From the White House to the Boardroom: Tony Scott on Leading Transformative Tech

Raghu N  00:27

Welcome back everyone to another episode of The Segment. I'm your host, Raghu Nandakumara, and today I'm so excited to be here with someone whose leadership has shaped technology at every level, from the White House to the boardroom. Tony Scott is the president and CEO of Intrusion, who focuses on automated network enforcement, and he's previously served as the US Federal CIO under President Obama. He's also held CIO roles at Microsoft, VMware, and Disney, which means he has seen firsthand how complex aging systems collide with modern realities. Tony, welcome to The Segment!

Tony Scott  01:06

I'm grateful to be here. Thanks for having me.  

Raghu N  01:09

Well, just looking through the list of companies that you have been part of and where you've held such a strategic leadership position, it really feels like we're sprinkled with gold dust today. So why don't you tell us a bit about your background, about sort of how you came into the CIO role?

Tony Scott  01:27

Well, it was a bit of a long journey. I started off a long time ago, working at Sun Microsystems in the early days, eventually took on a role with Price Waterhouse that led me to Bristol, Myers Squibb, running infrastructure, and then I got recruited to go to General Motors as CTO for their IS organization. And then that led to Disney, that led to Microsoft, VMware, and ultimately the White House. So a bunch of really just fun, great experiences in challenging environments at the same time, each of those organizations, as you may recall, has gone through some pretty significant transformations over the years, and it was really fun to be a part of that.

Raghu N  02:18

Yeah, absolutely. And I mean, kind of, I wasn't even aware of the sun, Bristol, Myers, Squibb and Price Waterhouse didn't as well. So this adds further, sort of further stars to your resume. So you spoke about transformation, and today we hear a lot about digital transformation, about how it's sort of front and center for CIOs in your experience as you've essentially watched digital transformation over the decades, what have been the key trends that you have observed along the way?

Tony Scott  02:49

Well, there's, there's always some driver for these transformations. Sometimes it's the invention of new technology that just enables new things to happen. AI is probably a current example of that. Sometimes it's other factors, it's economic forces, sometimes it's just consumer preference for things being done differently. So there can be a whole bunch of different drivers, but I think the important thing is to as an executive who's trying to be responsible for the institution's assets and long term viability, you have to be keeping a focused eye on what are these potential transformations, which one's likely to affect us the most, And what should we be doing to get ahead of that, both educationally, just to understand what's going on, and then operationally, what can we or should we do? And so that's been kind of, I think, important, at least from my perspective. And then it all starts with contextual sensitivity. You know, really deeply understanding where we're at, because somebody once said to me, it's hard to get anywhere if you don't know where you're at, and you don't know where you're trying to go. And so those are all, you know, pretty I mean, it sounds simple, but some of those are actually pretty hard in some cases.

Raghu N  04:22

So when you when you were speaking about and I like how you phrase that, like you don't know if you don't know where you're at, you can't possibly know where to go. Do you feel that sort of as that CIO role has evolved, the knowing where you're at has been increasingly and importantly shaped by the ultimate direction of the organization that you are serving so much increasingly aligned to business priorities. Yeah, I

Tony Scott  04:48

think there's a there's an interesting pattern that I've observed which is yet to be solved in some sense, which is, if you look at sort of the digital architect. Nature of most organizations, and this was true 20 years ago and 10 years ago, and largely still true today. It often mirrors the org chart of the institution. So you'll have systems that are very focused on the function that the org chart dictates. You know, I often say you could sort of overlay the technical capabilities with the org chart, and they'd kind of mirror one another in a lot of cases. And I think we're at a point, particularly with AI, where we we maybe, for the first time, in reality, have the ability to use technology to erase or undo some of the friction that often occurs in any structure that you create. You know, we tried to do it with ERP systems Many years ago, and it helped. I mean, it did some things. It created a system of record that everybody could, you know, have visibility on. But what it didn't really do was erase some of the friction around decision making and escalation and what I call opportunity enablement. And I think, you know, that's kind of the promise of, hopefully, next generation of AI today, most of it's being adopted by, you know, still segments of the organization aligned by the org chart. We're making HR better, you know, we're making manufacturing better. We're making marketing better. But I think there's some awesome opportunities across the board, and that, I think, is the coming transformation that, you know is around the corner, maybe a little bit, but it's probably the biggest opportunity

Raghu N  06:59

I completely associate with that and essentially use because, I suspect, is that that that that sort of, as you said, right? Each like BU business unit essentially ran its own tech stack, so effectively they were all sort of almost businesses within businesses, right? And then that that creates very siloed organizations, siloed technology, etc. Tell us a bit more about what you do and what specific problems you're you're helping solve for your customers.

Tony Scott  07:31

Well, this is, this is going to parallel some of the conversation we've already had, but the basic template for network security is I've got a firewall. It is the interface between me and the Internet, or, you know, my organization and the internet. And then along the way, I've supplemented my, if I'm a typical organization, cybersecurity platform, with a bunch of other tools that work on endpoints and do data loss prevention, and, you know, all kinds of other things. And a lot of that is now, you know, well established. And you know, there's fairly little distinction between the capabilities of, say, one firewall and the other. You know, they're all sort of battling it out for some nuanced sort of capabilities. But here's the reality, lots of things get through the firewall and get past all the other technology that companies have put in place or organizations. And not only that, but it turns out that all the bad things don't have to come in through the firewall. Anyhow, you have employees that are bringing things in and plugging them into the network. You're probably likely connected up to a set of suppliers and maybe customers and partners and so on. So the network that used to be pretty simple, and you have this single point of inspection called the firewall, that's not the reality much anymore. And so our belief is you've got to look at all of that traffic, what's getting through the firewall on the inbound side, what's going out to the internet that might be emanating from inside your network, and all the stuff that's going on laterally to really have effective cyber defense. And so that's what our products do. They look at the things that are being allowed by, you know, all the other stuff that you got in place. And, you know, we think it's a very useful add to anyone's cyber stack at this particular point. Awesome. Here's the analogy I use if you really want to know what's going on in your body. Is check your blood, you know, and this is what doctors do now. They take a blood sample, and they can tell a heck of a lot about what's going on just by analyzing a whole bunch of stuff in your bloodstream, where that function for your digital network. The one difference is, it's not a sample. We're not, you know, doing a point in time draw of blood. We're there, you know, in your arteries, in your veins, constantly looking at the blood you know, that's in your network, and figuring out whether something's going on

Raghu N  10:41

that should be thank you for sharing that. And I like, I love the blood testing analogy. I think I might steal that and use that for some of our own product analogies. How have you successfully, kind of found that balance between transforming the business right, transforming the organization, while also ensuring that you're managing your cyber risk adequately. Like, how do you tread that line?

Tony Scott  11:07

Well, it starts for me with a very simple sort of process, which is, take everything in your environment, hardware, software, architecture, you name it, I mean, everything, and assign it some sort of, I call it a useful life. But, you know, the idea is that nothing should go unexamined or unmanaged forever. You know, it's we all who live in houses. Know, hey, you know the roof I got to go look at every 10 years or 15 years, because that's about the useful life of those things, or automobiles or refrigerators, or, you know, all of the things in our lives all have some sort of useful life with tech. It's getting shorter and shorter and shorter, but it starts with that inventory, what do I have, and what's the useful life of it? And in that useful life can be evaluated in a bunch of different ways. One is its functionality. Is the functionality of this thing still relevant and appropriate for the mission that we have? And in many cases, you find, while it's still working, it's really not appropriate anymore. The other one is financial. Can I do the same thing, you know, for a lot less cost? And this is where Moore's Law and some of the other things start to kick in. And then the last one I think about is architecturally, what is the ecosystem that this thing lives in? And are there way better ways of organizing the pieces to do you know the business function or the organizational function better? And I think when you look at it that way and are constantly reviewing and then planning for the upgrade or the rearchitecture or the replacement of those things. Now you're on the right path, at least. The last thing in the world you want to do is kind of look the other way and ignore it and say, well, that's tomorrow's problem or next year's problem, because, like, the roof on your house, if it starts to leak, the damage is way, way worse than, yeah, proactively taking care of it.

Raghu N  13:33

How, like, you've obviously, you've spent your background is sort of CIO across so many storied companies, and now you're the CEO of a cybersecurity sort of a company, cybersecurity startup, if I'm allowed to call it that, what have been, sort of like, what have been the key learnings that you've taken from your CIO experience that you're now applying as the CEO of a cyber company?

Tony Scott  13:58

Boy, it's a whole you don't have three or four days for me to we

Raghu N  14:06

give us the golden nuggets.

Tony Scott  14:09

It's an old adage, but, you know, it starts with people. You just got to have the right team. And it's, it's a combination of both skills and capabilities, but also attitude and approach and and teamwork and so on. So we kind of have a rule, you know, no jerks. We don't want to work with anybody. You know, that's unpleasant to work with. I don't care how smart they are, if they can't play in a team world, what that we're in, it's just not going to work for us. And it starts with that you got to still have all the right skills and abilities, and then again, it might be obvious from our earlier conversation, but work on a problem that is a real problem and a lot of people would like to see solved, and cybersecurity. Is probably the ultimate example of that today. You know it. This is an issue that plagues every single person, every single institution, every government. I mean, it's just ubiquitous, and there's a huge imbalance between those who want to do harm and their ability and the cost to do that versus defending against those things. So we're trying to help even that equation. And that's a ubiquitous, universal problem, and I find people like working on these hard problems. So those are some themes that you know, sort of our takeaways from my past, where I've tried to gravitate towards those kinds of things, you know, good people organizations, you know, work with a bunch of really smart people work on art problems, you know, and low tolerance for people that are difficult to work with.

Raghu N  16:03

So I mean, I think those are such, such important sort of learnings and and things that we can all apply to, sort of like our everyday roles. If you were to look back on your, your your your experience as a CIO in both the private and public sector, what would be the sort of the most impactful or most satisfying effort that you were involved with?

Tony Scott  16:29

Boy, there's a bunch of them. Probably the biggest one, emotionally for me, was the first time I found myself in the Oval Office sitting with President Obama and Vice President Biden, and this was literally on my first day at work as well. And I think others have called this the imposter syndrome. But, you know, I for with every new job i i always had this thought, but you know, oh, my god, you know, what am I doing here? I'm not sure, ready for this role. What if I screw up? You know, somebody's gonna find out. I don't know what I'm doing. You know, all of those sort of thoughts go through your head. And on that first day, I thought, Oh, this is the ultimate, you know, screw up, you know, I I really have blown it this time. You know, this isn't at the same level of any of the other times I've had that feeling. So that was one, you know, that I probably will never, ever forget. Some of the others were events that happened where you go, Oh, my God, it's on me to go fix this. There was a time at Disney, for example, when we had a lightning strike hit our data center and take out a whole bunch of systems and our in our backups, you know, worked and covered but, and it was early on in my tenure, and I went, Oh my God. You know, we got a big problem on our hands in the federal government. It was we, when we had the OPM breach and 21 million identities were compromised, it was like, oh my god, we my team's got to go lead the charge, to go figure out how to respond to this. You know, even at Sun Microsystems, early on, we were switching from the Motorola chip to the spark chip, you know, which was a reduced instruction set chip. And there was a lot of confusion in the organization and about which we were going to support and how fast we were going to transition. And Scott McNealy, who was our CEO, said to everybody, all the wood behind one arrow had its spark, get over it, right? Yeah. And that told everybody in the organization at a high level what they needed to do to make this happen, and I would it filtered down to me, because I was working on manufacturing systems at the time, and from that, I knew exactly what to do. But to me, it was seminal moment, because it highlighted, to for me, the role that leadership plays terms of creating great direction and then allowing the organization to go. Do you know what it needs to do, to respond? So I've carried that with me, you know, since that first job of you know, you know, you got to be as clear as you can possibly be.  

Raghu N  19:44

And that was a great example of it. I love just that those, those three examples that you gave about, that the example from sun, that the example from Disney, and being sort of in the middle of the OPM data breach when you were the federal government, I just think are such great and contrasting examples. Tools where strong, dynamic leadership was needed. And I'm wondering whether, if, if you're able to, if we could talk a bit more about the OPM, OPM data breach and being the CIO, the Federal CIO, then what were the key learnings and improvements that you sort of put in place to ensure that this, that this type of data breach would be minimized going forward, like, what were the learnings from it?

Tony Scott  20:30

There were really, these are, when I tell you what they are, they're not going to sound that profound, but believe me, it was critical. So the first thing was, you know, figuring out what happened, you know, and we were actually able to figure that out pretty quickly. Somebody's credentials got compromised. That person had elevated privileges, and then, you know, the bad guys got in, yeah. So when you when you think about, well, what should we have been doing to prevent that? There's some obvious things. You know, two factor authentication. It's reducing the number of people that have these elevated privileges. It's making sure all your systems are patched appropriately. Because each of those were elements of how that particular breach occurred. So we figured that out really quickly, but then it became a question of what is the context that allowed this to happen? We did a quick survey around the whole federal government. Turns out the rule and the guidance had been issued 10 years earlier that everybody accessing federal system should be using two factor, okay. So question I asked was, well, how well is that going? Was this particular case in OPM just a rare example of that not being done, or how widespread is it? So, with the help of GSA and others, we, in a very short order, figured out there had been kind of 50% adoption across the federal government. You know, wow, 10 years, yeah, 50, yeah. You know, that's not great, yeah. At the same time, we surveyed, you know, how many people actually had elevated privileges to systems and I was used to ratios that, you know, we managed pretty tightly in the private sector, and it turned out in the federal government, this was all over the map. Many, many, many people had access that just didn't, did or shouldn't have had it, and then patching critical vulnerabilities was the third one. And, you know, it was embarrassing, you know, and the excuse was always pretty much the same. We didn't have the money, didn't have the manpower. There were other priorities, you know, we're doing the best we can all that kind of stuff. So I decided, let's do a cybersecurity sprint. I'm going to create a scorecard. I'm going to go into the, you know, West Wing every week and show the president and the Chief of Staff how we're doing. And we're going to make it visible, all right? And in about eight weeks, or 10 weeks, we got to mid 90% adoption on two factor. We got the elevated privileges reduced by about two thirds, and we reduced the critical patches from hundreds of 1000s to a few 100, right? Because in this particular case, there was clear leadership. The president said to the cabinet, we're doing this, I'm gonna, every week get this report. You can be at the bottom of the list, or you can be at the top of the list. You know, take your choice, and frankly, nobody wanted to be the next headline. I mean, yeah, of course. You know, it was very painful having to testify in front of Congress about, you know, this occurrence, so nobody wanted to be there, and that, you know, there was positive reinforcement. We were providing resources to finally get this work done. But there was also the stick, you know, at the back going, you know, you don't get moving, somebody's gonna, you know, beat on you pretty hard, probably, yeah. So that's

Raghu N  24:45

a great That's a great story, and so many ladies from that. But also, I'm just imagining President Obama in the in the Oval Office, sort of asking you, so how's our, how's our rollout of MFA going? Yeah, like, yeah. Yeah, but I think it's a great example, right? And yes, the thing that sort of got the program moving was the fact that the federal government was a victim of a significant breach, but, but then what followed was the establishment of a very clear strategy with measurable outcomes to a particular timeline, and that everyone, I think, again, sort of aligning with the other examples that you gave, like, for example, the sun it was establishing, we're doing this, and everyone's going to get in line, yeah.

Tony Scott  25:31

And what was important is, you know, this activity in terms of enforcing it and prioritizing it, kept up even after the Obama administration, my successors in the first Trump administration took this seriously. Their successors in the Biden administration took it seriously, and it looks like that's continuing. So it's important that there be, you know, sort of institutional continuity on these things for it to really work over some period of time.

Raghu N  26:05

Yeah, and I think also, and I'm not overly familiar with the US Federal sector, but there's obviously been multiple guidances and mandates that have been published over the last few years, and those particularly sort of the federal Zero Trust mandate that I think President Biden the executive order that sort of really kind of accelerated the adoption of Zero Trust across federal agencies. So do you see a lot of those kind of being rooted in the OPM data breach and then the after effects of that, meaning that just the strategy was much clearer, and the adoption was accelerated.

Tony Scott  26:43

Yeah, I think, you know, and you see this in other organizations, but you can waste a good crisis, or you could take advantage of it and really propel things forward. And, you know, I think, I think that's what happened, you know, and it continues to happen because nobody wants to be on the front page of The New York Times for screwing up, you know, but, but also, you know, we started the technology modernization fund that provided a way for agencies to get the money to do some of these long term systemic changes. And I hope that continues. And there were a bunch of other things too that had roots in those early days that, you know, continue to get improved on and and I'm really pleased to see those things happen.

Raghu N  27:33

And the other thing, I think, just sort of now looking back at sort of the evolution of, sort of CIO and and other leadership roles, I think, for quite a while, sort of the CISO, or the IT security function, was a sub function within the CIO organization, because it was essentially a technology function. But that is now, of course, over the probably the last 15 years, the CISO itself as being a role, and that now evolving into the chief security officer, which is almost directly reporting into the board and and the CEO, given that you've probably been someone who's been right at the center of this evolution, what have you been your observations? And why is this transformation being important in the leadership, in the change in Security Leadership?

Tony Scott  28:19

Well, certainly, I think you've recognized the pattern there. The importance of that role is the CISO role is, I think, not debatable subject anymore. If you don't have one, you're you're probably delinquent. I actually appointed the first CISO for the U.S. federal government. You know, shortly after I got started to that point. So, you know, I totally agree with the proposition there. I think a lot of people have focused on, where does it report more than is actually necessary? I think, you know, the reality is, it's more about making sure that that role has the ability to fully represent all of the cybersecurity risks and challenges and remedies and everything else that the organization needs, and no matter what they're going To have to collaborate with the CIO, whether they report to the CIO or not, because nothing's going to get done if there's a big conflict there. So these two roles need to be like, you know, hand in glove, and I've seen it work in a whole bunch of different ways. I think a lot of this ends up being ego driven, unfortunately and not practically driven about for this organization. What's the best way for us to to do this? You know, years ago, there was a similar problem where the CIO reported to the CFO, and because of some bad. Had experiences where the CFO would use the IT organization to balance his or her budget, because it was the part of their budget, usually, and that resulted in a whole bunch of bad stuff. There was a push to have the CIO report to the CEO, right? Yeah. Well, sometimes that solved the problem. Sometimes it didn't, and it had more to do with the efficacy of the CIO and his relationships, you know, with the other members of the management team than it did with who they reported to in many cases. So I think there's been an over focus in both cases on that, that at the end of the day, if it's an issue, you might not have the right person in the role versus reporting relationship.

Raghu N  30:52

So yeah, I think you make such a great point there, because you're absolutely right. There is a an over focus on where the CSO or the CSO sits in an org chart, whereas, in fact, as you so clearly said, is what should be far more important is, do they have oversight over everything cyber, and have they been given the authority to then take the right decisions. I think, I think that's such a that, the way you encapsulate that is is spot on, is how every organization should be thinking. Because if they're if they've been given those capabilities, then where they sit in the org chart is much less important.

Tony Scott  31:35

Yeah, the way I've expressed it to the CISOs that I've worked with, whether they report to me or or not, and I've had this conversation with the CEOs as well, is this is a role that, like the head of audit, really works for the board. You know, organizationally, they might be on the org chart, reporting to me or in parallel with me, but this is a role that really needs to have visibility and interface with a board on a regular basis and share the observations and the priorities and and what have you at that level of The organization. So I've told every one of them, you know, if you ever find me getting in the way of doing something that you need to do, go with my blessing, to talk to the CEO or the board get done what you need to do. I don't want to be the Debbie Downer on stuff that needs to be done.

Raghu N  32:39

Yeah, absolutely. So actually, I would, there's so many things I've got like that I'd love to ask you, but I'm conscious that, though you graciously said, We need a few days to talk about everything that I'm conscious of your time. So let's just talk about briefly, because cyber resilience now is kind of the like, what seems to be of paramount importance. When you ask, like, like a security leader, like, what is your focus? It's delivering better resilience, better cyber resilience, again, because of your CIO experience, how has that term resilience morphed and they and its adoption and its use and its relevance? How has that morphed over your time in the industry.  

Tony Scott  33:22

Well, I think initially it started more on the just recovery sort of point of view, like something broke, you know, how do we bring it back online? That was where a lot of the focus was, how do we not lose data? Or, how do we, you know, protect our critical assets when stuff breaks, and resilience, really, I think more embodies a couple of better concepts, which is, how do we survive and stay operational when things go haywire. You know, we can't have a world where, if something goes wrong, we're out of business for, you know, an hour or a day, or, you know, whatever. You know, there's a recent example of, I think it's Jaguar, who had some IT systems go down, and took a month, you know, to sort of and obviously, whatever resilience plan they may have had, and I think they probably didn't, or it wasn't a good one, whatever it was, didn't work, and it cost them and their In their shareholders and even their customers a lot, you know, during that period of time. So, you know, it's examples like that that you think of and say, What could we have done to better absorb whatever, because stuff is going to go wrong. I mean, that's just the reality of our world. You know? I there was. Probably never a day in my whole career where something didn't go wrong somewhere. But you know, what do we have to do to make sure it doesn't take the whole organization with us? And you see these faults in all kinds of different things. I remember sitting in my office in Detroit when the Great Northeast blackout happened, and the lights went off in New York all the way to the Midwest in a few seconds of one another, you know. And I thought, surely the world is coming to an end. I was talking to somebody on the phone in New York, and they said, oh, my god, we've just had a total blackout. Yeah. Three seconds later, the lights went out in Detroit, and I thought, oh my gosh, you know, I thought this is a massive cyberattack. World War Three has started. No turned out to be just some unfortunate legacy, you know, stuff in the in the electrical grid that failed and, right, you know, it should have been preventable, but obviously nobody had thought about this notion of resilience in the sort of proper way. And so I think it's, you know, I think because of some of these kinds of incidents, you know, we're now thinking more around, you know, staying alive in a healthy way, even in the face of stuff that's bound to go wrong at some level, and that's a better way, I think, of of knowing this.

Raghu N  36:32

I agree, right and I but I think that. But I think just even recent incidents, there was the there was the Cloudflare outage a few days ago, I think a few weeks ago, there was an outage on AWS in one of their regions. And it just shows you that that resilience, like it has to like every, literally every step in the chain, and it's such a complicated chain, needs to be the focus on resilience needs to be everywhere, otherwise you'll end up finding the thing that is to want of a better expression that's sort of held together by a shoestring. Yeah, right. It doesn't matter whatever else is resilient Exactly,

Tony Scott  37:10

exactly, yeah, yeah. One of the things in my experience was early on, when I was managing a bunch of it, people directly, they would often see something start to go bad, and they would want to study it and try to figure out what, what's going on and so on. And even then, I was relatively impatient, and I said, just restart it, you know, unplug it and plug it back in again. Take a short outage, but we've got a business to run here, and wouldn't have time to study our navel and try to figure out, you know, now if it happens again, then, you know? And so some of it is that as well. It's just, you know, shortcutting the process and just getting back to work as fast as you can. So I

Raghu N  38:01

mean, ultimately, when you boil it down to its simplest form, that's it, right? What is the quickest path to be up and running again and being productive again? Yeah, and it may not be the most elegant path, but sometimes it's, it's the most effective. It's the most effective part. So before we wrap, I have a, I have a question for you. So you're at, you're the CIO at Disney for a few years. What's your, what's your favorite Disney character?

Tony Scott  38:29

Oh, Johnny Depp, Pirates of the Caribbean. Basic, just well. And then obviously, Mickey Mouse has a, you know, as a character. But, you know, I was there during that whole Johnny Depp Pirates of the Caribbean era, and got to go on the set. And, you know, watch some of that being done. And it's just amazing how much work it takes to produce. Yeah, I could have, I should these kinds of efforts. So, favorite set of memories there for sure,

Raghu N  39:03

and at that time, I guess, like taking care of resilience was all about ensuring that everyone the filming of Pirates of the Caribbean finished on time. It got delivered on time, got distributed on time, and everyone could watch it sure exactly when they

Tony Scott  39:18

wanted to exactly. Fantastic.

Raghu N  39:23

Well, Tony, with that, it's been real pleasure to speak to you today. Thank you so much for your time. I mean, it's the fact I think most people would love to be CIOs of one truly sort of household name Corporation once in their career, the fact that you've done it on repeat, and then also thrown in time as a federal CEO. A CIO for for good measure, is incredible. So it's been a pleasure to speak to you. Thank you. Great talking with you. Thanks for tuning in to this week's episode of the segment. For even more information and Zero Trust resources, check out our website at Illumio.com You can also connect with us on LinkedIn and Twitter, at Illumio, and if you like today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nanda Kumara, and we'll be back soon.

‍