Reimagining Cyber - real world perspectives on cybersecurity

Sharing a Stage With Cybersecurity's Big Names - Ep 49

January 04, 2023 Reimagining Cyber Season 1 Episode 49

As usual, Stan's been rubbing shoulders with the top names in cyber security...
In this episode we hear about his participation in the Government Innovation Show - 'Transforming Government Through Technology-Driven Initiatives'
Rob and Stan react to talks given by:
- James Burd, Chief Privacy Officer for the Cybersecurity and Infrastructure Security Agency
- Dr Diana Janosek, Deputy Director of Compliance at the National Security Agency
PLUS:
- Recession, what recession? With cybersecurity budgets expected to rise in 2023, Rob and Stan give their thoughts on why.
- Have you heard of Youtube? Apparently it's quite popular. Reimagining Cyber is the latest convert, and the show can be found here:
www.youtube.com/@CyberRes
www.youtube.com/watch?v=PoVifXTIM…Ndcdjin-l2qxkAIwZ


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

 

Rob:

Hi everyone, it's Rob Aragao, and Stan Wisseman's back with another Reimagining Cyber Extra episode, and we're excited to share something that, I think, kind of traverses quite a bit of our audience, Stan. So we're going to talk about some recent events relative to the government sector that you participated in, which I'm excited to hear and learn more about, and then we're going to also talk a little bit about the commercial side of things, right? And what we're seeing out there in the cyber market overall. Some of the impacts of the recession but also growth, great growth opportunities.

 

And I think it's important because our audience just spans such a kind of broad range, whether it's federal, whether it's commercial, whether they're CISOs, whether they're just getting started, right, in cyber. We know we've even had students in the mix and listening, which is great. And we also have this kind of global landscape reach as well.

 

So, I think it's just an interesting set of topics that we're going to be covering, but also very much broad, which helps bring them all in and engage in a little bit more detail on these particular items. So why don't I start with the new and most recent event that you participated in, Stan, the Government Innovation Summit. Why don't you share what happened there? And I know you played a big role also in the event.

 

Stan:

I was lucky enough to be asked to be the chair of this Government Innovation Summit that the Public Sector Network organized.

 

It pulled together a great agenda of speakers and panelists from the public sector. And as you can imagine, Rob, we heard all about the impact of cloud technology on the public sector, how AI and ML and RPAs are being used.

 

Cybersecurity was talked about in the context of, like, zero trust and how agencies are trying to comply with Biden's executive order and how they're having to architect their systems in a way that can be compliant, and they're on that journey. And the other aspect, not a surprise, is how you upskill your workforce to be able to take advantage of this new technology.

 

The fact that it's a culture change. And you have challenges with an aging workforce, so you have to attract new workers into the public sector in this very competitive labor market here in the US, and how do you do that effectively, and what are some of the tools that some of the agencies are using?

 

But one of the other dominant themes was how public sector agencies are embedding data analytics at the core of their operations and enabling data-driven decision making, as well as increased transparency to data that the public sector agencies are holding.

 

Rob:

Was there a bit of, I guess, a cyber lens put on top of that, and privacy elements part of that discussion?

 

Stan:

In fact, yeah. As far as the representation of the privacy side of the equation, they brought in the Chief Privacy Officer of CISA, James Burd. Okay. And he reminded everybody that, as we're talking all about this, all this great use of data, you can't forget about privacy and its importance.

 

And one of the things that he honed in on was capturing the purpose of why you have that data as you're collecting it, because that really helps ensure that how that data is used in the future is appropriate. So if you're collecting that data in the context of health needs, let's say it's, again, some kind of patient record or some kind of associated medical-related data that you've collected on this individual.

 

Using it in a healthcare context makes sense then in the future, but you cannot use that data in another context outside of that initial purpose. Yeah. And that was something he was trying to drive home with folks: that you may have to re-collect or send out some other kind of notification to collect the authorization to use it for this other purpose.

 

Yes. We need to be putting that into our thought process as you're looking at the health data life. And you may not even have envisioned other uses for that data, but if you try to use that data for other purposes, then you're going to get yourself in trouble.

 

Rob:

So it's great to hear that's coming from government, and CISA specifically, because we've been doing a lot on that particular kind of area as it relates to the purpose, right?

 

Purpose-based access. It's interesting, right? There have been a couple of conversations where it's very much a new topic, a new way of thinking in the approach. And once you have the conversation, there's a realization, this light bulb that goes off, and people go, that makes sense and it's applicable to our particular business.

 

So if you look at it in the commercial sector, there's an organization that we've been working with now for the past several months on exactly the use case you just described; they're in the financial sector. And so they cut across: you can do banking with them if you want.

 

You can do, obviously, your investments with them. There are all sorts of different types of kind of services back through that financial business capability that they provide their users, both consumer and institutional. And so they aggregate all this information, and they have the leverage of this data for particular capabilities, let's say, or services that they're delivering.

 

But to your point, it's like this firewall almost that you have to put in place, right? That says, yeah, you have that data sitting over there. That's just so valuable. Wouldn't you love it to be able to take it back into market to your particular line of business? But we can't allow you access to it.

 

Stan:

And if you can't trace back to what that original purpose was (Yes.) when you collected the data, then you're, again, hamstrung (Absolutely.) as to how you can use the data in the future. And if you think about it, right?

 

Rob:

So yes, all these privacy regulations are driving at that as an element of it, though it's buried.

 

This is why it's an interesting conversation. But if you go back to this particular financial institution, rather large, the SEC is already looking at that. That's an element, right, like of today, that says when you have a particular legal agreement that's binding and saying what you are supposed to be able to deliver, as well as the actual use of the data you're capturing on the individual, or institution in some cases.

 

This is all you're supposed to be doing with that information, right? So they have to prove that out, or else some severe penalties are coming. So I think it's just a really interesting aspect of some different approaches that people are starting to take into purpose-based access control. That's a great example.

 

Stan:

They had another very interesting speaker, Dr Diana Janosek, Deputy Director of Compliance at the National Security Agency. She has a PhD in cybersecurity, and she's been in government for 30 years. Wow. Talk about some credentials, right? I'd love to get her on the podcast, but imagine the hoops we'd have to go through to get somebody from NSA on our podcast.

 

Yeah. I don't know how she was able to get out and speak, but it was interesting. She was talking about how they have shifted compliance left in the data life cycle, and so they're leveraging the data classification and tagging they're doing to help ensure compliance upfront.

 

So less of detecting where there's non-compliance late; it's confirming that there's compliance as they're collecting the data. And then also, late in the life cycle, being much more proactive in the purging process. Hey, we're done, or, honestly, she didn't necessarily say this, but we shouldn't have collected this data anyway, get rid of it. So it was, again, there are limits as to what she can say, of course. But at that higher level, the effort they've taken to, at the top of the funnel, help ensure that they're remaining compliant as to their mission.

 

Rob:

That's, if you recall when we had Greg Anderson on, the CPO from E.W. Scripps, that was a part of our discussion with them, which was, as their particular business is launching new projects, they have a seat at the table of influence as to why these things need to be considered upfront.

 

So the whole data lifecycle governance aspect of it. Being able to do it upfront makes it so much easier to be able to continuously manage that data and say, I'm going to purge it at the right time, and I know what's out there. The flip side of that is all this legacy data that's sitting out there and trying to understand the reality of how long we still need this, right?

 

Are there regulations in place, seven years for HIPAA, things of that nature, that I still need this data for or not? So again, another good aspect of just seeing how people are really thinking about this whole shift-left concept and applying it to different things as well.

 

Stan:

Switching gears on you we're reaching the end of the.

 

And I know a lot of folks are concerned about the potential of a recession hitting us. A number of family members and folks I know have been hit by some unfortunate workforce reductions. And it's concerning as the US Fed continues to increase the basis points, interest rates, to try to control inflation, which is important, right? But I read a report recently from Spiceworks Ziff Davis called their 2023 State of IT, and I guess on a positive side, as far as how the spend is being forecasted at least, or at least reported out by those they surveyed, the majority of companies still expect to increase their IT budgets.

 

And part of that spend is associated with cybersecurity. And there's an increase expected in the spend on cybersecurity. And so it goes to show, to some degree, that if you're in the cybersecurity field or associated with services and products, we may be a bit of a recession-proof kind of industry, in the sense that the need continues to be there independent of what the market does. Cyber threats continue to hit us, and you have to put in the proper defenses and the ability to detect and withstand these kinds of attacks.

 

Rob:

To amplify that, we're always doing market research as part of our own business, right? And figuring out what are the particular markets that we're currently invested in, further investing in those markets, other kinds of areas of interest, forward-looking.

 

And so, as part of some of the research that we were conducting and looking at some of the most relative data, there was a great report. I think, I want to say it was the end of October timeframe that they released it. But a great resource to go back and look at, from McKinsey. And it's basically their cyber market cap survey.

 

It's 4,000 or so organizations globally that respond to this. And first and foremost, to really amplify your point about the cybersecurity market and spend in that space: if you look at the market today, the spend is roughly $150 billion, and over the next several years, it looks like it's going to grow to actually be over 2 trillion.

 

So from 150 billion to 2 trillion, so over 10x. Wow. Growth in the next several years. Exactly. Wow. So if you look at some of the kinds of things that they're talking about in there, they're looking at growth, great growth opportunities in many different areas, though I'll call out things we're talking about, right? Data privacy, data protection, major emphasis, one of the key growth areas, driven by how much data people are using in terms of... Absolutely. Analytics and operations, right? Exactly right. Because, again, yeah, the businesses are driving the use of the data that drives new insights on making decisions, on generating new streams of revenue, launching new services.

 

Yeah, absolutely. But again, what are the privacy and cyber elements behind that? So that's a big piece of it. Identity continues to grow. You talked about some of them in some of the things that you heard at the summit as well. But identity is a key centric point of investment.

 

Application security. How many episodes have we had around application security, around securing the software supply chain, right? So that was a huge area. And then analytics around security and operationalizing, and more efficiency. So even you mentioned earlier that not only do we have a cyber talent shortage, then we have this bit of an issue around the aging workforce.

 

Stan:

That certainly was talked about a lot at the summit. Yes. Yeah, so that's another key. It's one of those continuous challenges of how you attract people into STEM and into, honestly, in their context, the developer sector.

 

Rob:

Yep. Completely agreed with that, and so, great. Lots of growth opportunity. Some different areas of the growth opportunity, right? But it goes across all cyber areas. But when you peel back the onion from looking at the survey, what are the particular areas that they're calling out as the reasons for this hypergrowth? And so they boiled it down to, I think it was a handful or so.

 

So one is, and we talked about this, all of this digital transformation that we've been going through. What's it doing? It's continuously increasing the attack surface, right? So we need to have better visibility, which is the second thing. The CISOs need better visibility. So they're looking for that tooling that supports their way of doing it.

 

They're not looking for further investment in yet another tool, but if you have a way that kind of looks at the current investments we have, to be able to better rationalize which ones we actually should continue to use, and then take full advantage of the tools that they currently have.

 

Right? Absolutely. 'Cause, as we know, it's only a certain percentage typically that it's being used for; they're not looking and understanding what else they can actually attribute to. But then this kind of umbrella over the top, because they have all these kinds of elements of, in some cases, silos of security tooling.

 

Like how we actually put it all together is another key area of what they were calling out. And then, of course, you know this whole cyber and privacy regulatory landscape that we're living in and the changes that are happening there globally, right? But then the other one, again, was back into the cyber talent, right?

 

And so one of the key pieces of that was, how do you help solve for that? And so a lot of organizations, in addition to figuring out, changing some of the hiring practices, and if you remember, not that long ago, we talked to Jim Ralph, right? And Damon Carter, about kind of some of the different approaches that they took.

 

Just thinking outside of the box like that helps tremendously. But obviously organizations need to figure out a way to do things very quickly. And so a lot of that leans on how can we actually consume these different security solutions through SaaS capabilities, through MSS, right? Managed security services offerings.

 

So that's again, a very big part of the opportunity out there. 

 

Stan:

They may not have the staff or the expertise to continue to maintain an on-premise, right, model. And so they have to shift to either managed services. Another thing, as far as what was talked about, on the VA: there were folks from the VA that were at the summit, and they were talking about how they're leveraging RPAs to take care of these mundane, repetitive tasks, and that is saving them what would've been hours and hours of labor on a number of tasks. Now that doesn't translate necessarily to security kind of activity, but again, looking at ways you can leverage technology in the face of this workforce shortage you have and how you can make things more efficient.

 

It drew a lot of attention from other agencies, the fact that the VA is finding success in the use of RPAs.

 

Rob:

Automation? I think we've been talking about it for a while now, but the reality of being able to see the return value on it is finally starting to come to fruition.

 

And I think, yeah, robotic process automation capabilities are starting to show that as one element, and we need to do more, obviously, in the cyber areas as well to help the CISO shortage overall.