Risk and Reels: A Cybersecurity Podcast

The Admiral, A Christmas Story, new policies, the New White House Cybersecurity Policy, information security importance, DEI, diversity in cyber, government training, empowering the people, poker, hiring, and zero trust. 

Welcome Juliana Vida to today's episode - she currently runs strategy for Public Sector at Splunk. 

Creators & Guests

Host
Jeffrey Wheatman
Cyber Risk Expert, Evangelist, Thought Leader, Storyteller, Executive Advisor, and former Gartner Analyst

What is Risk and Reels: A Cybersecurity Podcast?

A podcast for movies. A podcast for cyber talk. A podcast for smart people to say smart things to smart listeners. Hosted by Jeffrey Wheatman, former Gartner Analyst.

00;00;19;21 - 00;00;48;18
Jeffrey
Greetings and salutations one and all, and welcome to today's episode of Risk and Reels. I am your host, Jeffrey Wheatman. And today I am joined by my dear old friend, Juliana Vida. Juliana and I worked together at Gartner for a number of years. She is now, she now runs strategy for Public Sector at Splunk. She also, I generally don't talk about people's backgrounds, but I do just want to call out one thing in your background.

00;00;49;03 - 00;01;03;16
Jeffrey
Juliana did us this service in the military, in the Navy, and I always want to tip my proverbial hat to folks that serve. Thank you for your service, Juliana, and welcome. I'm so excited. We've been planning this for a while. How are you?

00;01;03;29 - 00;01;11;00
Juliana
I am very well, thank you, Jeffrey. And, and it was my honor and my pleasure to serve. So thank you for always being so respectful of that.

00;01;12;02 - 00;01;33;27
Jeffrey
Yeah. So just a real quick story. So, you know, Juliana and I worked at Gartner together, and, you know, it's a big company. There are lots of people we don't necessarily know. So I was chairing the security conference in National Harbor, and one of our keynotes was, well, now retired Admiral James Stavridis, and Juliana reached out to me and said, you know, I know the admiral. Any way I can be involved?

00;01;34;10 - 00;01;49;22
Jeffrey
So we came up with this great thing. I got up on stage and I had my little notes and I start to intro the admiral and I said, You know what? I'm going to actually bring up someone who knows the admiral much better. And Juliana came up and Juliana had served with the admiral, and it was so fun.

00;01;49;22 - 00;02;03;09
Jeffrey
He was so taken aback and people loved it. A lot of people came up to me after and said that was so, that was so great. So. So thank you. And I'm glad because that, that's how we became friendly. Right. Which is awesome.

00;02;03;28 - 00;02;25;05
Juliana
Exactly. And that's a that's a huge conference. And I know that you were the chair of that conference for several years. And so for me, it was a great professional moment in so many ways. And the idea that you had to kind of have me surprise intro, my first commanding officer as a young officer, that's what I'm every this was for me was just like, I can't believe this is my life now.

00;02;25;11 - 00;02;26;10
Juliana
I mean, it was.

00;02;28;10 - 00;02;48;19
Jeffrey
Yeah, it's, you know, having jumped from such a big company for me to, you know, a small startup at Black Kite was a big, a big change because the exposure we had over there was like tremendous. And, you know, people ask me your time why I made the move. And I had a great time at Gartner. I had a great 15 year run there.

00;02;48;19 - 00;03;08;11
Jeffrey
I made a lot of friends, still friends with all those people. And, you know, sometimes timing just just happens. And I know you actually made a jump probably a year before I did. So. Yeah. So it's it is it's nice to be here and it's nice to talk. So as we are easier, we start off with a movie question.

00;03;09;05 - 00;03;26;28
Jeffrey
So as I said, I don't know when this is going to go up. And as I sit here staring out my window at the snow, a lot of movies are filmed in the winter, right? So not necessarily Christmas movies. What is your favorite winter movie? Winter theme, Winter time, sort of open ended.

00;03;28;00 - 00;03;56;14
Juliana
Well, you mentioned not, you know, there are movies other than Christmas movies, but I have to, I have to go to A Christmas Story or just have, there's so many classic moments. My family, it's become like a cult classic for us, you know, the tongue on the flagpole and the fake snow in the department store when he goes to see Santa and they kick him down the slide and just all that goofy, I don't know, from, from our childhood in.

00;03;56;14 - 00;03;58;12
Juliana
But and before I mean, probably well before.

00;03;58;21 - 00;04;03;00
Jeffrey
But I love that you should just shoot your eye out just.

00;04;05;12 - 00;04;07;29
Juliana
So sorry to disappoint you, the Christmas movie.

00;04;08;17 - 00;04;33;24
Jeffrey
But doll, that's a great choice. I love I love that movie. I think my favorite winter theme movie, though, is actually Groundhog Day, whatever. I mean, I love that movie for a lot of reasons, but for whatever reason, I always think about when he makes the ice sculpture, when he's trying to win over Andie MacDowell on whatever, whatever date that was.

00;04;33;24 - 00;04;54;01
Jeffrey
But I just, I just, yeah, A Christmas Story, really. That is a classic, classic film. And yes, it's a Christmas movie, but it's definitely a winter movie. We watched it plenty of times. So that is, that is an awesome, awesome, awesome choice. I know what I'm expecting. I'm going to buy you the bunny suit.

00;04;56;10 - 00;04;57;16
Juliana
Well, I can't wait.

00;04;58;20 - 00;05;21;26
Jeffrey
I then next time, next time we'll share a stage. You'll have to wear the bunny suit. I'll just, I guess. Santa. Santa maybe so. Yeah. They're pretty. You know, there are so many of those of those great movies out there, you know, And I think watching a winter themed movie sitting inside where it's nice and warm, I think is always, always a fun thing.

00;05;22;09 - 00;05;22;18
Juliana
Yeah.

00;05;24;11 - 00;05;48;13
Jeffrey
So let's talk a little bit about cyber. Recently, the White House released its new cybersecurity strategy. It's I think, probably the fourth or fifth one. Right. Every every White House. I think since George Bush put one out. I actually posted a blog not too long ago on it. And let's let's kind of talk a little bit about it.

00;05;48;13 - 00;06;06;15
Jeffrey
I think there's some great stuff in there, but I'd be interested to hear your thoughts having served and working so closely with those government clients. What's what's the feeling you're getting from people? Is it just another document? Do we think we got something? Does it have legs or is my old friend Dick Butterfield used to say, Does the dog hunt?

00;06;06;28 - 00;06;31;09
Juliana
Yeah, well, I think it's more along the lines of here's another top down policy that will help us more when there's more implementation guidance which will be coming, you know, it'll be forthcoming. So it's not like, oh my gosh, this is and now we're all going to get all the funding we've ever wanted and all the support we've ever wanted for cybersecurity.

00;06;31;09 - 00;06;58;00
Juliana
That is not going to happen. However, the fact that the administration continues to put out specific guidance, that language in there that resonates with people in the security industry, in the cybersecurity industry, that can only be helpful because, you know, have that top down support, even if it's very high level and not really something that you can implement against right now.

00;06;58;06 - 00;07;34;18
Juliana
That top down level is really important because it then turns into other policies, guidelines, memoranda that will then have more specificity, specificity about how to implement, you know, what what the administration is putting out. And I think it's it's also a double edged sword. So I talk a lot about this from the perspective of having been in the government and awash with RPG laws, regulation, policy and guidance with, okay, we have all these documents, we have all these policies, they often will just sit on the shelf somewhere and become something else to collect the dust.

00;07;35;03 - 00;07;56;07
Juliana
But they also are what we as security practitioners kind of always want it. We want the attention of senior leadership. We want the the voice of the top levels of the government saying this is important. It's not just mid-level or low level practitioners that are saying this is important, but it's the senior level folks too. And you have to have all of that.

00;07;56;07 - 00;08;16;17
Juliana
You know, you have to have top down, you have to have bottom up in between is where the guts are. That's where industry gets involved. That's where we can be most helpful. You know, this as a as a vendor to just go making broad comments about, hey, government, we know you have these problems and what will help you is not nearly as helpful as specifically.

00;08;16;17 - 00;08;37;01
Juliana
Here's where we can help because there's so many vendors in the space. So all of that to say the guidance is very helpful. It is encouraging for people in the security space to say, see, this still is important. In fact, it's even more important than ever. But the devil will be in the details and the implementation guidance will follow.

00;08;37;04 - 00;08;51;18
Juliana
And that's where people will actually be able to make puts and takes and where they spend money and where they make investments about the technology use that will be that will bring those policy guidance elements to life.

00;08;52;24 - 00;09;21;11
Jeffrey
Okay. So that's a great take. So a couple of sort of questions, kind of diving down a little bit. So so there are definitely some very different things in here than we've seen before. I think there is a much stronger push about addressing organizations that are within, you know, the critical infrastructure areas. Here's the problem that I have, and I'd be interested to hear your your thoughts.

00;09;21;11 - 00;09;40;16
Jeffrey
Right. You're going to go to an energy and utility company as an example, and they have systems that are old and they're not going to be able to lock them down. So how do we go to one of these companies and say, so, you know, this thing that works, you need to spend $200 million and replace it. Who's paying for that?

00;09;41;17 - 00;09;57;06
Jeffrey
We will. As as users, right? So how do we. But I just feel like it's it's 0 to 100, Right. So what do we do while they're saving up their pennies to replace that $200 million system that works?

00;09;58;05 - 00;10;26;10
Juliana
Yeah. Wow. If I had the answer to that question. Definitional. I mean, because we're saying that is the problem. That is a huge challenge specifically for the public sector. That's my expertise, that there's so much technology that we know it and and there's even guidance about that. Thou shalt upgrade and modernize your legacy technology. Okay. There isn't going to be a pile of money coming from the sky to to go do that.

00;10;26;18 - 00;11;11;01
Juliana
However, I do think I like how you put it while they're saving up their money to go buy the next modern thing. There are cultural and people related things that governments can do, that companies can do that can kind of close that gap a little bit between for the technology to catch up. There are millions of people that work for the federal government in all the levels, you know, including the Department of Defense and all of the intelligence community and all of the agencies that have a presence worldwide, like the State Department and, you know, others that aren't just in the United States, millions of people who still, because of cultural barriers and information sharing

00;11;11;01 - 00;11;43;26
Juliana
barriers, do not think that technology or information security is important to them and they don't have time to go learn it all. You know, you and I are experts here, and I would venture to guess free, but you're still learning stuff, everyone, right? And so am I. So what are the chances that someone who's maybe early in their career or even mid-career in the government have even a baseline of knowledge and understanding about their role in protecting the systems of the government that they use every day?

00;11;45;12 - 00;12;10;02
Juliana
They're, they're so far removed if they're a finance person or an acquisition expert or job interview contracts, or their job is to do audits on, you know, down the line of whatever HR system that they might be an expert in. They are not something that they play a role in, in protecting the information of the department of XYZ.

00;12;10;02 - 00;12;52;28
Juliana
Whatever they work for. So the opportunity is for senior leadership to empower those people, send them to the free training webinars. I know, know this one. It a lot of other vendors do it with vendor small vendors. We have free education. Come listen to the webinar, come do the hands on, you know, hackathon event, learn something new so that when the government or when the agency that they work for does have the money to put in place the technology, that person, those people may already have an idea of, Oh, I've seen this technology before or Oh, I don't tune out when someone talks about zero trust because I don't think it's important.

00;12;53;06 - 00;13;16;06
Juliana
You know, raising the level of education and awareness of the entire workforce is just as important. I would argue right now as turning a switch on ripping and replacing that old technology with the new stuff because there's just technology just moving so fast to wait until the tech is in place, until you actually empower people to use it is is way too late.

00;13;16;16 - 00;13;36;11
Juliana
So that's why, that's why I think people can make some real changes and it makes people feel good about the work they do. I like to say no one goes to work wanting to suck that day. They don't. They want to be good. Well, when they're constantly being told, you just keep doing your job over here, Mrs. HR Person or Mr. Finance Person, and the IT

00;13;36;11 - 00;13;59;25
Juliana
people are going to take care of the technology. They, they, they can't feel like they have a rightful place in, you know, leveraging technology or being a good steward of it so that there's not another hack and another agency doesn't get attacked. So education awareness training, a lot of which is free, that is where the government can get immediate results.

00;13;59;29 - 00;14;00;08
Juliana
Right.

00;14;02;01 - 00;14;29;24
Jeffrey
Okay. Interesting. So so I think you said a lot of interesting things there, but I just want to put a little bit on the this sort of process and people element. Right. I think the tendency is always, well, what tool can we buy when in fact we know that tools are there to enable people in process. Right. So, you know, hiring people has been a big challenge.

00;14;29;24 - 00;14;55;29
Jeffrey
We've actually talked about it with a couple of other other guests. And I was actually in an event in in New York yesterday and they were talking about, you know, the difficulty. And I think I think there are a couple of challenges there in the people say, number one, I think there is not enough people, but more importantly, I think there are opportunities to pull people from other areas that we are ignoring.

00;14;57;05 - 00;15;26;25
Jeffrey
I think there's a lot of, I mean, you and I have talked about this and, you know, we work together in the DEI group and our former employer. In my opinion, there are not enough women in cybersecurity. There is not enough diversity, not just from, from a racial perspective, just from a cultural, from a background perspective. We know the government tends to be sort of monocultural in a lot of ways.

00;15;27;08 - 00;15;49;04
Jeffrey
And I think, you know, because you are in the military, they want checklists still, and we've been trying to move them away. I mean, ever since RMF came out, which I thought was a great framework that we just have to wait for a lot of people to retire because they want the checklist. They want to cover themselves. So how how do you see not just the government, but but focusing critical infrastructure to covered?

00;15;49;14 - 00;15;53;26
Jeffrey
How do we address the human problem? We don't have people.

00;15;54;19 - 00;16;16;27
Juliana
That's well, first of all, you're right. There aren't enough people, which when you really think about that, is pretty scary because there are other countries on the face of the earth that do have lots of people who are indoctrinated. Some of them are very young and do things, you know, with a hands on keyboard or or insulin or let me let me just not go there.

00;16;16;27 - 00;16;37;25
Juliana
You know, our our our major global competitors have people that they can tell what to do or people will do them. We don't have that in the in the US, thank God. You know we have a much better system here, but we have a lot of gaps with talent, with skills, just like you said. Now that's where the automation conversation can come in.

00;16;37;25 - 00;16;57;09
Juliana
That's where we can have a conversation about you can, you know, help one person be ten, 20, 100 times more productive if you incorporate modern technology that enables them to do that. But we started out the conversation by saying, you know, there might not be enough money to bring those tools in, but this isn't going to sound sexy or cool.

00;16;57;09 - 00;17;30;08
Juliana
But what we're talking about is going to require, honestly, like kind of brute force, personal, intentional outreach to those underrepresented groups that experts like you, people who care about D&I, like me and you and Ana, in our, in our network, we have to create opportunities that make women, people of color, people with neurodiversity on the spectrum, to make them feel welcome, wanted and truly included in this work that we do.

00;17;30;19 - 00;18;17;11
Juliana
That means that every, I use the example of a hackathon earlier, all those hackathons cannot, cannot be branded as come wear your jeans and your hoodie and your sunglasses, work on this problem, because guess what? That doesn't appeal to a lot of other demographic groups than the majority demographic group. So it has to be let's create an event where women might want to come to that, speak their language, but that maybe uses different words than hunting or, and I'm not saying we can change the lexicon of cybersecurity overnight, but we know that there are words that attract certain demographics and certain words that repel them.

00;18;17;23 - 00;18;43;14
Juliana
So let's get smart about how to attract the talent. Talent pools we know are underutilized. One thing I've learned about this over the last couple years I never really thought about was people on the autism spectrum. They would be perfect for this kind of work because they just want to put their head down and do work that is analytical and and they're not interested in the social element of, you know, let's hang out and have coffee and whatever.

00;18;44;14 - 00;19;11;21
Jeffrey
Let's, let's say no. I know plenty of people who also have social issues, but also not social issues. But yeah, they, they just want to be in front of the computer. But, but that's a, that's a really good point. I, I think sometimes we hear DEI and it's always about gender and skin color. Yeah, right. But I think you point out a really interesting, interesting one about, about neurodiversity.

00;19;11;21 - 00;19;36;29
Jeffrey
And we know people on the spectrum, for example, are really good at pattern recognition because they have a level of focus that that we can't get to. So in interesting here, here's the challenge that I see as a white dude. In one day at the Gartner Security Conference, I went to go attend our friend Deb Logan's presentation on using neurological sort of tips and tricks.

00;19;37;22 - 00;20;02;02
Jeffrey
So it's a great session. I'm sitting there, I turn around and look at the room, you know who's in the room? A bunch of women. They already know there's a problem and they can't fix it, you know? Wasn't in the room, guys. People who can actually fix the problem. How do we how do we do that? Because I will tell you, I have for the last year, I have been trying to get in touch with groups that help support.

00;20;02;13 - 00;20;37;22
Jeffrey
I want to help. I can mentor people. I, you and I have had a lot of conversations about sort of careers and like what's next and what we can all do and how we can leverage what we have and what we know. I can mentor people, I can coach them, and I'm having a problem getting involvement. I mean, even the DEI group, Gartner, it was like me and Andrew and, and a couple of people who show up and it was a bunch of amazing, amazing women who are in a position to change the status quo.

00;20;38;06 - 00;20;41;07
Jeffrey
So what do we do? How can I help? I want to.

00;20;41;09 - 00;21;16;12
Juliana
Help. I think it's kind of the reverse of what I just said about reaching out to underrepresented groups. If there is an event like, you probably kind of knew that when you went to the Deb Logan session, you might be one of the only white dudes in the room. You probably thought, Oh, well, knowing that maybe you could have reached out intentionally to a client or a peer or one of your former water analyst buddies, I'm going to go to Deb's session with me or, you know, I know you're, you're active with in LinkedIn and women are often calling out their male allies.

00;21;16;13 - 00;21;40;23
Juliana
The men in their lives that are supportive reach out to them and say, hey, bro, I'm going to this event and I think we need more men in the room. Would you come with me? So I think it's a two way street there that we all can do a better job of just taking our engagement to the next level and bringing in people who we see out in the environment, engaging and sharing great content and being supportive.

00;21;41;05 - 00;22;05;14
Juliana
And when we have an opportunity to go to an event, let's bring them along. And then they tell two friends and they tells your friends and so on its own. It's not going to fix the problem tomorrow, but you are on the exact right track of all of those women in the room, of all of those women in the room, likely most of them are not in the position and don't have the power to do anything other than get more educated about a topic they're already pretty familiar with.

00;22;05;25 - 00;22;23;08
Juliana
So it's on all of us. Reach out intentionally. You know, each one, teach one, whatever length, you know, whatever quip you want to use. But that's what I would suggest. You know, a lot of really influential people, Jeff, and I would say use your powers for good. I mean, I'm not saying you don't. I'm just No.

00;22;23;18 - 00;22;46;21
Jeffrey
No, no. You know what? You're you're spot on. I think maybe I'm making the mistake of observing the problem and admiring it and not I like that. So next time I'm going to drag some some of my brothers with me, so. All right. Excellent. So. So let's let's get to circle back, because there are a couple of other things in in new cybersecurity strategy that I thought were interesting.

00;22;47;27 - 00;23;17;14
Jeffrey
One was the concept of pushing responsibility back on the hardware and software companies. Right. So you work for a company that is not small, right? So you're probably in a better position to be able to make sure that everything is spot on. But there are lots of companies out there that are smaller and don't have, you know, 200 people in there in their dev teams or their team.

00;23;18;05 - 00;23;44;20
Jeffrey
How do we do that? So I think in theory, I think it's a brilliant idea. Right. But how in practice, how do we do that in an evenhanded way so that the smaller companies can function? Yeah. All right. And how do we, how do we know what's, what's good, right? Because code is never going to be perfect. Yep.

00;23;44;20 - 00;23;50;08
Jeffrey
So where does the level of blame go in that particular because I think it's a great idea.

00;23;51;04 - 00;24;14;09
Juliana
Yeah, well, another great question I wish I had the answer to because it was whatever. But one thing that I a couple of things that I think could work, and that is this was a concept that was unfamiliar with the software companies and that was the concept of the channel selling through larger companies that we partner with because they have a broader reach than we do.

00;24;14;15 - 00;24;35;15
Juliana
You're right, Splunk is not small. It's also not a behemoth. There are a couple of them out there. I won't name them, but even they want to expand their reach with more customers. So how do you do that? You find a channel partner who has relationships with other client places or other vendors that you can be better together with.

00;24;35;25 - 00;25;01;07
Juliana
So I think that's one way. Now I can't speak for every other vendor and I can't speak for every small company and how how expensive that is for small businesses. I don't know how difficult, but I would imagine that the same kind of structures that exist in the partner and channel ecosystem and the government, quite honestly, because there are public and private partnerships that are gaining more ground today than there ever were before.

00;25;01;11 - 00;25;27;24
Juliana
And thank God for that, because the government cannot do it not even close to on their own. You know, they need industry to come along. So hence the public and private partnership. That is somewhere where I believe companies of all sizes are welcome to engage, you know, because there's an awareness that even at strong tech companies with brands that have been around for a while, even we don't have all the answers either.

00;25;27;24 - 00;25;50;26
Juliana
And there we don't. Every element of tech or cybersecurity is not our our niche is not somewhere where we're going to invest. So we benefit when those smaller vendors and the Internet ecosystem as well. So it has to be those partnerships because there is no way every small company that has, even if they have the best widget in the world, will be successful selling to the government.

00;25;51;00 - 00;26;16;07
Juliana
It's too hard, it's too hard, too bureaucratic. There are whole businesses that are built around helping small companies do with the government, and most of them stop doing, most, not, I shouldn't say that, most, a large portion of small companies just say, I can't afford this, I can't do it. I can't get the FedRAMP certification, I can't put together in a partnership kind of structure.

00;26;16;19 - 00;26;20;23
Juliana
Maybe there's more help for those small companies to to be successful.

00;26;22;03 - 00;26;36;25
Jeffrey
So I love that. But to play devil's advocate, do we think that we're then going to end up with a monoculture where these big companies are going to gobble up all the small providers? Right. If I have to help you protect your stuff, I might as well own you and reap the benefits of that.

00;26;37;16 - 00;26;58;17
Juliana
Well, there is some of that, but this is another evolution that I've seen. Just one minute Splunk, and that's because we have a pretty robust government affairs business unit that I never knew about before. And we have dialog with Congress and there are fractures around that and there are ways that we as a vendor can voice our concern.

00;26;58;17 - 00;27;32;03
Juliana
We have the same concern, you know, because the bigs, just like on the industrial side, look at the companies that make hardware and jets and that they're so huge, they, they have a lot of power and control in terms of gobbling up companies. Well, the same is true on the tech side. But what I've seen is that more and more on as many as we'd like, but more and more elected to Congress people and senators are getting smarter about technology and their role in legislating technology than there ever has been before.

00;27;32;29 - 00;27;58;15
Juliana
We need more education, yes, but at least they're opening their doors to have conversations or even at the committee level or the subcommittee level. They are listening to technology vendors like like us. I would imagine they're open to startup conversations as well. I just don't know because I'm not in one. But that didn't always exist. You know that sharing of information, that opening a dialog.

00;27;58;28 - 00;28;24;28
Juliana
So that is our way as a as a vendor to kind of hedge against or help to hedge against that monolithic, you know, monopoly take over. Because left to their own devices, the large companies will probably want to do that. So there are ways for us to vocalize why monopolies are a bad idea, you know, and behemoths. Just scooping up small companies is a bad idea.

00;28;25;07 - 00;28;30;19
Juliana
And I think we just have to keep leaning into those opportunities and talk with legislators when they give us the open door.

00;28;31;23 - 00;28;57;09
Jeffrey
Right? Yeah. I mean, it's, we're, we're definitely seeing consolidation in the cloud in general, which I think is going to, one of the problems that we are working with our clients solve as an example is concentration risk and cascading risk. Well, if you don't have options, you don't really, you lose the ability really to deal with, to deal with a lot of the concentration risk.

00;28;57;09 - 00;29;29;12
Jeffrey
So. All right, great. So you you mentioned public, private. So that was sort of the third thing that I wanted to talk about. You seem somewhat optimistic, which is good. I have not been as optimistic because we've seen this conversation before and a lot of the big companies kind of go like, what's in it for us? And years and years ago, I covered encryption technology and there was a standard called actually 1619, and it was about key management.

00;29;29;27 - 00;29;50;28
Jeffrey
And every vendor in the space said, Oh, we'll be happy to manage everyone else's keys. Oh, you want to manage my keys? Not so much. Right? So, so it seems to me that a lot of these these things, it's very difficult because people don't want to give up control, right? They don't want to open their own code, as it were.

00;29;51;07 - 00;30;07;22
Jeffrey
So what are so you see, I'm optimistic about the public private. You gave some some you alluded to some examples. So where where are you seeing public, private, actually be good and bringing value as opposed to just more headache?

00;30;09;00 - 00;30;55;23
Juliana
Ukraine. I will say that unfortunately the and this is the case with many things, right, Jeff? It takes a crisis to open up breakthrough some of the paradigms and some of the barriers that have existed. It doesn't always work out, but when something bad happens, people rally together and they want to do good in the world. And I would argue that the Ukraine, the war in Ukraine right now is one of those brewing platforms where there are vendors coming together with government to share more than they normally would, you know, because it's the right thing to do for this country that's been overrun and and yet has a leader like I don't think we've ever

00;30;55;23 - 00;31;20;14
Juliana
we've seen, you know, in modern years that people want to get behind. I, that's just personal because I know Splunk is involved in some of those conversations. So I know that we are involved. But I think that's, that's an example of if we can use that to show there is, we're better together sharing information than if we keep protecting like, like you use the key example, I'm going to share my key.

00;31;20;21 - 00;31;53;12
Juliana
Well, then guess what? Stuff like 9/11, you know, the cyber and the, all the cyber attacks that are going on around the world that happen because of lack of information sharing, they're going to keep happening to us. And nobody wants that. You know, nobody wants that. So maybe this time, Jeffrey, we can get everybody behind how, look, if we come together, we can actually support this horrible thing that's happening in the world that is, is not right, is unfair, is, you know, killing people and all that.

00;31;53;12 - 00;32;29;05
Juliana
So that's that's my one example. And I'm hopeful that it lags behind it. The other thing is the notion of timing and there are certain concepts that just people aren't ready for until certain times in history and in our lives and maybe the time is right now. More people in the world, practitioners of cyber security, are aware of how cyber can affect them on a personal level, that they're paying attention, that they're learning more.

00;32;29;25 - 00;32;36;01
Juliana
Maybe that will be helpful and I am optimistic. I am hopeful. Maybe my bar is pretty low. I don't know.

00;32;38;13 - 00;33;03;29
Jeffrey
Well, you know what? That is one way to to not be disappointed. So so, you know, it's funny you mention the global aspect because back in December, I was approached to write a blog on predictions and I kind of don't like doing that because you either you're either not interesting or you're so aggressive, people call you a dope.

00;33;04;10 - 00;33;29;03
Jeffrey
So I ended up actually writing a more humorous take on it. And one of my predictions was that we were going to see a global cybersecurity regulation. And what's funny is we're actually surprised to hear buzz around that. And a buddy of mine, Larry Whiteside, who I don't know if you know him, but he's very he's very visible, so very into it.

00;33;30;11 - 00;33;55;01
Jeffrey
He was actually at the White House not too long ago, but he he does these walking kind of video snippets and he actually talked about it. He said is is it time for a global regulation? So maybe maybe it is time. I don't know who would write it. And so somehow I think that some of the major players out there that are that we would need to be involved are actually part of the problem.

00;33;55;01 - 00;34;28;02
Jeffrey
And I don't want to get political, but yeah, I think we all know we all know who those people are. So I think it's interesting. They I do know that we have seen some global push toward like a ransomware policy set at least. But I'll tell you, I was talking to our head of research last week and we were talking about ransomware and ransomware gangs are are the new unicorn startups.

00;34;28;12 - 00;34;57;16
Jeffrey
They have documented organizational charts, they have customer success, they have sales, they have marketing, they have tech support, they have business units. You know, we were talking about how, you know, ransomware attackers sort of find their targets and they farm them out to people who know the industry. Right? So the bad guys are working together and we as defenders, not as much.

00;34;57;27 - 00;35;21;08
Jeffrey
And I just sometimes I feel a little hopeless. I mean, part of the reason why I left Gartner to come to Black Kite is because I'm closer to the problem and I feel like I can be more good. But I still talk to people who are really struggling with some of the basic blocking and tackling. And, you know, I definitely I agree with you.

00;35;21;08 - 00;35;43;16
Jeffrey
I think there's some good stuff in the in the strategy. I just think there's a reach to get a lot of it done. And as we know, the way the way these things work is if we have a shift in party leadership, they'll chuck it and they'll publish another one. And I think that that's one of the challenges that that we see.

00;35;43;16 - 00;36;02;23
Jeffrey
And it's not just the federal level, right? We see it at the state level, at the city level, you know, and you may get to like a new governor gets elected and they're less technical, more technical. And I just feel like there is there's a lack of long term consistency. And this is a long term problem that can't be solved by a new strategy every four years now.

00;36;03;10 - 00;36;27;08
Juliana
Absolutely I, I just there's no easy way to solve the issues that you're bringing up. There just isn't. But the hope and then the open dialog, let's share more than we've ever shared before, you know, in the past, because that's the only way we're going to be successful. We just have to keep that up and, you know, and hope that and hope that terrible strategy.

00;36;27;08 - 00;36;47;13
Juliana
But the momentum that we have right now, people are paying attention. The administration is providing governance and help. We can't make ourselves crazy with what might happen after the next election because, first of all, we know it's going to be, you know, combative and there's going to be all kinds of inefficiency and mudslinging and all that kind of stuff.

00;36;47;13 - 00;37;12;10
Juliana
But let's not do that. Let's not let that from keep let's not let that get in the way of creative solutions and partnering while we have the opportunity, because it is the right thing to do and our adversaries are out there kicking our butts in so many ways that we've got to do something different and that joining together is is the way to do it.

00;37;13;11 - 00;37;36;04
Juliana
One thing that kind of comes to mind, Jeffrey, I think, is talking to nontechnical people about why this is important can be hard to do these stories. And then I kind of brought up real briefly the issue about Ukraine. You only have to share a little bit of information with people about how important the cyber environment is to Ukraine's success to get people going.

00;37;36;04 - 00;37;48;00
Juliana
Oh, okay. I see why this could be valuable. But another one that another colleague of mine shared with me recently is an example he uses about playing poker. I don't know if you play. Are you a poker player?

00;37;49;05 - 00;37;57;12
Jeffrey
I know how to play poker. I am too emotional to actually gamble because I yeah, I'm too emotionally invested in Vegas.

00;37;58;24 - 00;38;21;24
Juliana
I play poker in brief. I'll just be realistic about it. The idea is that there's cards that are put on the table that are community cards. Everyone uses the cards that the dealer puts out, but what you have in your hand, your cards in the hole, are the cards that only you see. So you're making making bets or taking risks and thinking about what other people are likely to have based on how they're betting their money.

00;38;22;03 - 00;38;51;22
Juliana
Well, sometimes there are people at the table who are in collusion with each other, and they are giving each other signals about what kinds of they have. And, you know, they have an advantage because they are sharing information that the rest of us we need and don't have. So I kind of liken that to not that we want to talk about us being in collusion with each other, but your chances of being winning, taking the pot, you know, winning the game, whatever, they go way up.

00;38;52;00 - 00;39;10;29
Juliana
If you know what all the other cards are that everybody has, Right. And so that's the timing. That's where we need to be sharing information with each other, because our adversaries are in collusion at the table. They are there to take our money and take a lot of stuff that's more valuable to us than money. And we have to think of it that way.

00;39;11;03 - 00;39;40;03
Juliana
You know, we've got to start playing together. And if we don't, we're just going to be the schmucks that keep getting our money taken away from us and, you know, changing the rules of the game not to be illegal or unethical, but stuff that we can control, the trusting other government agencies, for example, trusting other companies that you might have partnerships with, like let's actually lean into that and, and share and yeah, maybe it'll hurt our pocketbook in terms of market share or who we sell to.

00;39;40;12 - 00;39;46;28
Juliana
But that's not as important as being able to help the world be safer, you know, for everybody. My opinion.

00;39;47;15 - 00;40;10;09
Jeffrey
I'm, I'm with you. I, I, I want I want to help people be better. And I do think there is a little bit too much sort of cutthroatness. That's the word. I don't think it is out there. And I think when it comes back to the whole standards thing, right, if everybody worked together on one set of standards, everyone would be better off.

00;40;10;09 - 00;40;38;28
Jeffrey
And I don't think it would negatively impact anybody's market share. It would actually force people to actually execute. What a shocking idea. Right. Let's let's actually reward companies that execute well and have good products rather than than the ones that are holding extra hole cards. I love that poker metaphor. I did I did go to a casino last week and sit down at the blackjack table, and I lost $60 in like three and a half minutes.

00;40;38;28 - 00;40;56;05
Jeffrey
So not a not that not a very good gambler. Here I have my buddy and I sat down. I had I had blackjack the first hand. I was like, ooh. And then I hit 20 and the dealer had 18. Ooh. And I didn't win another hand until all my money was gone.

00;40;56;26 - 00;41;01;19
Juliana
Well, but when you go to check out you do you control how much money you're.

00;41;01;19 - 00;41;28;19
Jeffrey
Going to lose in the end. Well, she was awesome. Yeah. That I think put something up on LinkedIn about it for International Women's Day because she is one of the undisputed queens of of rock and roll. And they told her back in the day, you can't be a woman in a rock and roll band. And she showed them she's, you know, in her sixties and she's still, you know, out there rock and roll.

00;41;28;19 - 00;41;58;14
Jeffrey
And so, yeah. Okay. So one last question before we before we do our wrap up and how so from so you mentioned the very beginning talking about how the new strategy is a good framework and that there is going to be a bunch of guidance coming on. Is the guidance coming from the White House, are they looking at this and this and the D.O.D. like, what are you hearing?

00;41;58;14 - 00;42;08;04
Jeffrey
And obviously, I won't ask you to share anything that is under you, but what are you hearing from the people that are going to be doing these things?

00;42;09;07 - 00;42;32;21
Juliana
Right. Well, what traditionally happens and I'm not I am not a government affairs expert. I'm just going to tell you that as this happened to their knowledge and their expertise. But what happens is after the an executive order comes out or an administration level policy, the Office of Management and Budget, OMB will then issue a series of memoranda that then get more specific.

00;42;33;12 - 00;43;03;06
Juliana
So when this executive order came out, you know, 18 months ago or so, and then the OMB issued a series of memoranda, OMB Memorandum 21-31, for example, was about the data logging component of the executive order, cybersecurity executive order. So it's like a level or two of specificity that then the agencies and industry can look through for specific.

00;43;05;15 - 00;43;27;14
Juliana
You have to log, you know, maintain your data logs for this period of time or it's very, very specific. And that stuff we can take action on the conversations we can have as a vendor with our customers about take this high level guidance or let us help you with this data logging piece. So and that was just one of the memoranda that came out subsequent to the executive order.

00;43;27;21 - 00;43;46;13
Juliana
So my guess is that's what's going to happen next. And then every agency and then they have their own strategy document that that they will incorporate pieces of the National Cybersecurity Strategy into their document. So that's that's what happened. That's I can't speak for every department because I know. But that's and.

00;43;46;22 - 00;44;01;09
Jeffrey
Going to be able to are we going to be able to make any substantive progress before the next election? Because we may have an administrative change. And if we do, I feel I feel like so much of what gets done then gets back out when there's an administrative change.

00;44;01;29 - 00;44;24;11
Juliana
But. Well, I get your point but a lot of what's in the cyber security policy isn't new. It's just new in policy, you know, So it's people who are already working on the things. I'll use zero trust as an example, again, just because that one is a is a term that is coming out in legislation and that, you know, we're this is like, oh, hey, zero trust.

00;44;24;12 - 00;44;28;02
Juliana
That's a showed up on my you know, in my inbox yesterday. Now it is I'm sure.

00;44;28;03 - 00;44;33;09
Jeffrey
Not much familiar with zero trust I you this is the pcci though that's what everyone is saying.

00;44;36;02 - 00;45;05;11
Juliana
So that's you know people are already working on these issues, already delivering capability that aligns with the what's outlined in this in the strategy, which just adds that layer of authority. You know, and legislation that's required for a lot of organizations to actually take action. So, you know, not not a whole lot new. You're not going to see steps of, oh, wow, they just educated me on a bunch of stuff because you're an expert in this field.

00;45;05;20 - 00;45;18;03
Juliana
So that's yeah, I yes, but we change it after the next administration. But I wouldn't say the earth shattering because progress is already happening along with the elements that are in the strategy.

00;45;19;08 - 00;45;43;09
Jeffrey
All right, awesome. So we are about out of time. I want to thank Juliana for joining us. Let me give you a quick recap and then I'll kick it back to you for any final thoughts. So, Steve, it went to a movie, Christmas Story. And as we're sitting here, you know what I my vote I am with you. Christmas Story is the one. Positive partnerships are definitely really, really important in there and you're definitely seeing some some good movement there.

00;45;44;07 - 00;46;06;07
Jeffrey
I need to be part more part of the solution for DEI and I am going to take that as as some homework. I have always been a big fan of that work and I do think I can probably do more. So I'm definitely going to going to do that. And Juliana thinks that we're actually going to start making some some progress with with with cybersecurity.

00;46;06;07 - 00;46;11;26
Jeffrey
And I hope that she is correct. Any final thoughts, my friend?

00;46;14;08 - 00;46;32;28
Juliana
Keep going, Jeffrey. Keep being out there, having different conversations than everyone else because there's a lot of noise and the more creative you are, the more people are going to listen. So thank you for having me be part of that effort and part of that journey. It's a pleasure to be your friend and your and your former colleague and keep rocking.

00;46;33;26 - 00;46;46;19
Jeffrey
Awesome. All right. Thanks, Juliana. This has been another episode of Risk and Reels with our guest, Juliana Vida. Stay safe, Stay healthy, Stay secure. Wheatman out.

00;46;55;12 - 00;47;15;23
Ender
Thank you for listening to Risk and Reels, a cybersecurity podcast. Be sure to follow us on Apple Podcasts, Spotify, or wherever you listen to riveting 30 minute conversation about movies and cybersecurity. Jeffrey will be on the road this year at some of the industry's biggest events, but you can always find him on LinkedIn and Twitter at Jeffrey Wheatman.

00;47;16;21 - 00;47;25;15
Ender
This podcast is powered by Black Kite, the only security rating service to deliver the highest quality intelligence to help organizations make better risk decisions.