, it's going to send it to a human that's really good and now critically analyzing that to say the AI is saying that this is an anomaly, that this might be a problem. Let me put a little bit more analytics into it. Let me put some human thought into it to see this is something we really need to execute on. And to the point that was added earlier that we've trusted, and let's just take AI out of it, we've trusted automation for decades now. The car industry.
Carolyn Ford:
Right. Right.
Willie Hicks:
There are very few people who build an actual car. I mean, there used to be the days of the assembly line where you had hundreds of people and they riveted and bolted and built every component of that car. Robots build most of that today. We don't have a problem with that. I mean, this is not my,
Carolyn Ford:
Well, it's become normalized. In the beginning though, I bet they had the same fears.
Willie Hicks:
The same fear. Yeah. Yeah.
Carolyn Ford:
And in fairness, it did put people out of jobs. But there were new jobs to step into.
Willie Hicks:
And there were training programs. That was the whole, I mean, I grew up through a lot of that period of time where we were talking about exporting jobs and automating jobs, and there were big jobs programs, training programs to make sure that the workforce was retrained. Some people did lose those initial jobs, but we're in a market today where honestly, there are more jobs than people to take them.
Carolyn Ford:
Right. Well,
Willie Hicks:
So.
Carolyn Ford:
To your point, you opened up the panel with right now, today there are 700,000,
Willie Hicks:
Thousand.
Carolyn Ford:
Cybersecurity jobs that are open.
Willie Hicks:
Right. And that's just not an anecdote for me.
Carolyn Ford:
That's probably an underestimate too.
Willie Hicks:
And that's from the Homeland Security subcommittee.
Carolyn Ford:
Yeah.
Willie Hicks:
They were interviewing and had some industry and government experts there. And their estimate is, yeah, we've got, that's close to a million cybersecurity jobs that we need to fill. This is why AI is so important, and automation is so important.
Carolyn Ford:
Well, and to your point that AI's creating new jobs, we need people, and I think Mark actually mentioned this, we need people in those AI jobs to create the AI, to run the AI.
Willie Hicks:
Right.
Carolyn Ford:
So I wanted to talk about something Alberto said. They were talking about training and how do we make the workforce more comfortable with AI and with the new technology coming. And Alberto said, it's our goal to make training obsolete. And talk about that a little bit.
Willie Hicks:
No, no, and this is a good point. It was a little bit of a divergent point, but where say for example, Mark was coming from a DoD perspective is how do we train the workforce? Some of these systems are very complex and we've got to spend a lot of effort and time. I think he was saying somewhere maybe spending a day every week in training. So you're talking about maybe, and we do this in industry too. We have a lot of training that's given to our developers, to our cyber teams. We might spend weeks or months sometimes training on secure coding practices and all. And then Alberto said, well, we should just be making the software more user-friendly, making sure we don't have to do that much training because we have to do that much training, there might be a problem there.
Carolyn Ford:
Right. Make it more intuitive.
Willie Hicks:
Make it more intuitive.
Carolyn Ford:
And I'm all for that, man. I just want to be able to push a button.
Willie Hicks:
Right. And there was consensus across the board that UX and design of these applications and systems needs to be better. And the point I've made to Mark, and I'm curious from just our conversation in the past, I'm really big on public private partnerships and Mark had mentioned kind of in their training cycles, they have feedback loops so they can get feedback into,
Carolyn Ford:
Yeah.
Willie Hicks:
Is this valuable training? What was difficult about it and so forth. Then my question to Mark and to the panel is how can industry be exposed to some of that feedback?
Carolyn Ford:
Yeah. Is it getting back to industry?
Willie Hicks:
Industry.
Carolyn Ford:
He said, no, not yet.
Willie Hicks:
Yeah, not yet. Because,
Carolyn Ford:
Not yet.
Willie Hicks:
That could help us, because we do this from our UX design. We'll go to customer focus groups and we'll have these different ways that we vet our designs and so forth. But I think it would be fascinating if we could get direct feedback from, especially I focus on government, but I would like to get direct feedback from my agencies knowing not just to complain about, oh, I don't like this or whatever. No, just actual feedback on this UX design is not working.
Carolyn Ford:
Right.
Willie Hicks:
And it's too difficult for my employees to navigate or to understand or the data that's coming out of it, I need two or three people to interpret it. That's a problem. And we need to get that kind of feedback back. And we don't have that kind of feedback loop coming back into, at least from the public sector. I'm not seeing that.
Carolyn Ford:
Yeah. Yeah, I agree. So I want to move on and talk about your impressions from your panel on zero trust and securing data in a zero trust world. But before we move to that one, do you have any other thoughts that you wanted to mention on this panel on automating the workforce?
Willie Hicks:
us, to augment us [inaudible:Carolyn Ford:
Yes.
Willie Hicks:
And it was heartening to hear that this is kind of what I'm seeing. I see this from industry, but this is actually kind of propagating throughout the whole of the public sector. So it's just really a lot to take in.
Carolyn Ford:
Yeah, yeah. I agree. All right, so let's switch gears a little bit and talk about the panel that you moderated on zero trust and securing data in a zero trust world. I'm just going to start you off with what struck me the most is they all hated the term, and when I say they all like the govies especially really hate the term zero trust. I haven't heard that before. Have you?
Willie Hicks:
I can't say I really have not as fervently as everyone was just like, let's stop calling it zero trust because zero means nothing. There's no trust. It was kind of a, I can't remember what one of the panelists said. They didn't call it zero trust, they called it earned trust maybe.
Carolyn Ford:
I can't remember all the terms they,
Willie Hicks:
I go to back to my,
Carolyn Ford:
Used to either. Yeah, same.
Willie Hicks:
But they came back out with,
Carolyn Ford:
They just really did not like it.
Willie Hicks:
But I think another thing that also came, not in the panel, but after the panel, I was talking to a couple of individuals who were sitting there, and one thing that I think the panel wanted to get across, but a lot of people in the audience wanted everyone to understand is that zero trust, this is not new.
Carolyn Ford:
Right.
Willie Hicks:
I mean, it's,
Carolyn Ford:
Well, Shane said we've been doing this forever.
Willie Hicks:
Ever. Yeah.
Carolyn Ford:
This is cyber hygiene.
Willie Hicks:
That's exactly what I wanted to get to. This is just good cyber hygiene. This is, and these ideas about zero trust, the DoD and even industry have been really championing this type of, not really zero trust, but constant verification, reverification of identity and credentials. This has been something that has been around for many years. Now post Solar Winds, post Log4j, all of these. And it's just becoming more and more important that this is the industry and private sector and public sector really start to embrace this across the board because it is in our nation's best interest,
Carolyn Ford:
Yeah.
Willie Hicks:
But it's not anything new. So that's just something I,
Carolyn Ford:
Exactly. Well, and I really liked the different perspectives that we had. So we had Shane Barney, and he was CIO at DHS.
Willie Hicks:
Yes.
Carolyn Ford:
So he's immigration.
Willie Hicks:
Yeah.
Carolyn Ford:
And his view of the data and what they do with it and how they manage it was vastly different.
Willie Hicks:
Right.
Carolyn Ford:
And Gerry kept pointing this out. So Gerry Caron, he's the CIO for the Department of Commerce.
Willie Hicks:
Right.
Carolyn Ford:
And he's just like, yeah, the way you look at data, what you need to do with data is really different than the way I do. And you talked about them sharing data, maybe not even sharing data, but sharing policies.
Willie Hicks:
Right.
Carolyn Ford:
And how to secure the data. And they're like, yes and, we have different missions.
Willie Hicks:
Right. Well, and I think that was brought up. They do have different missions. It was funny because a lot of things came up. It was different missions, different funding structures where I think Shane comes from a world where unlike most agencies,
Carolyn Ford:
Oh, yeah.
Willie Hicks:
They're revenue generating.
Carolyn Ford:
He has his own money.
Willie Hicks:
He's got his own money.
Carolyn Ford:
He's like I don't need anybody's money.
Willie Hicks:
So a lot of these things are, they're not fighting for budget. These are kind of key to the mission. But also I think it was interesting that you were talking about sharing data, and we talked a lot about sharing data, data classification and so forth, because there's a lot of inter-agency sharing between, especially with DHS and that cyber hygiene is important across the whole. It has to be because you're only as strong as your weakest link. And so if you're sharing this data, it's got to be common. We got to have a common framework across the board. So we're all confident that this data is maintained and secured and so forth. So I think a lot of that conversation kind of revolved around that.
Carolyn Ford:
I actually, my favorite comment, the whole panel, they were funny. That was something that jumped out at me, especially Gerry and Shane man. They were on a roll. They were like a comedy team.
Willie Hicks:
Yeah, they were riffing off each other. I think somebody made the point, cybersecurity professionals are not supposed to be this funny. But it was good.
Carolyn Ford:
Oh gosh, the audience, we were laughing the whole time, but probably my favorite standout comment was Travis Rosiek, he's the public sector CTO for Rubrik. And he was talking about you can secure and you can have this defense in depth, but then you've always got the human factor.
Willie Hicks:
Yeah. Which is very critical. I mean, and I think this is always the case, that the human's usually going to be the weakest link.
Carolyn Ford:
Always. We're always the weakest link,
Willie Hicks:
We're always the weakest link. But that's why that constant reverification is so critical. And I was, again, kind of going back to none of this is new. I mean, I go back to my pre, my life at Dynatrace. I worked in the finance sector and I go back 20, 20 plus years working in IT and finance, which obviously not only government regulations, so we have to be extremely, our data is very sensitive. It's customer data. Any compromise of that data would not only breach customer confidence, but also that would be a criminal federal offense, especially if some of this data got out. So we were always very sensitive to how do we protect it.
And I just think about these ideas about re-verifying and... I remember when I first started off, if I go back 20, 25 years going into bank branches where tellers would literally have their passwords taped onto to their monitors, which back then I'm just like, come on people, we can do better than this. But fast-forward about 10 years, it only took one or two breaches for all of industry to figure out we've got to get our cyber hygiene under control. So I remember constant training 10, 15 years ago on how do we protect data? How do we protect our customer data? The customer data is the most important thing. And then I remember our first big data center move. When I walked into that brand new data center, I had my brand new badge. You walk in, you badge into the door, you walk past the door, you go to security, they see your badge, you go to the turnstile, you have to badge into the turnstile. I would go to my desk, I log in, everything. I'm constantly verifying,
Carolyn Ford:
Yeah. Just making sure in the building. It doesn't mean you have access to everything in the building.
Willie Hicks:
Every door. I mean, if I go to the raised floor, my job meant that I had to have access to the raised floor. I went through five doors, each one with a badge reader and then the last one, a badge reader and a biometric scan.
Carolyn Ford:
Yeah, I was just going to say, you probably had additional, some sort of,
Willie Hicks:
With a man trap in the middle and all of,
Carolyn Ford:
What's a man trap? Are we talking like Mission Impossible?
Willie Hicks:
Well yeah, you have one door on one side, and if you,
Carolyn Ford:
Oh, no way.
Willie Hicks:
You could get stuck in like,
Carolyn Ford:
Did you ever get stuck?
Willie Hicks:
I won't talk about that, but yeah, especially if you had, but you had to get someone to get you out. And the thing is, is that these ideas, that was physical security,
Carolyn Ford:
Yeah.
Willie Hicks:
But in my mind, that's just,
Carolyn Ford:
It translates.
Willie Hicks:
Yeah, it translates because we're constantly reverifying. And even on top of that, when I got into the raised floor, I couldn't open up a cabinet without actually running my badge over, it verifying that I could go and,
Carolyn Ford:
Continual authorization.
Willie Hicks:
And it would open the door. It would open the door and let me in. And then I have to log into the system.
Carolyn Ford:
Yeah.
Willie Hicks:
Just in that, there were like 15 re-verifications before I actually got to the server to log in. So I mean, these aren't new, that was 20 years ago.
Carolyn Ford:
Right. Right.
Willie Hicks:
So.
Carolyn Ford:
And it's just applying what we already know about good security to the new ways of, and your panel today, AI is not going anywhere.
Willie Hicks:
Right.
Carolyn Ford:
Figure out how to use it.
Willie Hicks:
Right.
Carolyn Ford:
This is our world. We are a digital cyber world. And we can either embrace it and learn it and educate ourselves,
Willie Hicks:
Right.
Carolyn Ford:
Or we're going to be left behind, but worse. We're going to get hacked. We're going to get breached.
Willie Hicks:
Well, this is a great point that was brought up by the panel, is that we can't fear these things like generative AI. We've got to embrace it. We've got to use it. We've got to figure out how to use it and use it right and use it appropriately. But we have to figure out how to use it because you know who's using it? Our adversaries.
Carolyn Ford:
Everybody. Yeah.
Willie Hicks:
And I think it was Dr. Amy,
Carolyn Ford:
Hamilton.
Willie Hicks:
Hamilton who mentioned that she has an exercise where, and I didn't actually realize you could do this. I'm going to try it when I get home. But you can go to your favorite generative AI program and say, create me a phishing email.
Carolyn Ford:
Oh, that's right. Yeah.
Willie Hicks:
And she said,
Carolyn Ford:
And it does a really good job.
Willie Hicks:
And it's very realistic.
Carolyn Ford:
Yeah.
Willie Hicks:
And the hackers have access to this. The adversaries have access to this and probably a lot more.
Carolyn Ford:
Exactly. And we need to embrace it. All right, while we wrap up our special edition at Billington, any other impressions since you've been to the conference?
Willie Hicks:
Nothing more than as always Billington is a phenomenal, phenomenal conference. This is our second year here. Hopefully we'll be here many, many years afterwards. Just kudos to the Billington team, to all the speakers, to everyone here, because I learn something every time I come here.
Carolyn Ford:
Yeah, agreed. I do too. And it really is the A-list of the government leaders,
Willie Hicks:
Yep. Yep.
Carolyn Ford:
That are here and industry too. I love that every panel has a mix of industry and government. Get the different perspectives. I love that the government leaders are saying we need to do better at partnering with industry.
Willie Hicks:
Yes.
Carolyn Ford:
Because even five years ago that wasn't the case.
Willie Hicks:
Right. Yeah. And it's not lip service. I really am seeing a lot more action than I've had in the past so. And I think it's just, it's inevitable. As the threats become greater, we have to lean on each other.
Carolyn Ford:
We're in this together.
Willie Hicks:
We are into this together.
Carolyn Ford:
As Ann Duncan, one of my like,
Willie Hicks:
Heroes.
Carolyn Ford:
Heroes, yeah.
Willie Hicks:
Yeah. Yeah. Yeah.
Carolyn Ford:
I'll just say it.
Willie Hicks:
Yeah, I'll say it. She's awesome.
Carolyn Ford:
Right. She's awesome.
Willie Hicks:
Yeah.
Carolyn Ford:
This is us. This is not us versus them. We're all in this together.
Willie Hicks:
Together. Yep.
Carolyn Ford:
All right.
Willie Hicks:
All right.
Carolyn Ford:
Well, thanks Willie Hicks.
Willie Hicks:
Always a pleasure.
Carolyn Ford:
Thanks for joining Tech Transforms sponsored by Dynatrace. For more Tech Transforms, follow us on LinkedIn, Twitter, and Instagram.