Welcome to this CUBE conversation. I'm Lisa Martin. Jim Richberg joins me next, Public Sector CISO at Fortinet. Welcome to the program, great to see you.

Okay, good to be with you, Lisa.

Lots of stuff has happened in the last year. I mean, that's an epic understatement, right? But one of the things that, you know, we saw this massive shift to work from home. And now we're, I hope I can say coming out of the pandemic and we're starting to see this hybrid model of kind of work from anywhere. We also saw the massive spike in ransomware last year, ransomware now being sadly a household term. There's so much money in it. From a hybrid approach, what are some of the things that you're seeing?

So, you know, when we talk about hybrid, what we go back to is not going to be the office that we left. You know, some of us aren't going back at all. Some of us are going back in, we're not going to have an assigned desk. Some of the offices are going to be in different places. And the nature of the work that we've been doing has changed. So it definitely means the new normal isn't going to look like the old normal did before March of 2021. So I tell organizations that they really need to think about what that means in terms of how they structure work, how they structure their networks. Because as you said, Lisa, it's going to be work from anywhere. Some of us are going to go back out on the road. We'll be the road warriors again. So you're not going back to a classic network in an office with cat five cables, connecting everybody's desktop. You know, some of us are even going to get hired who never ever go to the office. So this is the situation where we really have to think through what this means in terms of how we work, the culture we have as a workplace. And unfortunately, it's not just the enterprise and the workforce that had been innovating. The threat actors have gone hybrid. There was a little pause while they started working from home, figured out what to do.
But the reality is they took us to lunch when they figured out exactly what these vulnerabilities in the small office, home office environment were and how to exploit them. Lisa, you talked about ransomware rising 700% in the latter half of last year. And this is actually indicative of what I think is the biggest problem we have in cybersecurity. It's not technology. If you're willing to do a rip and replace and put in state of the art technology, there's some really good solutions. Some of that technology, when it starts incorporating artificial intelligence and automation actually goes a long way to compensate for the workforce and skills gap we all hear about three million people short. That's a true number. But Lisa, the biggest problem in cybersecurity from my perspective, and I've been doing this for 35 years is metrics. We can't measure what's going on and say, if I do this, this is how it affects the network security and this is how it affects the adversary's behavior. And that's exactly what we saw in this pivot to remote telework. It took networking and security working hand in hand to make that pivot. Because absent those two as the centerpiece of their organization in March of last year when we all went into lockdown, we would have gone into shutdown if we hadn't had the ability to forward deploy that IT to the home environment. And we could measure our success on the IT side. Did we have enough bandwidth? Did we give them the right platforms? Did the latency mean things froze up or not? We couldn't measure cybersecurity as well. We said, okay, due diligence is, we'll give you a two factor authentication and we're gonna give you a secure connection back to the office. But then Lisa, we were basically treating it as if you were logged on from your cube or your office and the reality is you weren't. You were logged on from an environment that your organization had very little if any visibility or control into what was going on there.
And that's how we got exploited. And because we couldn't measure that it was only in hindsight that we could see exactly how insecure that was for many organizations. We cut corners. We had to do this to get up and running. That's not a good jumping off point for your status quo going into this hybrid environment of the future.

So it sounds like you said the ransomware and I spoke with Derek Manky, I think about last month or so, ransomware up 700%. I can only imagine what's happening this year. But one of the things I want to get your perspective on Jim is what's top of mind for both public sector and private sector folks as you're saying from a measurement perspective, there's a challenge there. There's this hybrid model that's amorphous, we'll say. What are some of the things that are top of mind for them? And then how are you helping advise them? Because as you say, the threat actors got to work pretty quickly. So there's a race here.

Yeah. Well, top of mind for both the sectors is ransomware. And the ironic thing is ransomware is not a new phenomenon. It's been with us for a long time. It used to affect you retail one computer at a time and it was 50 or 100 bucks. Did you encrypt your personal computer? What has changed is the rise of cryptocurrency. It's so easy to monetize the ability to cash out with the victim now. There was a time five to 10 years ago where there were basically three places that were essentially the clearing houses for this kind of stuff. So government could target those through law enforcement and that meant that you really had the equivalent of the pawnbroker you needed to watch out for who was the fence that people were going to. Now, come on, cryptocurrency is essentially a fiat currency in some countries. So it's gone everywhere. The fact that we have commoditized the ability to do it, you're familiar with ransomware as a service. You don't have to be a coder now. You rent the stuff.
Sometimes you pay as much as 80% of the profit to the person you're renting it from. You're basically the mule doing the grunt work. But we've made it so that you don't need to know anything about computer science to carry this kind of crime off. And frankly, we've got some safe havens, some geopolitical safe havens. It's much like spam was 10 years ago where there were a few countries where probably more traffic coming out as email was spam than legitimate traffic. And we've got some big nation states that are basically complicit in allowing this to occur, so safe havens. So this is why ransomware has become such a problem for everybody. And then of course you got supply chain. You look at SolarWinds. You look at Microsoft Exchange, Office 365 vulnerability. This again is a problem that's been with us for a long time. It's one that tends to be focused primarily on government customers because this is something where, yeah, you can do it as a criminal activity, but this really tends to be a game that nation states play against nation state targets. But something like SolarWinds was such an epiphany, was so serious that a lot of organizations said, oh my goodness, this attacked the root of trust. This fundamentally got into the system from the inside out. It scared people. And the reality is something like that infected far more people than were actively exploited. And I've talked to some people in both the public sector at the state level and in private sector who say, yes, my organization was compromised by this, but we weren't affected. So from my perspective, we were collateral damage. We were caught in the crossfire of a war between nation states. Do we want to spend our scarce cybersecurity resources trying to mitigate that kind of sophisticated threat? No, not when we know we've got ransomware, we've got these vulnerabilities in the work from anywhere environment. That's where I want to put my next dollars.
So it's been a healthy conversation with some of them as to what's most concerning to them and what they want to prioritize in mitigation.

So if we look at some of the executive orders, Jim would have counted down, you know, ransomware I said became a household word. I'm pretty sure my mom even knows the term ransomware, the Colonial Pipeline, the meatpacking, where we're starting to see, wow, this is not just as you said earlier in the beginning, isolated incidents or attacks. This is now affecting infrastructure, potentially public health and safety. Talk to me about some of the executive orders. What do you think they're going to do and where should agencies start if this race is going on? Like you said, they've got to be able to prioritize how they defend themselves.

So two things to keep in mind when you look at an executive order. An executive order is the chief executive telling the executive branch what to do. If you look at the last executive order that President Biden signed on the 12th of May, people became seized with the fact that, oh my goodness, it tells the private sector it has to give threat information. It has to give breach information to the federal government. It has to change what it does on supply chain. It says when the federal government is your customer, when you're selling them a service, you have to do this. But otherwise you don't do by an executive order something it doesn't have the force of law. It just is the way you tell the executive branch to behave. So use that executive order as a case in point. Very large, very complex executive order that touched a lot of these things, ransomware, supply chain issues. The problem is you put a whole lot of good ideas in one executive order. You put a whole lot of aggressive time frames. Some things had to be done in 30, 45 days, 60 days which is two weeks from now. It's crazy because one thing an executive order doesn't do is give you more money.
The only way a government agency can spend money on this is if it aligned with a program it already had or it has contingency funds, reserve funds to do it. So the problem is you take an executive order, you cram it full of good ideas and you have too many good ideas. So the reality is this executive order tells the government to do a lot of things at once. And it has to by law or not well, by the president's direction focus on all those at once. But if I could pick and choose Lisa, I would say start with the section that said focus on modernizing the cyber security of the federal government. There's goodness to come out of that. It says zero trust architecture. Federal government did a great idea of articulating what that was. Even years before we called it zero trust, federal government was segmenting its networks. It had need to know access. It was doing things. I come from the national security community. That was just the way we worked. We can call it anything fancy like zero trust. We didn't trust anybody. That's the way you work in the spy business. But zero trust architecture, accelerating the migration to the cloud, putting in multi-factor authentication and encryption of data at rest and in transit, deploying endpoint protection response. Those are things in the executive order that if agencies could focus on those and make progress on implementing those, thumbs up, you've appreciably increased security without even touching the harder things that unfortunately are going to distract people like supply chain and definitions of critical, what critical software is, and the cyber safety board. All good things, but the problem is if you try to do everything at once, the reality is you end up making progress on, appreciable progress on nothing.

Right, which is obviously, we don't have the time for that. I'm curious to get your point, because one of the biggest challenges with respect, well threat vectors with respect to cybersecurity is people.
We had, with this shift to home, we had people using corporate devices on home networks and random devices, and now we've got this, as we talked about earlier, this hybrid approach coming back, but how much can Zero Trust help agencies really educate or really help defend from the human error that is often the cause of getting ransomware through email or an attachment?

So, Lisa, that is exactly what, we're handicapped by the name, because Zero Trust sounds like I don't trust you, you're not trustworthy, rather than that trust should be based on the transaction. Like if you need to read data to a file, why am I giving you the ability to write to the file or even worse, delete the file? Just give you what you need to get the job done. And this is technology that is your safety net. It's not big brother. When you do real time monitoring as part of Dynamic Zero Trust, it looks at it and says, whoa, Lisa is doing something she doesn't normally do with this application. Did she make a mistake? Did she say reply all on this, which is sending inside data to outside people on the email list? Do we at least want to ask her, hey, Lisa, did you mean to do that? So if you can educate people to say, this is the organization looking out for you. It's looking over your shoulder as a friend. It's not here to be checking up on you. Language matters. And it's like we call things insider threat, recognizing that far more damage in an organization happens from people making mistakes. It's insider risk that we need to manage. I mean, an organization of any appreciable size has bad apples in it. That's just a law of nature. But when we call it, I'm dealing with the insider threat. I've been in government, I've been shot at in some of my dicey situations. I want to avoid being attacked. I want to avoid threats. If I'm an organization, I don't want to avoid my insiders. That's my workforce. That's my biggest asset. They bring risk by their behavior. I need to manage that.
But that's constructive. Don't make it adversarial by calling them, typecasting them all as threats. They're humans. They make mistakes. You can help them avoid some of those mistakes through technology. And zero trust gets to that.

Got it. And then last question for you, as you know, here we are July 1st, crazy, the half a year has gone already. What are some of the things that you're expecting that are going to happen the rest of the year? Like what can organizations, you talked about some of the things they can implement now. Some of it seems to be sort of like back to basics, but anything that you see on the horizon in the next six to nine months that organizations really need to be focused on.

So as they put together their posture for operating in the new normal, I said security and IT were successful in getting us where we got in the pivot to remote telework because they worked hand in hand. So find things like that that you can use to demonstrate to your organization that you really are in the middle of the mix. So as we make this pivot to software defined networking, because again, if we're going back to offices that are different places with different kinds of infrastructure, we don't want to pull cable. We don't want to do that. Software defined networking is a good way to do it. And there are different ways to do software defined networking, some of which are inherently secure. So pick that one and software defined networking. The users love the fact that it gives them better latency, better performance on the apps they care about. The front office likes the fact that they get flexibility for continuity of operations and they save money. This is the example of something that you can pick that allows you to say, I'm giving you greater performance and greater security. Cloud is the same way. People understand, I think at this point, how to operate in a cloud. The challenge comes in saying, I'm operating in multiple clouds.
I need to say, I don't really care. I don't really care where the data or the compute resources, I just need to connect a user, a device, data and resources regardless of location. And that's where taking this big approach to say, it's about convergence. It's about convergence of IT and security. And really it's about convergence of computing to say, I don't care if it's edge computing or cloud computing or work from home, it's all just computing and we've got to connect and we've got to enable that to be secure. That's the priority that if you take that mindset thinking about the problem going forward, I think will allow CIOs and CISOs to say, look, we're making a difference for the organization performance, cost and security.

Performance, cost and security. And also it sounds like a bit of a cultural changer which is always challenging but certainly that convergence as you mentioned, we've seen it be successful and it's something that sounds now more important than ever. Jim, thank you so much for joining me on the program today, sharing all of your insights, some of the things that you're seeing and what organizations can do to protect themselves from this big threat of ransomware that probably isn't going anywhere anytime soon.

I wouldn't expect it to but this has been a pleasure talking to you about it, Lisa. And we'll have to look back and see how accurate we are with this crystal ball.

Good idea. Jim, great to have you on the program. For Jim Richberg, I'm Lisa Martin. You're watching this CUBE Conversation.