From around the globe, it's theCUBE with digital coverage of AWS re:Invent 2020. Special coverage sponsored by AWS Worldwide Public Sector.

Welcome to theCUBE's coverage of AWS 2020. This is specialized programming for the Worldwide Public Sector. I'm Lisa Martin and I'm joined by Mick Baccio, the security advisor at Splunk. Mick, welcome to theCUBE virtual.

Oh, thank you for having me. It's great to be here.

So you have a really interesting background that I wanted to share with our audience. You were the first CISO in the history of US presidential campaigns with Mayor Pete. You were also the branch chief of Threat Intelligence at the executive office of the president. Tell us a little bit about your background. It's so interesting.

Yeah, those. And I'm a Goon at DEF CON and I teach lockpicking for funsies. Working for Mayor Pete as a CISO of the campaign was a really, really unique opportunity and I'm glad I did it. I'm hoping that, you know, on both sides of the aisle, no matter what your political preference, people realize that security and campaigns kind of need to be married together. That was an incredible experience and work with Mayor Pete and I learned so much about how campaigns work and just the overall political process. And then previous to that, being at the White House and Threat Intelligence for all branch chief there, working over the last election, the 2016 election, I think I learned probably more than any one person wants to about elections over that time. So, you know, I'm just a security nerd that kind of fell into those things and here I am and really, really, really just fortunate to have had those experiences.

Your phone and your email must have been blowing up the last couple of weeks in the wake of the US presidential election where the word fraud is brought up many times every day. But election security, when I saw that you were the first CISO for Pete Buttigieg, that was so recent.
I thought really, why are they just now getting folks like yourself and you are a self-described cyber security nerd? Why are they just recently starting to catch onto this?

I think it's like security on a campaign and security anywhere else. And credit to the Buttigieg campaign, there is no federal or mandate or anything like that that says your campaign has to have a security person at the head of it or any standards to implement those securities. So, you know, the Buttigieg campaign kind of leaned into it. We want to be secure. We saw everything that happened in 2016. We don't want that to be us. And I think more campaigns are getting to that point. Definitely, you saw recently a Trump campaign, Biden's campaign, they all had a lot of security folks in and I think it's the normal now. People realize how important the security is to not only a political campaign, but I guess the political process overall.

Absolutely. We've seen the rise of cyber attacks and threats and threat vectors this year alone, ransomware occurring every one attack, every 11 seconds or so I was reading recently. So give me an overview of what the biggest threats are right now. To elections and I think the election process in general.

You know, like I said, I'm just a security nerd. I've just got a weird background and done some really unique things. So I always attack the problems like I'm a security nerd and it comes down to, you know, that triumvirate the people process and technology. People need, had to have faith in the process, faith in the technology, need to have a clear source to get their information from. The process to me, I think this year, more than previous elections highlighted the lack of a federal uniform standard for federal elections. State to state, we have different standards and that kind of leads to confusion with people because, hey, my friend in Washington did it this way, but I'm in Texas and we do it this way.
And I think that standard would help a lot in the faith in the system. And then the last part of that, the technology, you know, voting machines, campaigns, like I mentioned about campaigns, there's nothing that says a campaign has to have a security person or a security program. And I think those are the kind of standards for, you know, just voting machines that needs to be a standard across the board that's uniform so people will have more faith because it's not different from state to state and it's a uniform process.

I think our whole country could have benefited from more uniform processes in 2020. But one of the things that, like I did my first mail-in ballot this year, always loved going and having that in-person voting experience and putting on my sticker. And this year I thought, in California, we got all of our, but there was this massive rise in mail-in ballots. I mean, think about that insecurity in terms of, you know, getting the public's confidence. What are some of the things that you saw that you think needs to be uniform going forward?

Again, I think it goes back to when you look at, you know, you voted by mail, you voted absentee and your ballot was due by this date. You know, where I live voting absentee, it's due by this date or needs to be received by this date. And I think this year really highlighted the differences between the states and I'm hoping that election security and again, everyone's done a super fantastic job. CISA has done incredible this year. All their efforts were working with election officials, secretaries of states on both sides of the aisle. It's an incredible work and I hope it continues. I think the big problem with election security is, you know, the election's over. So we don't care again until 2022 or 2024. And I think putting something like a federalized standard whether it be technology or process, putting that in place now so that we're not talking about this in two or four years, I'm hoping that momentum continues.
What would your recommendation be from building security programs to culture and awareness? How would you advise that they start?

So one of the things that when I was on the Buttigieg campaign, you know, like I said, we was the first person to do security for a campaign and a lot of the staffers didn't quite have the background or professional background to work with a security person or know, you know, why, what I was doing there. So my hallmark was, you know, I'm trying to build a culture heavy on the cult. You got to get people to buy in. I think this year when you look at what Krebs and CISA and where the team over there have done is really find a way to tell a security story in every facet of the election, whether it be the machines themselves, the transporting the votes, accounting the votes, how that information gets out to people. Websites, they started like rumor control which were amazing, amazing efforts. The public-private partnerships that were there, I had a chance to work with MJ and Tanya from AWS, some election projects. I think everyone has skin in the game. Everyone wants to make it better and I hope that momentum continues. But I think, you know, embracing that there needs to be a centralized, uniform place for every state. And I think that will get rid of a lot of confusion.

When you talk about culture and you mentioned specifically cult, do you think that people and agencies and politicians are ready to embrace the culture? Is there enough data to support that this is really serious? We need to embrace this. We need to buy in, as you said.

I hope, right? I don't know what it could take. I'm hoping so. After seeing everything, you know, being at the White House from that aperture in 2016, seeing all of that, I would, you know, think right away, oh my gosh, 2018 the midterm, if we're gonna be on the ball, that really didn't happen like we thought it would. 2020, we saw a different kind of technical or I guess not as technical security problem.
And I think I'm kind of shifting from that to the future. People realize, and I think both sides of the aisle are working towards security programs and security posture. I think there's a lot of people that have bought into the idea, but I think it kind of starts from the top. And I'm hoping it becomes a standard. So there's not really an option. You will do this just for the security and safety of the campaigns and the electoral process. But I do see a lot more people leaning into it and a lot more resources available for those people that are.

Talk to me about kind of the status of awareness, of security needing to combat these issues, be able to remediate them, be able to defend against them. Where are folks in that awareness cycle?

I think it ebbs and flows like any other process, any other incident or event that happens. And from my experience in the infosec world, normally there's a compromise, there's an incident, a bunch of money gets thrown at it and then we forget about it a year or two later. I think that culture, that awareness comes in when you have folks that would sustain that effort. And again, on the campaign, even at the White House, we try to make everyone a part of security. Security isn't all the time thing that everyone has a stake in. I can lock down your email at work, I can make sure this system is super, super secure, but it's your personal threat model, your personal email account, your personal social media, putting more security on those and being aware of those. I think that awareness is growing and I see more folks in the security community just kind of preaching that awareness more and more and it's something I'm really, really excited about.

Yeah, the biggest thing I always think when we talk about security is people.
We're the biggest threat vector and what happened eight, nine months ago when so many businesses in any public sector and private went from on-site, almost maybe 100% on-site to 100% remote, people suddenly going, I've got to get connected through my home network, maybe on my own personal device and didn't really have the time of so many distractions to recognize a phishing email just could come in and propagate. So it's that the people challenge, it always seems to me like that might be the biggest challenge besides the technology and the processes. What do you think?

I, again, it goes back, I think it's all part of it. I think people, I've looked at it slightly, a friend of mine made a really good point once. He was like, hey, people are going to click on the link in the email. It's just, I think 30% of people do, it's just the nature of people. After 20 some odd years in InfoSec, 20 some odd years in security, I think we should have maybe done a better job of making that link safer to click on, to click on, to make it not malicious. But again, it goes back to being aware, being vigilant. And to your point, since earlier this year, we've seen attacks increase exponentially, specifically on remote desktop protocols from COVID related themes and scams and ransomware targeting healthcare systems. I think it's just the world's getting smaller and we're getting more connected digitally. That vigilance is something you kind of have to build in your threat model and build into the ecosystem when we're doing everything. It's just something, you know, I equate a lot to, you've got junk email, you're opening your email box, you got some junk mail on there, you just throw it out. Your email inbox is no different and just kind of being aware of that a little more than we are now might go a long way. But again, I think security folks, we need to do a better job of kind of making these things safer because malicious actors aren't going away.
No, they're definitely not going away that we're seeing the threat surfaces expanding. I think it was Facebook and TikTok and Instagram that were hacked in September. And I think it was an unsecured cloud database that was the vehicle. But talking about communication, this is we talk about culture and awareness, communication from the top down to every level is imperative. How do we embrace that and actually make it as standard as possible?

In my experience, you know, from an analyst to a CISO, being able to communicate and communicate effectively, it's going to save your butt, right? It's, if you're a security person, you're that cyber guy in the back end, something just got hacked or something just got compromised. I need to be able to communicate that effectively to my leadership who was going to be non-technical people. And then that leadership has to communicate it out to all the folks that need to hear it. I do think this year, just going back to elections, you saw a lot of rapid communication, whether it was from DHS, whether it was from, you know, public partners, whether it was from the team over Facebook or Twitter, you know, it was a lot of activity that they detected and put out as soon as they found it. You know, it was communicated clearly and I thought the messaging was done beautifully when you look at all the work that, you know, Microsoft did or the blog posts that came out, that information is put out as widely as possible. And I think it just goes back to making sure that the people have access to it whenever they need it and they know where to get it from. I think a lot of times you have a compromise and that information is slow to get out and, you know, that delay just creates a confusion. So it clearly, concisely and it find a place for people can get it.

Absolutely. And how do you see some of these challenges spilling over into your role as the security advisor for Splunk?
What are some of the things that you're talking with customers about right now that are really pressing issues?

I think my role at Splunk, it's super, super weird because I started earlier in the year, I actually started in February of this year and a month later, like, hey, I'm hanging out at home. But I do get a chance to talk to a lot of organizations about their security posture, about what they're doing and about what they're seeing. And, you know, everything, everybody has their own, everybody has a special snowflake, some are more special than others, credit to Billy. But people are kind of seeing the same thing. You know, everybody's at home, you're seeing an increase in the attack surface through remote desktop. You're seeing a lot more phishing. You're seeing at least a lot, people just on their computer all the time. Zoom, WebEx, I've got like, I don't know, a dozen different chat clients on my computer to talk to people. And you're seeing a lot of exploits kind of coming through that. Because of that, people are more vigilant, people are adopting new technologies and new processes and kind of finding a way to move into a new working model. I see zero trust architecture becoming a big thing because we're all at home, we're not going to go anywhere and we're online more than we're not. I think my circadian rhythm went out the window back in July. So all I do is sit on that computer more often than not. And that constant authentication, just to, you know, make sure those assets are secure that we're accessing from our work resources. I think that gets worse and worse. Or it doesn't not worse rather, but that doesn't go away no matter what your model is.

Right. And I agree with you on that circadian rhythm challenge. Last question for you. As we look at, one thing we know, this uncertainty that we're living in is going to continue for some time. And there's going to be some elements of this that are going to be permanent.
We hear execs and many industries saying that maybe we're going to keep 30 to 50% of our folks remote forever. And tech companies that are saying, okay, maybe 50% come back in July, 2021. As we look at moving into what we all hope will be a glorious 2021, how can businesses prepare now knowing some amount of this is going to remain permanent?

It's a really interesting question. And I'll be on, I think I know the team here at Splunk, it's constantly discussions that they're having are constantly re-evaluating, constantly changing, you know, friends in the industry. It's, I think businesses and those executives have to be ready to embrace change as it changes. The same thing that the plans we would have made in July are different than the plans we would have made in November and so on. And I think just having a rough outline of how we want to go. The most important thing, I think is being realistic with yourself and what you need to be effective as an organization. I think, you know, if 50% folks going back to the office works in your model, it doesn't, but we might not be able to do that. And I think that constant ability to adjust a lot of companies kind of has thrown into the fire. I know my background is mostly public sector and the federal space has done a tremendous shift. Like I never, well, rarely got to work remotely in my federal career because I did secret squirrel stuff, but like now the federal space is just leaning into it. Just they don't have an option. And I think once you have that, I don't think you put Pandora back in that box. I think it's just we work remote now. And that's just a new, it's just a way of working.

Yep. And then that couldn't be more important to embrace change and change over and over again. Mick, it's been great chatting with you. I'd love to get digging into some of that secret squirrel stuff. I know you probably have to show me. So we won't go into that, but it's been great having you on theCUBE.
Thank you for sharing your thoughts on election security, people, processes, technology, communication. We appreciate it.

All right. Thanks so much for having me again.

My pleasure. I'm Lisa Martin. You're watching theCUBE virtual.