Bolstering Federal Cyber Resilience and Demonstrating ROI
Season One · Episode 3

In this episode, host Raghu Nandakumara and Gerald Caron, Former Chief Information Officer for the Office of the Inspector General at the Department of Health and Human Services, unpack how to manage operational risk, the role of data mapping in any successful Zero Trust strategy, and demonstrating ROI.

Transcript

0:05 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, a Zero Trust Segmentation company. Today, I'm joined by Gerry Caron, Chief Information Officer and Assistant Inspector General at the U.S. Department of Health and Human Services. With over 24 years of information technology experience, Gerry began his career in the U.S. Army working in hands-on technical positions. He joined the federal government at the Department of State in 2003 as a systems administrator and has held five different positions at the department over the past two decades. Today, Gerry is joining us to discuss Zero Trust challenges and momentum at the federal level. We'll unpack how to manage operational risk, the role of data mapping in any successful Zero Trust strategy, and demonstrating ROI on your Zero Trust investments. So Gerry, how did you end up being the Chief Information Officer at the Office of the Inspector General at the Department of Health and Human Services?

01:12 Gerald Caron: I lost a bet. No, my journey is kind of unique. I'm from Northern Maine, up in the woods. And I joined the Army. After seven years in the Army, I got stationed at the Pentagon, and I decided at the time IT was the big thing and what better place to be than in Washington, DC? I ended up becoming a contractor back in 2001 at the Department of State answering telephones on a help desk. From there, I worked my way up through hard work into some management positions and then I became a member of the senior executive service in my last job, for enterprise network management at the Department of State, where basically I was responsible for all the infrastructure: Active Directory, the network overseas and domestically, perimeter security, a lot of things. And I applied to this job here as the CIO for the Office of Inspector General here at HHS, to try to do something different. And so I've been here for a year and a half at this point, and it’s been very interesting.

02:10 Gerald Caron: My time at State, I was involved in some events and took on a role of the remediation and eviction lead in some of those events, and that led me to be an evangelist many years ago before executive orders and memos came out about it, on Zero Trust. So I've been also chairing a few working groups around that area. One I tri-chair with other CIOs and somebody from the National Institute for Science and Technology, up at NIST. And I do a non-profit as well, big believer in Zero Trust and cybersecurity as well.

02:48 Raghu Nandakumara: And that's exactly why we're so excited to have you here today. So just before we come on to specifically Zero Trust: you're at State, 110,000 users that you're managing, and now you're at HHS which is about 2,000 users. So it's almost, if I do my maths correctly, it's about 2% of what you were doing at State from a user-based perspective. What are the unique security challenges of both of those environments?

03:18 Gerald Caron: Yeah, no, that's a good question. So at State, I ran central infrastructure and things like that, but all the different bureaus, and it's kind of here the same at HHS, there's, I don't want to say autonomy necessarily, but they have their own unique missions. They have their own IT needs. So while I provided central resources, as far as networking and things like that, I had to accommodate. And in a big federated organization like that, it's hard to get things moving sometimes. Here at the IG, the difference is we do wholly own and run our own network and systems and things like that. We are looking at things as a service – we're taking advantage of SOC-as-a-Service because I'm limited in my IT resources – but we're able to be more flexible and agile as a result because I own the responsibility for everything and it's pretty much centralized. Whereas at a big organization, sometimes it's hard to get things moving while trying to accommodate all those specific missions. Whereas here we're pretty much centralized. But we're still able to be a good example for scalability in the art of the possible through our implementations and be able to share that with a larger agency or others as well, because we're able to move a little more flexible and “agilely.” “Agilely,” is that a word?

04:43 Raghu Nandakumara: It's alright, it's alright. We'll add it to the Oxford English Dictionary next year. No problem. But you talk about State as being very... Because it's a large behemoth of an organization, it's, as you said, it's a lot of the infrastructure or running it is federated. So how do you ensure consistency of security posture across all of those sort of federated sub-agencies, if that's the right term, or sub-units? How is that sort of managed, monitored, governed?

05:15 Gerald Caron: Yeah, one of the things we did, and we actually ran this little tool out of my shop called iPost. So you have a lot of tools, right? Every organization has a lot of tools, but what happens is you'll look at them all in silos. And then you say, okay, how am I doing at patching? Alright, what we did and what we're doing here, and it's going to lead... It's one of our, what do I call, one of our foundational projects that we're going to be doing here, is integrate that data. So when you're decentralized and people downstream are responsible for the IT security, we kind of brought all that information together, made those relationships between, “Alright, here's the Active Directory computer object.” “Alright, here's all the patch data for that, here is all the vulnerability, here's all the scan data, here's the software and the versions, and operating system.” You know, “is that on the approved list, which is over here?” And we built this dashboard for it... So basically...

06:11 Gerald Caron: And we made these groups – could be an office or an embassy or some location or a logical group of people for a system – and we brought all that together and we put this methodology over it, and had this what we call an “operational risk score.” You didn't need to know how to use the tools, we didn't have to train people on how to use these tools, we didn't have to give access to these tools, we brought all that data together, presented it in an easy to use fashion and told them, "Alright, come in the morning, you'll look at your site and say, 'Oh, hey, my patch score is way up and it's given me... It's dropped me down to a D this morning when I was a B yesterday. What is it I need to pay attention to? Oh, okay, here's exactly... I need to do this patch on these systems.'"

06:57 Gerald Caron: So we presented that information to them in that way. Now, we're going to do the same thing here because again, I don't – as a CIO – I need to be able to know what my operational risk posture is, how are we doing overall? So we're bringing those, we're going to be integrating those data sources that we can leverage, find out where our gaps are, put this scoring methodology over that, and then create this dashboard to say, "Alright, how are we doing? How are we doing operationally with managing our risk from patching to vulnerabilities to configurations and all that end-of-life equipment and all of that?" So we'll bring in that concept, we're going to start doing that. Now, why I say that's a foundational project for Zero Trust – think about it. We need to do that more real-time later, so we're going to need all that telemetry from all those tools to make those decisions in a more real-time. Now, different tools come in different waves, so to speak, like one may be every eight hours, one may be every five minutes, it depends.

07:55 Gerald Caron: So minimally, if Raghu is coming into my network and trying to access this data source, alright, what do I know about him? Alright, he authenticated this way, he's on a managed computer, which I know about, coming in on the VPN, the network that I'm managing because he's in the office. Okay, I have enough information to say it's pretty safe to let him through the front door. He can start his work while... Alright, let me check these secondary things and make decisions off that. So I'm doing a constant check, I'm not just giving you access into the door, but I'm doing a constant real-time check as much as possible and the tools can accommodate in making decisions based on what my risk thresholds are.

08:39 Raghu Nandakumara: By the way, do you know this is a Zero Trust podcast? I'm not sure if you're aware.

08:42 Gerald Caron: Oh is it?

08:44 Raghu Nandakumara: You kind of just naturally went to Zero Trust, as like... I think that collation of data that you talked about and providing that consistent view is such an important part of bringing everyone along in that security journey and enacting that culture shift.

09:00 Gerald Caron: And I think going back to your original question about the differences in a decentralized – and even if it’s centralized – I want to see the pockets, the logical pockets of groups of things. I may have contractors responsible for the system, and I can say how are they doing, based on the contract, because we got to hold them accountable. So there's a way to do that too, in the way you group things, coming up with that grouping, I think, and bringing that telemetry together to make those decisions and then... Yeah, just naturally, it falls into... It's a great foundational thing for... As we advance towards Zero Trust. Because you're going to need all that information to make those decisions.

09:35 Raghu Nandakumara: 100% because it's that complete visibility end-to-end is the foundation on which all of your security decisions are then made. So, almost without advertising it as a Zero Trust program, just having that in place is such a great place to start. You have some great analogies for Zero Trust – that involve peanut butter, which I love, and the cinema. Which I kind of like the cinema if it means I've got a bucket of popcorn in front of me. So let's hear your two, your peanut butter and cinema, Zero Trust analogies.

10:10 Gerald Caron: Yeah, we historically have done the... Everybody says “castle moat,” I like to say the “Tootsie Roll Pop” method of cybersecurity. Hard outer shell and a soft gooey center. And I think the other thing is, we also... It doesn't matter if it's the crown jewels or the bologna sandwich, we always have tried to do that peanut butter spread approach, make sure the peanut butter is spread evenly. The fact of the matter is, if I lose my bologna sandwich, there's plenty of bologna and bread in the world, I'll probably make another one. Am I concerned? Yeah, 'cause it's frustrating, I gotta go make a new one. But my crown jewels, if those are lost, that's it. There's no getting them back, kind of thing.

10:48 Gerald Caron: So thinking about that being data is, “What's most important and what do we need to concentrate on?” So if my bologna sandwich gets stolen, alright, are my crown jewels still protected? I prevented lateral movement. That's what I want to do. I don't want them to elevate themselves to the crown jewels. Yeah, my bologna sandwich got stolen, I'm concerned. So the analogy about the movie theater is you go to the multiplex movie theater, you buy a ticket online, however, and where...

11:18 Gerald Caron: The example I have, and the movie theater I used to go to – I don't go there anymore, because I found a new cool one – but they scanned your ticket in the lobby. So you walk in the front door, they scan your ticket in the lobby, now I'm allowed in the movie theater. I have access to the concessions to get my popcorn, the restrooms, the general things if you're allowed in the front door of the movie theater to go to. But I was also able to walk into any movie theater. Why? Because nobody was checking my ticket at the doors. There's 20 theaters, there's not 20 people at the doors.

11:48 Gerald Caron: So basically, being a good ethical person, I go to my movie. But of course, you could be there all day and movie hop all you wanted. And then sitting in your seat, because there's no ushers checking and everything. So probably if the camera broke down, you'd probably have to get up out of the movie theater and go get somebody to let them know. That's historically the way, the legacy type of security. They have the perimeter, which is front door, get in the lobby and then you're in. And I can move around laterally wherever I want - and the movie itself being that data, right? So I could go in and, "Hey, IMAX is showing in five minutes, I haven’t bought a ticket for the rate. I'm just going to go in the IMAX version, it's much better."

12:32 Gerald Caron: So with Zero Trust, here's where that becomes different. Still, I'm going to get my ticket scanned at the lobby to make sure I'm allowed inside the theater, but when I show up at the movies and I still have access to the popcorn and the restrooms – I'm in that perimeter, that larger perimeter. Now, I am getting my ticket scanned also when I show up at the movie theater door. Now, if I was trying to walk into the IMAX and I had a regular ticket and they checked it, go back to the ticket booth and upgrade yourself – so do some kind of step-up authentication and then we'll let you in – but alright, I get my ticket scanned at the door. Yes, this is valid. You are allowed in, I'm assigned a seat. And then you have the usher come in and checking constantly. “Is the projector working? Is the screen down? Are the lights low? Are the little lights on the walkway, so people don't trip there? Are the exit signs lit? Is everything working?”

13:29 Gerald Caron: Checking all these factors constantly, to make sure that the data that I'm trying to consume, being that movie, everything's in its right place. I am who I am, I'm in where I'm supposed to be, and everything's working. And somebody's coming and doing that constant check. And if some threshold is met, the projector goes down or something, boom, automatically, automation is going to take place and do whatever it needs to do. So that's kind of the analogy I use for it.

13:58 Raghu Nandakumara: Awesome, there you go. That's how we connect peanut butter, films, cinema and Zero Trust. What was the... You're clearly very passionate about Zero Trust and see the value in it, right? So how are you driving the adoption of Zero Trust at the OIG? What is your focus there?

14:18 Gerald Caron: When I first came in, nobody knew about Zero Trust. There's this mystification and, no offense to any vendors, but there are so many different definitions now. It's just been overused term where people cringe when they hear it. But in the true essence of Zero Trust, if you learned it from Forrester, or listened to John Kindervag who's the father of Zero Trust and everything. Go back to those five principles, understand those five principles. So I noticed some ways cybersecurity was being done and everything, and I introduced it and I actually educated my staff. So brought in some vendors in the art of the possible, and it was like leading a horse to water and they just drank. "Hey, this solves some of our problems if we did something like this," or "Oh man, this is going to undercover some things. We'll have much more visibility."

15:05 Gerald Caron: And then what we also did is I have this chart stolen from the DoD, and it's in the DoD Zero Trust strategy that they released publicly a few weeks ago. There's a whole bunch of functional capabilities under the pillars – there's the five pillars of network data user, but they also have orchestration and analytics, which I also have been using for over a year. And I said, if I did not spend another penny, how are we doing at these things? And they self-rated.

15:34 Gerald Caron: I also gave it to each of the vendors we have already invested in. Said, "If I do not spend another penny on your technology, what you have covered... Whether I'm doing it or not, what can I cover?" So then I knew, alright, we're doing these things, we've got something, sure, we could use a little help over on this thing, and... Oh man. We have some gaps. So with that, created five foundational projects. We looked at what I hate. VPNs have been described to me as a malicious, secure way to deliver a malicious payload. I'd like to go VPN-less in a way where I don't want to rely on my on-premises network. How inefficient is it for you to connect to one of my data centers, just to go back out to where are we putting everything – the cloud and the internet, that's where all of our resources are going. That's so inefficient to do that boomerang, so why can't I send you more direct? So we have TIC 3.0, the Trusted Internet Connection, that has more flexibility. There's solutions out there that give you that telemetry security-wise that you need, but I'm sending my people more direct. Also data mapping, data mapping, what am I trying to protect at the end of the day with Zero Trust?

16:38 Gerald Caron: I'm trying to protect data. That's the gold. A lot of people will say, “Talk about identity.” And you know what, identity is utterly important, because when we talk about Zero Trust, it's the right data, the right people at the right time – but the data has to have its integrity. And if you were a cybersecurity analyst and I got compromised, I'm going to guess your first two questions to me are going to be, "What did I have access to? And is there exfil?" That's not about me; you're asking about the data, really. But who has access to that data is very important. But the data is what... So we're going to do data mapping – and that's not network mapping, this is data, taking an application, what is it connected to, where is it sharing the data, what's sharing data with it? And then you're learning where data resides, lives, and where it's flowing because at the end of the day, I got to be able to baseline that so I know what normal looks like. And then when abnormal happens, I got to take an action.

17:36 Gerald Caron: So we're going to do data mapping; we're also doing integration of those tools. Like I already talked about that, so we can get an operational risk profile of the entire environment and mature our identity management to make sure that we have a true authoritative identity even... Because what happens over there, we get new cloud solutions, we have applications, we have Active Directories. What happens is how many digital IDs do you have? Even in a small agency, there's so many digital IDs because each one of those does have a digital identity, so we got to pull those together to look like an authoritative identity source, and then put some automation and governance over that, so we're looking to mature that as well. Those are our five foundational projects, which I believe, for our needs, are great stepping stones to those next maturity areas.

18:32 Raghu Nandakumara: That, Gerry, is such an incredible description of how you have built that plan and the real detail that goes into it, the overarching strategy, the tactical sort of steps that you are using to execute against that strategy. I guess the only question that I have around that is, how are you measuring progress? How do you know that you are on the right path or that you need to course correct? How are you incorporating that feedback loop into the execution?

19:00 Gerald Caron: So we have set milestones that we're going to be tracking against with success criteria at certain stages. And one of the things I'd like to do also is I'm not going for, and this is why I say use the peanut butter spread approach before, and I think we abide by FISMA and we have the NIST 800-53, the security controls and things that. And they're very much compliance focused or that's how they're interpreted. Not necessarily meant to be that way, but that's how they're interpreted. I like to use the example and it's oversimplified, but it's an example I use is, “Okay, the control may say you must provide authentication.” I can say, “Alright, username and password. I have provided authentication. I am compliant.”

19:42 Raghu Nandakumara: Yeah. Yeah.

19:43 Gerald Caron: But am I effective?

19:46 Raghu Nandakumara: Yes.

19:47 Gerald Caron: No, I'm not.

19:50 Raghu Nandakumara: I'm saying yes because the question you're asking is right.

19:52 Gerald Caron: Yeah. No. Yeah. No. No. Effectiveness and compliance are two different things. That's been my thing that I've always said.

20:00 Raghu Nandakumara: I concur...

20:00 Gerald Caron: How do you measure effectiveness? I'd like to be able to come in and do some kind of pen-testing or blue team type or purple team type testing incrementally. Is what I put in place effective? Is it accomplishing, is it meeting those principles, kind of thing. So I want to build that in, got to figure out how to do that resource-wise. But I'm hoping the SOC-as-a-Service aspects might be able to help us with that. But I want to be able to measure that effectiveness periodically. So we have those milestones built in for certain incremental milestones on our journey. And then I want to build in that effectiveness check to make sure that we do that act of testing. All right, did this meet that principle?

20:39 Gerald Caron: Is it right data, the right user at the right time? Are you able to move laterally, kind of thing. So we're hoping to build those things into that incrementally as well. Not wait for the end and say, “Alright, let's go back to the beginning” – because I don't want to re-engineer. So that was very important in our pillars as well. 'Cause this is an architecture. So some people will talk about, “Alright, we're going to concentrate solely on the identity pillar and get that done.” “Alright, now we're going to move to the next pillar.” Me, I get concerned when I hear that because this is an architecture, and I always explain enterprise architecture. I'm a big fan of enterprise architecture. Some people scoff at it sometimes. There's four main areas.

21:19 Gerald Caron: There's the business, which is the financials and the mission drives things like that. Then there's the technical which is the implementation. How do you go about doing it? But there's the security, how are you securing. And the data - I focus on those four things. And so in doing that, I want to make sure that, yes, we may be doing more work on one pillar than the other, but we know what those relationships between the pillar, we're not going back and re-engineering because something didn't work because I got so far on that other pillar, kind of thing. So knowing those relationships up front, how those have to interact, what the capabilities need to be between them is something that I'm very cautious about as well.

22:00 Raghu Nandakumara: Yeah. That I think is such an important point because we see so much across the security media, vendor posts, vendor marketing about how doing one particular, focusing on one particular control is the most important thing to do when you are adopting Zero Trust. Right? But you rightly said that you need to really look holistically across your control set and have those things moving together lockstep in parallel. Because the power is the almost the combination of those controls as opposed to one particular thing. Because otherwise you're just over rotating.


22:37 Gerald Caron: Yeah. And when I talk about what my approach towards Zero Trust is, to oversimplify it again is, first of all what I'm trying to protect is data. Alright, so what do I do around data? First, I need to know, like I said, data map. But then I want to build the microsegment. I want to microsegment that, even within its own database. All data's not created equal just because it's in its own database. So what can I do around data? And then a lot of people will say, all right devices, we got to do devices. No, in reality what facilitates access to data? Applications. So what do we do around applications? Now, applications need what to live on? They need a device to live on. They have to live somewhere. Alright, and I'm not going to manage every device. Right?

23:20 Gerald Caron: I have public websites that may need authentication. I'm not going to start managing every device. So there's different risk levels to different things within these categories. And then, devices need what to talk? They need networks. What do I do around networks? Am I managing it or am I not? What can I do that's within my control? And then of course, the users. Alright, what do I do around identity management to make sure the right users get the access to the right data at the right time? So I kind of work inside out in that fashion when I talk about this. So I start with the data. That's what I'm trying to do at the end of the day and then work my way back through all those.

23:57 Raghu Nandakumara: That really is the right way and the way, whether it's sort of John [Kindervag] expressing how you drive Zero Trust maturity, that's very much how he is sort of envisioned a Zero Trust strategy being executed. As very much a holistic view. Because otherwise, what we see is, I think just going back right, is that it's tainted by vendor marketing saying, “This is what you have to do. You must start with this pillar and get that perfect...”

24:23 Gerald Caron: “Because I want you to buy my thing.”

24:25 Raghu Nandakumara: Exactly. Right. Exactly. So I want to go back. You were talking about sort of enterprise architecture. And you talked...

24:31 Gerald Caron: But I'll say something before you go into that. I will say this. We cannot do it without the vendors though.

24:37 Raghu Nandakumara: Yeah, that's true.

24:38 Gerald Caron: They have the technologies, they're building the technologies. But what we're trying to do through the working group, through ATARC because we have... We're going into phase two. We gave everybody their platform for their specific thing. But phase two we're saying we want to team up, and we want to see it end-to-end through all the pillars. You team up with whomever you need to. If you're missing that pillar or those functionality, we need to see it. We need to see it work all the way through. Don't show us slides, don't send us sales pitches, we want... Now here's your use cases, show us. So that's what we're trying to drive for now.

25:12 Raghu Nandakumara: But I think that just talking about that sort of, what is that complete solution. Carnegie Mellon had that Zero Trust Industry Day back in early September, where again, very much sort of academia integrated with government really pushing that integrated approach to Zero Trust. And that was really refreshing to see, and I'm excited about the outcomes of that. I want to go back to something you said about enterprise architecture. And one of the key facets of that being aligning with the mission, aligning with the business objectives. So how, in your role, how have you aligned Zero Trust or the Zero Trust program, Zero Trust strategy with the sort of overarching raison d'etre of the OIG?

25:53 Gerald Caron: I'm glad you asked this question because I talk about this as well. So I don't look at Zero Trust as solely a cybersecurity effort or an IT effort. There is the business of the IG and sometimes I'll even remind my engineers that the OIG was not put on this earth to do IT. That is not the main mission. It is the enabler. So saying that we actually did a presentation on Zero Trust to all the user community. Now, kind of letting them know things are going to change. Here's some benefits we're going to bring you. We're going to send you more directs. So better performance, better interoperability, single sign-on. Some of those things that we're going to introduce which make the users so much happier. But also what the objective is. The question that we're going to be asking even more is, “How do you want to work?”

26:43 Gerald Caron: “Do you need to be more mobile? Are you missing things? What works well, what doesn't? Why?” Because we can build those requirements in because we're modernizing. In essence, we're bringing new technologies, we're bringing new capabilities, we're modernizing. So by including their requirements, there’s a lot less friction when we implement because we listened, and we're going to do it. “Also, what am I getting out of it? What do you need access to? When do you need access to it?” So now I'm getting validation on my inventory of data sources. I'm building personas because I know how people want to work or how they work, what devices they use most. Are they coming from home and networks I manage, or are they coming in the office? I'm learning about a bunch of stuff. Now we're starting to understand things that we can feed into our Zero Trust as well, because this is how they want to work, this is the mission that they have to do, this is the data sources that they rely on.

27:38 Gerald Caron: What are those data sources? They have PII, do they not have PII? Are they available to the public? Are they not available to the public? And really understanding that people in the different offices they mention it sometimes or ask about it. “What's that going to look in a Zero Trust environment,” kind of thing. And it's good, because now we got them thinking, “Yeah it's going to ... Things are going to change, but I'm going to get access to my stuff. I'll have integrity and what I'm accessing these things, I'm working from home.” “Oh man, I don't have to get that VPN hooked up. I'm going straight to my thing.” I'm me, as a CIO, I'm getting my security telemetry still. We're telling them what the benefits are. And then that communication of what they need, when they need it, how they want to work and build that in, and make it more of a modernization effort rather than this bolt-on security IT effort.

28:26 Raghu Nandakumara: Yeah, 100%. That's that proactive sort of, “Here is how it's going to benefit you.” And “how would you like to work?” or “what would you like to be able to do?” Those are really great questions, and enabling that is amazing. But it's also, ROI on security investments is one of the great intangibles. And going back to saying, “Yeah, we could do a penetration test before and after, or we could do a threat model before and after and we can say that, okay, now we have remediated this threat and so on.” But when they say okay, “I get that, but what am I getting back?” How do you demonstrate ROI?

29:00 Gerald Caron: We just had that question the other day from my boss as a matter of fact. It's like, “Alright, you're asking for this money, you get this money. Are we making any savings or anything?” I hate saying savings. It's always cost avoidance, because I'm never going to ask for a reduced budget as a result of something. I'm going to spend it someplace else. But I say cost avoidance. That got me thinking. And it was funny because the week or the two weeks before I asked somebody in our security team, "Hey, what is the cost of an incident? How much does an incident cost?” So, yeah, I'm investing in security, and it's an investment and I might be shutting down a few things, but I'm still going to spend it on the new things that I'm implementing. But what we have right now, and I got to put some dollar figures against it is, alright, there's small, medium, and critical events.

29:50 Gerald Caron: Here's typically what it takes in man-hours from the operations team, from the security team, to remediate those things. The impact and loss of stop work and things for the mission and things like that. So we're putting together that graphic to show us if something does happen – and something will happen at some level whether it be a non-malicious user, which could be a small incident or you claiming to call me in the help desk and I give you access to my PC and you start doing whatever or ransomware or anything. Here's the cost of an incident. Now, you're investing... I'm asking to invest this much compared to that, where you are not getting anything done. We're not supporting the mission, just because we're cleaning up whatever mess came about. We're actually putting that graphic together right now to tell that story because we've been through some incidents and a person I'm working with that's in our CISO shop now comes from State as well.

30:49 Gerald Caron: So we kind of have a good idea. The resources it takes, the after effects, the interruption to work, the days, the nights, the people, bringing in third-parties, specialties, depending on what the technology compromised is, expertise from that, and then there's the residual. That's the event, but what are you doing to prevent it after? So there's always some long-term strategy to – hopefully, you don't just bandaid it – hopefully you put together a strategy. Now there's a cost to doing that. Let's get ahead of that. Invest in this now because it's probably going to cost you more.

31:24 Raghu Nandakumara: Exactly.

31:25 Gerald Caron: If this event happens and here's the dollar figure against that.

31:29 Raghu Nandakumara: Exactly.

31:30 Gerald Caron: And let's say that's just one. If we don't do this, you might have multiples of these kind of thing. So that's what we're putting together actually right now. It's funny you ask.

31:39 Raghu Nandakumara: Yeah. I mean if only it didn't take an incident to act as a forcing function.

31:42 Gerald Caron: Yeah. And unfortunately that's what I've seen in some places. It's like you can warn... It's a little boy that cried wolf, kind of thing. The wolf actually shows up and guess what? Oh, yeah, we should do something about that.

31:54 Raghu Nandakumara: Yes. So true. I want to ask you about just outside the OIG. And we see that, let's say the healthcare sector is particularly targeted these days. And too often those, like a healthcare provider, are forced to essentially stop serving patients and sometimes stop delivering emergency care, critical care, because the attack has essentially taken out access to their critical IT systems. What is going to force, and just asking you about healthcare because of who you work for, what is going to force an increased focus on resilience for healthcare providers so that this is not a rinse and repeat?

32:39 Gerald Caron: Yeah. And this is just an opinion, I think there's still some legacy systems that support some of these entities that you're talking about. And I think what it is, it's got to be embraced by the organization. It can't just be the IT people. It's got to be something that is understood and whether it's got to be the IT people that raised this. I've read a lot of articles where in private businesses such as some of them that you're referring to, that there's recommendations the CIO should be sitting on the board or the CISO, either or, so that they... because when you're managing risk, it's not just an IT thing, it's also a mission thing as well. What are the political aspects of the risk and the decisions that you're making? And then that informs the IT risk as well. But I think it has to be well understood that this is, going back to the ROI, this is why this is a good investment. This is going to help mitigate this risk.

33:34 Gerald Caron: So telling that story and making it an organizational priority. And that's the thing about the executive order that came out last year, “Strengthening the Nation's IT Cybersecurity.” And Zero Trust was a big aspect of that which then resulted in OMB Memo 22-09. It was embraced at the highest levels. Now, they're not just making it an IT thing, they're making it the agency's responsibility. You must do these things. So everybody gets on board. Now, it's prioritized at the highest level. That might be a little different in the private sector, how it goes about doing that.

34:11 Gerald Caron: The federal government in this sense, being transparent in that way and showing that this is a priority for the federal government, some are seeing that as well I think and saying, “You know, federal government's a little ahead of us on that.” But there's some in the financial that are ahead of us technology-wise and things like that. But I think it is really, needs to be understood, embraced as not an IT thing. This is a cultural thing for an organization, and it needs to be communicated.

34:41 Raghu Nandakumara: And as you say, you reemphasize what is now just a common theme that security needs to be a board-level priority. It can't just be the purview of the security organization or the IT organization. And you spoke about the executive order, the OMB Memo and those Zero Trust initiatives that you are very close to. How confident are you that they're going to deliver the culture change, the posture change, and the overall improvement of cyber resilience that at least they hope to?

35:16 Gerald Caron: Yeah, I think... I'm the type of person that's one step forward is better than not taking a step at all. I think in different agencies, offices, and things like that, we're all at different things. We all have made different investments of things. We're all at different maturity levels. But I think everybody's grasped onto this. I think people are starting to get an understanding. I think there's still some education, but everybody, I think from what I see, is moving in the right direction based on where they are.

35:44 Gerald Caron: Now, are we all going to get to the same place at the same time, or are we all going to look the same at the end of the day? No – but to me, it comes down to... going back to those five principles. Am I addressing those five principles at the end of the day? Doesn't matter how I did it, can I address those five principles and am I being effective at my cybersecurity? Can I prove that? Yes. Yes or no? Now, like I said we're all going to look different at the end of the day. As long as we're meeting those five principles, I think that's very important. Everybody's moving in the right direction. I just think there's some struggles in some areas and there's always going to be, but I think there's good forward motion, and like I said, if you're taking a baby step forward, that's better than just standing there not doing anything.

36:26 Raghu Nandakumara: Awesome. And so just talking about baby steps or even giant steps, what excites you most about the future of Zero Trust and Zero Trust adoption, whether it's in Fed or globally?

36:42 Gerald Caron: What excites me? Well, what scares me is, we had a discussion with an analyst the other day on quantum computing. And that's coming sooner than we think. And it's not going to be implementation for solutions that quantum computing can help enable, but it's also malicious actors leveraging quantum computing and looking at security in this different way than being compliant, doing the check boxes. Not looking at it holistically, not being siloed anymore, looking across, understanding what I actually own, what is most important to me and how I'm protecting that I think is very important. That's what I'm excited about, that it's breaking down those barriers. It's a holistic approach. It's an approach towards effectiveness, like I said, and being more effective. Because things like quantum computing scare the heck out of me.

37:41 Gerald Caron: I think we were talking, he was telling us in 10 years, it's going to be pretty much mainstream in some fashion. And that's scary as heck. Now, there has been I think an executive order that came out on that as well, where I think we got to get off the... We got to get moving to protect ourselves against that. So we got to get going on these things that make us more cyber effective.

38:05 Raghu Nandakumara: Awesome. I mean Gerry we've just covered so much today, and more than anything, I think we've got a really great overview about how you have gone about really driving a Zero Trust program, and you going through all that detail and the very organized way in which you're approaching it, I think is just gold dust for practitioners out there who are about to embark or may already have started on their Zero Trust journey. So really thank you for your time today. Appreciate taking time out of your busy schedule to spend this time conversing with us. And yeah, thank you.

38:41 Gerald Caron: Yeah, thanks.

38:42 Raghu Nandakumara: Appreciate it.

38:43 Gerald Caron: Thanks for having me, and it's great meeting you and I really appreciate the time.

38:51 Raghu Nandakumara: Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You could also connect with us on LinkedIn and Twitter at Illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host Raghu Nandakumara, and we'll be back soon.