The Everyday Battle in Cyberspace
Season One · Episode 8

In this episode, host Raghu Nandakumara sits down with Gary Barlet, Federal Field CTO at Illumio, to discuss his own personal experience with Zero Trust, top cyber challenges facing federal organizations, and why embracing an “assume breach” approach to cybersecurity matters.  

Transcript


00:09 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I’m your host Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation company.

Today, I’m joined by Gary Barlet, Federal Field CTO at Illumio.

At Illumio, Gary is responsible for working with government agencies, contractors, and the broader federal ecosystem to help them meet their Zero Trust security objectives. Previously, Gary was a Federal Chief Information Officer and is also a retired Air Force Cyber Operations Officer with 29+ years of experience in the military and in government.

Today, Gary joins us to discuss his own personal experience with Zero Trust, top cyber challenges facing federal organizations, and why embracing an “assume breach” approach to cybersecurity matters. Gary, it's an absolute pleasure to have you here today. Thank you so much for joining us.

01:13 Gary Barlet: No, thanks, Raghu. I'm very excited to be here.

01:15 Raghu Nandakumara: Not as excited as I am to have this opportunity to speak to you, Gary. So you've been in the industry for quite a while, and I'm sure you've seen a whole range of different scenarios and experiences. Can you tell us what drew you to cybersecurity?

01:30 Gary Barlet: Sure. So when I started my Air Force career, it was early on in the world of networks for the Air Force, and I actually spent the first half of my career not doing anything to do with networks. I really got heavily invested about the second half of my career. But you have to understand, being in the Air Force, we were a prime target for adversaries, especially nation-state adversaries, very serious adversaries. So you quickly realize how critical true network security, true enterprise security, is, and you realize that it's not just, "Oh, do you have updated antivirus on your laptop? Do you have a firewall turned on on your laptop? Do you have a good password?" You understand the complexity involved in trying to provide actual, true, enterprise-level security, and I found that to be fascinating. And I found the challenge of trying to outsmart your adversaries and fighting a battle, it was an everyday battle. In the military, not everyone finds himself in combat. Different skill sets find themselves in combat more often than not, or very seldom. In cyberspace, you're in combat every day, and that's one of the things I've most enjoyed about my time doing this, is you're in a fight and you're doing it every day.

02:46 Raghu Nandakumara: In my spare time, I geek out on infrastructure videos on YouTube. And I was seeing the scale of infrastructure that the Air Force and the Armed Forces deploy. How do you go about securing a network that is that vast and that diverse? How do you even go about designing that?

03:07 Gary Barlet: So it's got its challenges. I'm not going to lie. It's one thing to think about doing it in small pieces. You have to try to identify where are you going to focus your resources. That's one thing about being in cybersecurity, you never have enough resources to do everything. You've always got a to-do list that's longer than you could possibly ever hope to accomplish, and you're constantly re-prioritizing that to-do list. So the reality is, you look at things... You do your risk management, what are your highest threats, what's the impact of... If there is a compromise, what's going to have the highest impact, and you really try to focus your efforts on protecting those things. And trying to lock down the things that you think you can lock down, and the last thing is you spend a lot of sleepless nights. You don't sleep very well most nights as a result of it.

03:52 Raghu Nandakumara: I completely agree. So in your experience, and of course, we haven't even spoken about your experience at the postal service... when did you first come across the term Zero Trust?

04:03 Gary Barlet: So the first time I came across the term Zero Trust was probably, I don't know, five years ago. Five, six years ago, maybe. It's been around for a while. But it's interesting. The first time I heard it, I was like, "Oh, here we go. It's another rebranding." You know how the IT world is. We re-brand stuff, what's old again is new again, and we just rebrand things. So when I first heard the term Zero Trust, I was like, "Here we go." And honestly, part of the reason why I felt that way is some of the very first things that were highlighted in Zero Trust, they talked about identity and knowing who's accessing what. In the military, we've been talking about that for a long time. So at first, it felt like a re-branding. And then when you really start to delve into what's really at the heart of Zero Trust, you really start to understand it really is a different way of looking at things in a different mindset, especially when you really get to the heart of it and talk about the mindset of “assume breach." And assume that you're never going to completely win the battle of stopping a breach, but what you can do is try to minimize the impact of that breach.

05:01 Raghu Nandakumara: So actually, what you just said, that's something really interesting. I want to delve into a bit more. So you said that you were one of those people who, when you first came across Zero Trust, you thought, "This is just marketing hype." And in fact, there are probably still people today that say that Zero Trust is just marketing hype. But then what was interesting was you said you looked into it and you realized that this was... Actually, it wasn't sort of like new clothes on the same problem, it was actually a completely different way of approaching the problem of how we secure enterprise networks and enterprise organizations. What made you see this as a different approach? What was the difference that you saw that it brought?

05:46 Gary Barlet: It was funny. So I had always had conversations just generically, my time in the Air Force, my time as a federal CIO, about the fact that you just can't always win, you're going to lose, and had always had this idea of, "Okay, what if? What are we going to do? How are we going to respond if we lose?" And then like I said, as I started to really understand Zero Trust a little bit and think about that shift of mindset, it wasn't just a shift of mindset for me, but a shift of mindset for the people that I had working for me, the way that we approach problems. I always had this philosophy of 80 percent is good enough. And that comes down to any time you try to deploy something or you try to do something, that pursuit of perfection is impossible. And Zero Trust I think really gets to the heart of: Look, you want to continue to try to do your best, but there's no such thing as perfect. And you have to be ready for the alternative. What happens when the art of the perfect fails you and you have to deal with the breach? And I think that that's... That monumental shift in approach, in philosophy, is something that I think that modern entities, agencies and businesses, if they don't make that shift, they're just going to continue to lose.

06:57 Raghu Nandakumara: Right. And that's such a great way of framing it. Essentially, I think what you're saying is, "Don't let perfect be the enemy of good," and take that forward-looking approach, because you also mentioned this term, "assume breach." For the listeners, what do you mean by assume breach?

07:16 Gary Barlet: So if you look at... There's been all sorts of reports released recently that... The popular topic today is ransomware. And there's been recent studies released that say something like 76 percent of organizations have been impacted by some sort of ransomware attack. Well, if our defenses were so great, then why is ransomware even a conversation? Why are we even talking about ransomware? But here's the reality, you look at the antivirus market, for decades, the antivirus market has said, "If you just buy our product, we will stop viruses dead in their tracks." Never happens. Constantly getting infected, constantly dealing with that kind of stuff and all sorts of different types of malware. So here's the reality: it's just an ongoing battle that's impossible to stop and win 100 percent of the time. So the question is, we were able to make... A lot of people were able to make the shift of, "Okay, look, I know I've got updated antivirus, but I need backups. I need to back up my information because if this stuff gets infected, how do I recover from an infection? Oh, I'll restore from backup."

08:17 Gary Barlet: But, what do we do about breaches? And that's where I think a lot of agencies are still lagging, is understanding, it's going to happen. At some point, it's going to happen. There is a... So, following that mindset, you just have to assume that at some point, something's going to happen. We're all human. Networks are run by humans. I think that people lose sight of the fact that networks are run by humans. Humans make mistakes - and those mistakes are going to be capitalized on, and you have to be prepared to deal with what happens when those mistakes are capitalized on.

08:46 Raghu Nandakumara: So I think what you're saying is that it's absolutely okay to take that approach of the assumption that something unexpected is going to happen. Is that a good way of stating it?

08:58 Gary Barlet: Absolutely. And I will tell you, that is a hard thing, especially for people that have grown up in traditional IT, to make that shift, because basically what you're saying is, "I'm telling you right upfront, at some point, I'm going to fail. I'm going to fail. I'm going to fail on the job you've given me, which is to defend the enterprise that you've entrusted me with." At some point, I'm going to fail. And now the question is, What am I going to do about it when I fail? A lot of people don't want to admit that they're going to fail. And it's... Again, it's going to happen. So you might as well accept the fact that it's going to happen and then have your contingency plans in place of “What am I going to do about it when, not if, when it happens?”

09:35 Raghu Nandakumara: And I think that's right. It's like essentially assume the unexpected. And then if you start with that, then, essentially, what would you do to ensure that that unexpected event has the least negative impact possible?

09:47 Gary Barlet: And that's the key. So some people think about the fact that, Okay, something bad happened, that's the failure. In my mind, it's always been, Something bad has happened, what was the impact? What did it do to my operations? How widespread was the impact? How much did my customers feel? Because quite honestly, if the customers don't feel something and it's just something on the back-end that you're dealing with but the customers don't feel it, that's a win. If the customers don't notice the impact, that's one of the biggest wins you can have, right?

10:16 Raghu Nandakumara: Yeah, absolutely, absolutely. And so let's go from there. So we've understood how you got bought into that concept of Zero Trust. So can you now tell us a bit about how you then actually put that into practice, maybe some of the projects that you helped pilot and spearhead where you took this approach in the public sector?

10:35 Gary Barlet: I was involved with deploying CAC cards in the military. And the CAC card is the physical card that you have to put in. It was the widespread implementation of two-factor authentication in the military. And that's having that secure identity - so every one of us had a card, had a certificate on it, it was tied to us as an individual, to lock down and try to zero in on that identity piece of it. And then we capitalized on those identity pieces throughout systems throughout the entire military of, Okay, now that we know that this is supposed to be Gary because it's the physical card that's in his hand, he has entered the PIN that only he knows, now we have a certificate-based authentication that we can, with some level of assurance, say, "This is Gary." Now we can use that for accessing systems across the military.

11:23 Gary Barlet: So that was... In today's world, that's seen as Zero Trust. Again, it really wasn't called Zero Trust when we were doing those things, but that kind of approach, I think, is critical when you're thinking about these things. And then projects of migrating to the cloud and trying to adopt the security mechanisms that the cloud can bring to you. And especially when we started getting into things like doing assessments of where people are logging in from, looking at Comply-to-Connect on laptops. I was involved in a project of deploying Comply-to-Connect, where we looked very hard at what was the state of the device that someone was trying to use to access the enterprise, and then what did we do based on the state of that endpoint. So those are just a couple of examples of projects that... Again, were they necessarily called Zero Trust at the time? Sometimes yes, sometimes no, depending on the timing of the project, but from a perspective of trying to implement some of the main tenets of Zero Trust, we attempted...

12:24 Gary Barlet: I will tell you, we attempted... I was with an agency. We attempted a very large implementation of 802.1X and dynamic VLANs to try to do segmentation. And I will tell you, it was not very successful. Sometimes you try something and it just doesn't work. That was one of those projects that was not a successful implementation of trying to do a Zero Trust implementation for me.

12:48 Raghu Nandakumara: Yeah, that's a really interesting thing because I think sometimes the challenge, particularly with something like segmentation, it's not that segmentation and whatever you want to prefix that with, network segmentation, macro, micro, etc. That's been something that us as network security professionals have been wanting to do since, I'm going to say, time immemorial. But just the technology to allow us to do that at the scale of today's enterprise networks has only just essentially become available and truly usable, which is why we still see lots and lots of flat networks, it's because organizations are still catching up. Is that, essentially, the challenge you run into?

13:32 Gary Barlet: Absolutely. I mean, just when you're trying to do something like a segmentation project at scale, you run into a couple of main obstacles, number one is just sheer volume. If you're really going to do it properly, you got to really implement it with every major device that's on your enterprise. And if you've got a large enterprise, that's thousands and thousands and thousands of IP addresses that you're trying to keep track of. And then just the sheer dynamics of an enterprise, especially if you've gotten into the world of virtual machines and rapidly spinning things up in the cloud and multi-cloud environments, just that complexity that gets involved. So now you magnify your problem of, you're not just trying to keep track of all these instances of things, all these different IPs, but they're in all these different locations.

14:20 Gary Barlet: And how are you supposed to keep track of all that stuff? And then throw on top of that, you've got... Most places have a very limited IT staff for all the work that they've got to do, just their day-to-day job of trying to keep things running, and then you try to apply something like this on top of them and go, "Hey, I'm going to pick you. It's your job to make sure any time something new joins the enterprise, you've got to figure out all the hundreds of places you got to go update so that that thing connects in the way it's supposed to connect, but doesn't cross boundaries it's not supposed to cross." That's an impossible challenge to give someone.

14:53 Raghu Nandakumara: Yeah, completely. Which is why you then... I think what the fallback is, is, "Well, what compensating controls do I have?" Or more often than not, "Am I okay just to accept this risk and move forward?" And that often is what we land on, is that we just add it to the risk register and say, "Yeah, I know about that."

15:15 Gary Barlet: And that's a funny thing. That's what usually ends up happening, is you get people that go, "Okay, what is it going to take for me to try to mitigate this risk? Oh, well, if I triple the size of my IT staff and I triple my IT budget, then maybe I might be able to mitigate it to some extent." And the decision makers are like, "Yeah, where do I sign? Because I can't..." That's an impossible investment for you to make. "Where do I sign? What's going to be the impact if I don't do this?" And they... People hem and haw a little bit, and then whoever's responsible says, "I'm going to sign off on this because there is no way, Mr. CIO, I'm going to triple your staff and triple your budget to do this thing that I, honestly, am struggling to understand anyway. Because what I expect you to do is keep my enterprise encircled with this nice layer of defense, and anything inside should be safe. So why am I stroking this check for you?"

16:04 Raghu Nandakumara: So do you think that we are now at a place, whether this is in the fed space or in general enterprise, where we've gone too much towards risk acceptance and the importance of risk mitigation has kind of been put to the side?

16:23 Gary Barlet: Yeah, actually, that's an interesting question because I think the answer is yes. I think that we have gotten to a point where... It used to be the opposite problem. We didn't want to assume any risk. We wanted to mitigate everything. And then as that got beat into people's heads that that's a ridiculous approach, that's an impossible goal to achieve, people started loosening the throttles a little bit, loosening the shackles a little bit, and found themselves, I think, to the point where now there's almost no controls in place. And people are saying, "Hey, as long as it's about getting the job done, yeah, we don't care if you let personal devices into the enterprise, because it's all about keeping the... " You hear a lot about, "Well, how do we attract younger talent?" And younger talent is not used to being constrained. So we got to do things to make sure that we're not constraining the talent that we're trying to hire. So now all of a sudden, you’ve gone to, "I'm just going to accept all the risk and kind of cross my fingers and close my eyes and really hope nothing bad happens."

17:18 Raghu Nandakumara: Yeah, yeah, exactly. And when something bad does happen, what I hope is that they don't go and look at the risk register and say, "Did we really accept this risk?" And why and who, and etc. Let's come back to sort of the federal government and security challenges that they face and why they're adopting Zero Trust. So we've always seen this... This is a big push in the US federal space. Firstly, what are the challenges, what are the security challenges the federal government faces today? And why do they need to adopt Zero Trust?

17:53 Gary Barlet: Sure. So some of the challenges that they face, number one, and this... A lot of this is similar to what you're going to hear... what you would hear if you asked the same question about the private sector. But in the federal space, money, people, and then flexibility to get things done. So you start with the fact that they're constantly dealing with the federal budgeting cycle, how much money are they being allocated. And oh, by the way, people don't realize how far in advance you're working your budget from a federal perspective. It's not a matter of, "Hey, it's July and the next budget year starts October 1st. Here's how much money I want." Huh, you've made those decisions years ago about how much money you need for a given fiscal year. So you're trying to forecast into the future from a budgetary perspective, and they don't... The federal budget system isn't designed to say, "Oh, well, feel free to ask for a couple of million dollars that you can't explain what you're going to spend it on. Feel free to just ask for surplus cash just in case something comes up in the future." So that's a...

18:52 Gary Barlet: That whole cycle is a challenge for the federal government, and then just getting the right resources when you look at the landscape globally, the shortage of IT staff and the shortage of IT expertise, and especially when you start getting to security, that's a smaller piece of the IT problem... How does the federal government compete for those resources? If you're a young whiz at IT security, and you look and go, where am I going to go work?

19:19 Gary Barlet: Do I want to go work at the federal government, I'm going to be a GS whatever, and it's usually a lower GS rating making $40-50,000 a year? Or, I want to go work at some company somewhere making $140-150,000 a year? And the federal government has got to figure out a way to try to attract that person to come work in the government and not go work for one of the 10,000 openings in their home state. That's not even worrying about telework and anywhere in the world. But that is a huge challenge for the federal government and then kind of the mindset, right. Trying to hold people accountable. Right, so when you need to make shifts, and you need to make changes in the federal government, trying to hold people accountable to make those changes can be a challenge in the government.

20:09 Gary Barlet: It's very hard to fire people. And so if somebody's not doing a good job, you spend a lot of time trying to kind of bring them along before you can get rid of them, and while that process is going on, they're filling a seat, supposed to be fulfilling a responsibility. And if that happens to be one of the key positions to protect your enterprise and the person is not cutting it, it can take a long time to get rid of that person, and now you're back to the challenge of how do you backfill that seat again?

20:35 Raghu Nandakumara: Yeah, so that then brings me to a question. So obviously there's been a huge push, there's President Biden’s Executive Order last year that sort of really accelerated adoption of the Zero Trust security approach amongst federal agencies. So you kind of talked about essentially a large people problem that the federal agencies face. Given that, do you think the adoption of Zero Trust and actually following through with this EO is going to be realistic?

21:06 Gary Barlet: I think... I hope it'll eventually be realistic. It's not going to be realized in a short period of time. So when the Executive Order came out, here we go, right. Here comes another mandate from on high that's telling all these federal agencies it's something they've got to go do, and there's no money that comes with it to go do it. IPv6 is a perfect example. I lost track of how long ago the federal government was supposed to be migrated to IPv6, most agencies... don't even know how to spell IPv6 - much less have they implemented IPv6. And that was a federal mandate ages ago.

21:40 Gary Barlet: Now, I think where Zero Trust has a better chance at success is... I think there's a much more recognized need for implementing the principles of Zero Trust than there is for, again, something like IPv6. So I think some of the founding tenets and the core tenets of Zero Trust, I think, resonate with people and they understand, going back to that, "Hey, you know, I realize that we have probably accepted a little bit too much risk and we've got to figure out a way to kind of minimize that risk structure that we've got in place here," and I think Zero Trust brings some of that to the forefront for agencies.

22:14 Raghu Nandakumara: I think just to the IPv6 comment, I think anyone who's worked in networking or network security over the last 20 years, everyone has their own little funny IPv6 story. In my case, it was at a former employer, I think there was this thing called World IPv6 Day, probably about a decade ago, and we were all participating in it and... What did we have to do for that day? Just that for that one day. For that one moment, show that our external facing website could be accessed by IPv6. Just for that one moment. And after that, we're back on IPv4, everyone. Okay, so you say that Zero Trust, because of the importance of it, to just the sort of the resiliency and the cybersecurity of federal agencies at large and the criticality of it, this is one that is going to get the traction, it's not going to be another sort of IPv6, is that right?

23:11 Raghu Nandakumara: When I look at the mandate, on one side as a Zero Trust practitioner, I'm excited about it. Like finally, we've got a government agency, and that too the US Government, mandating the... And this can only be good for both the public sector in other countries globally, but also then trickling into the private sector. But on the other side, I kind of look at the timeline that has been laid out, and a part of me thinks that it's not aggressive enough. We're getting to the real risk reduction pieces far too far down the line, and why can't we go deep, broad and sooner? Am I just being kind of too greedy here, and this is a good thing, and we should get on the train and let that timeline map itself out?

23:54 Gary Barlet: So I think that I would love to wave a magic wand and have it done much faster. Having spent so much time in government, I will tell you the timelines that have been laid out are fairly aggressive for the government. And it is right, and again, I go back to, again, the whole budgeting conversation, right, and the fact that you're budgeting multiple years in advance, the procurement process. And keep in mind, and this is one thing that I think some people lose sight of, federal agencies operate under the laws that have been passed by Congress. So the restrictions that they have, people ask, why does it take the government so long to buy something? Well, I'll tell you why, because there are so many rules in place to ensure fair competition, to ensure that you try to avoid single sourcing and getting vendor lock-in, so there's all these different things there.

24:41 Gary Barlet: And they all are very justifiable checks and balances to have put in place, but the ramifications of some of those checks and balances make it very difficult for agencies to do procurement and can really drag out timelines. So it's not a matter of "Hey, let's just whip out your credit card and go buy something today and pick whoever you want," that doesn't work in the federal government. Private entities can, for the most part, go buy what they want from whomever they want, whenever they want. The federal government and the DOD, they don't have that kind of luxury, so that in and of itself automatically adds a huge amount of time to a timeline to try to implement something, just because of the sheer amount of rules that have to be followed and the checks and balances, and dealing with, you know, people protesting, right? You do a major award, you get one protest, you may have just increased your procurement timeline by 50 or 100 percent.

25:33 Raghu Nandakumara: Okay, right. So then, how do you think organized federal agencies are going to be held accountable such that they are tracking against this plan and delivering against... And I understand, right, that these are government agencies, things take their own time, but like how is the accountability going to be enforced?

25:57 Gary Barlet: So the accountability piece is the piece that I worry about the most, because if history is any judge and anything to measure by, accountability is always one of the things that doesn't seem to take effect when these kinds of things come down the pipe. You can see in a different setting, in a private company, if you told somebody, "Raghu, I've given you a deadline, I expect you to meet that deadline," and if you don't meet that deadline, there's a pretty good chance they're going to go, "Thanks for your service. You can leave now, and I'm going to try to bring somebody in there, and the next time I give them a deadline, they will meet that deadline." In the government, most people don't get fired because they didn't meet a deadline, they didn't meet a mandate. They don't... that's not why they get fired. And it's unfortunate that sometimes some of these... And I'm not saying Zero Trust is one of these, but sometimes mandates come down and it's really just about checking a box, so that somebody can say, "Hey, we did something," and then there's, "Hey, what's the next thing?"

26:52 Gary Barlet: "What's the next shiny object we're going to go chase, and nobody ever bothers to look backwards," that's, of all the things that affect Zero Trust, it's that accountability. Because really it's going to be up to the agencies to hold themselves accountable, and probably the closest thing to accountability will be, most federal agencies have an Office of Inspector General, this is something close to my heart, since that's where I come from, they'll go in and they'll write audits and say, "Hey, federal agency, you were supposed to do X by this time, we're going to write you up, you haven't done that." Right, and then that'll get published, that could get noticed by Congress. Congress may ask the head of the federal agency, "Hey, I've got a report in my hand that says 'We the Congress, the President told you to do something by a certain timeline, you didn't do it.' What are you going to do about it?" And their answer may be, "We're sorry, we're going to go do it today," or... "Yeah, we'll see what the write-up looks like two years from now when we get re-looked at again."

27:45 Raghu Nandakumara: Yeah, well, who doesn't love an audit or being on C-SPAN. I think there's lots that other governments globally can learn from the US’s sort of approach to adopting Zero Trust, but moving away from the public sector, what do you think the lessons are for the private sector? And we don't need to take it as the private sector at large, but maybe specific verticals within the private sector, what can they learn from the sort of the approach that the federal government is taking?

28:17 Gary Barlet: I think that, again, we talked about some of the inefficiencies of the federal government; take, however, that high-level, widespread focus. So within verticals, when you look at whether it's in the banking vertical, whether it's in the medical vertical, trying to take something to make it become the de facto standard, and "Hey, if you're not doing this, you're seriously lagging." And in the private sector, right... you've got competition. So I can see if competition starts going, "Hey, well, we do this and they don't... My competitors don't do this, but I'm doing this, I've adopted Zero Trust, I've adopted these security practices, I'm protecting your information, my competitors aren't protecting information." Right, I think that adoption of a standard happens faster in the private sector because of the fact that you're competing for dollars. Anything you can use as a differentiator is key, so I can imagine a private sector company going, "Hey, the President thought something was so important that he issued his mandate to the government."

29:18 Gary Barlet: "We're already doing that, right? Look how good we are, right." So within different verticals, I could easily see some of these things become kind of de facto standards, it's no different than when they start trying to compete with each other on, "Hey, what benefits do we offer? What capabilities do we offer?" I think that that's critical, and if you can get that security mindset to say, "Hey, this is another one of those things that we should be comparing ourselves against each other on," that can become that thing that I can point to and say, I do this, you don't... So I would encourage, right, in the private sector, think about some of these things and go, How can I use it to my advantage? But you better be doing it, because the last thing you want to do is pretend like you're doing it and then, you know, have something happen and have to explain to your customer base why you weren't doing it.

30:00 Raghu Nandakumara: So essentially almost using Zero Trust for security as a differentiator, and as a competitive sort of differentiator between you and your competition... Right.

30:08 Gary Barlet: Absolutely. It's interesting right... Because you look right when a private company, and I think you're going to start slowly, you're seeing this change. When a private company gets breached right, what happens... It's a big splash in the news. Then they go, okay, usually if the answer is, “Oh, we're going to pay for free credit monitoring for you for a year.” In the worst case scenario, maybe somebody files a class action lawsuit and you get the letter in the mail and then you end up getting a buck 50 as part of the settlement. But I think that you're starting to see companies that are starting to really take hits now, when these things happen, right. Because if suddenly as a customer, you start feeling like I can't trust company X with my credit card information...

30:46 Gary Barlet: What are you going to do? You're going to stop shopping there. And I think that as the populace becomes more and more savvy about the stuff, and I think there's... We're reaching this tipping point where people are tired of hearing "Oh, it happened again. And it just happens," right? I really think the populace is getting tired of that and they're going to start holding people accountable, and maybe it’ll just be with their feet and their checkbooks. They're going to take their dollars somewhere else because they're tired of hearing about, "Oh, here we go again, my stuff got compromised again."

31:13 Raghu Nandakumara: And that's a really interesting point, right? The end there, because I think that the general public now has a much better basic understanding of security breaches. They have a much better basic understanding of a ransomware attack. So it's not that organizations can kind of just sort of dust it off under the carpet and forget about it. When it happens, people have very much like a, “Oh my God, not yet again. I’m not safe there” type reaction now.  

31:44 Gary Barlet: Absolutely, I know things have changed when I get a phone call from my 70-plus-year-old mother who says, "Hey, this happened at this company, I'm pretty upset about this," and my response is, "take your money somewhere else." And she says "that’s probably a good idea." When you're to the point where customers are asking those types of questions, I really think that we have crossed a threshold of... And I don't know that we'll go back, and I think people are really just starting to get tired of this, and companies are having to start taking this more and more seriously, because some of these breaches, they've gone past their embarrassing breaches. But they're starting to become really financially impacting breaches because customers are starting to lose confidence in companies.

32:29 Raghu Nandakumara: Absolutely, but also I think the concerning thing is that when you unpack the details of what caused those breaches, the root causes are typically always the same. It's kind of like when we are often not learning, and I think that's the frustration.

32:48 Gary Barlet: Yeah, that is definitely the frustration, and I can think of the last time there was something that... Again, I'll go back to my mother. We were talking about something that had happened with a company that she was doing business with, and she had enough understanding of the problem to say to me, “My understanding was somebody had a weak administrator password. How dumb is that?” And that was coming from my mother. If it's got to the level of my mother, who is the most un-IT savvy person you want to meet, can say something like that and ask a question like that, something has shifted in the environment.

33:24 Raghu Nandakumara: It looks like she should be given a job in cybersecurity, right. She’d have the skills, she'd have the awareness for it. So just coming back to sort of Zero Trust adoption very quickly, do you see a difference in approach between how the private sector is going to adopt Zero Trust and how the public sector is going to adopt Zero Trust?

33:43 Gary Barlet: So first of all, I think that the private sector is already much further down the path of Zero Trust than the public sector is... You can just see that with different entities and some of the things that they've deployed and implemented, the government is just now starting to talk about, so I think they're already further down... And I think that they've got a couple of different things. So we talked about this competition thing, right. So take any vertical you want, and there's multiple companies in that vertical, that if I as a customer feel like you're not doing something safely, I will go somewhere else. But now, let's compare that to the public sector.

34:15 Gary Barlet: There's only one Social Security Administration, there's only one IRS, there's only one VA. I can't take my money and go somewhere else because the services I'm being provided, there is only one of those. Right, so there's not as much of driving incentive in the public sector as there is in the private sector, because the customer base is stuck. There's no competition in government, there's nowhere else to go, so they don't necessarily have the same things hanging over their head on the government side, as they do in the private sector, because in the government sector, you know your customer base isn't going anywhere. Whereas in a private sector, you have to be flexible and you have to be adaptive because you don't want to lose your customers and its revenue base and you can't afford to lose customers.

34:58 Gary Barlet: So that's why I think that's one of the other reasons why I think things take a little bit longer in the public, in the government, is because of that, the fact that there is no competition, there's nowhere else for your customers to go.

35:09 Raghu Nandakumara: Yeah. Awesome, no, that's such a great observation, sort of the driving factor behind why the private sector is going to take this probably... It's not about taking it more seriously, but it's actually going to be more aggressive and do something about it. So kind of just to sort of wrap up on this point, what does the future of Zero Trust look like from your perspective?

35:33 Gary Barlet: So I think that the future of Zero Trust is going to be about, again, going back to this whole assume breach. I think trying to get things down to the smallest piece possible. You talk about securing data, at the data element level. You're talking about securing applications at the application level, and at the individual piece, we get into microsegmentation of the individual pieces of an application. Trying to draw that ring of defense as small and as close to the source as possible, as opposed to the traditional, let's just draw big circles and try to prevent anybody from getting through the big circle, right. And doing it in such a way that it's layered, so that it really makes it difficult for adversaries to get in. And then the last piece is, is I think as artificial intelligence and machine learning and those types of things really start to get themselves more ingrained in the security world, and having those things be adaptive and not have to have as much involvement, human interaction. I think that that's going to be critical in really trying to isolate things at a much faster pace than they're able to be isolated now. And also just deployed...

36:36 Gary Barlet: Right? Just set up in the beginning, right? Just looking at how do we deploy these tools in the first place, if you got to rely on people to do all that work, then by definition it's going to take a while going back to the limit of resources. But as more and more things become automated, more and more things become with machine learning and artificial intelligence, not just with the implementation, but the deployment of the capability right up front. I really have a lot of high confidence that security’s got nowhere to go, but up, right? It's always an uphill battle, so it's got nowhere to go but up. And I think that there's a lot of room for growth and improvement when it comes to the deployment of Zero Trust, and I think as technology adapts, it's just going to allow security to adapt faster.

37:18 Raghu Nandakumara: So I think like what you're saying here is, is that you're optimistic, you're one of those people who believe that like going forward, Zero Trust, and particularly if I think back to the original formulation of it, and those rings that are around sort of continuous monitoring and automation orchestration, sort of looking forward, we will end up with Zero Trust architecture, Zero Trust ecosystems where you do have that sort of secure by design, a continuous feedback loop where data is coming in from your sensors, that your policy engine, etc., is processing to then adapt that security policy to maintain that least privileged state, and that is something that you see as being realistic in the future... Right.

38:05 Gary Barlet: Absolutely. Yeah, no, I think it's well within... And you're already seeing a little bit of that, right? You see it, you see some of that, it is already in play today, I just think that's going to become more the norm. The security is going to be rapidly adaptive, we're going to get out of the world of waiting for, "Hey, what's the latest signature update, what's the latest update that's coming in." We're going to get better and better at handling zero-day exploits and taking care of unique situations with our users, I really believe that technology is going to lead us there.

38:37 Raghu Nandakumara: So just moving off of Zero Trust for a brief few minutes. Outside Zero Trust, what else do you love about cybersecurity? What are the trends that you follow?

38:47 Gary Barlet: There's a couple of different things, right? Number one is, I just love the ongoing, constant, never-ending challenge. I just love the fact that some people would hate it, the fact that there's no finish line, there's no end on the opposite. I love the fact that it's constantly challenging. I love the fact that it's going to continuously give you something to do, right. Every morning you wake up, you've got something to focus on, and you know that there's a new challenge right around the corner. So I love to play chess. Chess is about strategies. Chess is about trying to outthink your opponent, trying to look multiple moves ahead, and that's where IT security should be, if it isn't for someone, is the fact that it needs to be about anticipation, it needs to be about thinking ahead, and I'm really excited to see... I'm worried and excited at the same time to see what advances and things like when you just throughout the increases in capabilities of artificial intelligence and then you start... More and more people are talking about quantum computing, quantum computing could potentially be the greatest boon to IT security ever, or it could also be the greatest threat to IT security ever.

39:53 Gary Barlet: And I think that uncertainty, it's kind of fun, to be honest with you... I'm a weirdo when it comes to that.

40:00 Raghu Nandakumara: Kind of to... It's always good to take for the CSOs and the CIO, who are kind of listening avidly to this, they all want to hear what is your one nugget of wisdom. So for them, top of mind is cyber resilience these days. If you could give one bit of advice to your fellow CIOs and CSOs, and how to build and optimize cyber resilience, what would that be?

40:08 Gary Barlet: Yeah, so I would say that looping back to something you talked about earlier is, if you are not assuming breach, you must be assuming breach. If you are still in the camp of, “I'm going to stop the breach”, your camp is getting smaller and is outdated. You must be in the camp of assume breach, and then you need to be looking internally at your enterprises and asking yourself, how do I mitigate the impact of that breach, how do I try to do the best I can to keep services running for my customers, and not be the person that says, "I'm going to hit the big red button and take the entire network offline." That was one thing I used to fight against some of my less advanced folks that worked for me when I was a CIO in the beginning, when they’d say, "Oh, we need to take everything offline." No, we're not taking everything offline. We can't do that, we're in the business of providing service, right. So then with that approach, you have to implement things internally, your network. And obviously, I'm a big believer in segmentation and microsegmentation, that you have to have things in turn on your network that allow you to isolate the impact right down to the smallest footprint possible.

41:15 Gary Barlet: So that the rest of your enterprise can continue to function and you don't have to shut everything down just because of a malware, ransomware, something may take a small foothold, but you want to stop it as close to the source of origination as possible and as quickly as possible, so you can continue operations and then just focus on a very small problem and not have to focus on a larger problem because you allowed it to spread out of control.

41:39 Raghu Nandakumara: Yeah, I think... So I love how you phrase that right, because I think it's the key message to security professionals: ladies and gentlemen, there are three letters of the AIC triad, and the A stands for Availability; it's just as important as integrity and confidentiality. Well, Gary, it's been an absolute pleasure, thank you so much for joining us on the podcast today.

42:01 Gary Barlet: Appreciate it, thank you and I really enjoyed the conversation.

42:06 Raghu Nandakumara: Thanks for tuning into this week’s episode of The Segment. For even more information and Zero Trust resources, check out our website at www.illumio.com. You can also connect with us on LinkedIn and Twitter, at Illumio. And if you liked today’s conversation, you can find our other episodes wherever you get your podcasts. I’m your host – Raghu Nandakumara – we'll be back soon.