Thank you, Dr. Bryson, for joining us today. I wonder if you could start by talking about the town of Gilbert and your role. I mean, as the CISO of Gilbert in Arizona, you're responsible for securing a fairly substantial enterprise. I wonder if you could tell us more about that and specifically how you spend your time.

Sure. Town of Gilbert, we're recognized as being a town, but in reality, we're more of a city. We have 281,000 citizens. We have the support, have a number of critical infrastructure services that we provide to our citizens. So that is a huge responsibility there. I am the first Chief Information Security Officer for the town of Gilbert, so have had to come in and start putting together a strategic perspective on how to secure systems, how to prepare ourselves for future changes that are going to impact us as far as the evolution of technology goes, and we're experiencing a dramatic evolution in technology. So it's been a bit of a challenge, but ultimately it's been fun. Day to day has been really looking at technology, making sure that we have the appropriate processes in place to take on new and evolving technology and make sure we do so with security in mind.

Let me ask you a question about strategy. I presume strategy, you start, Tony, with a mental picture, and then you begin to maybe document that with actual pictures or frameworks and things of that nature. What a lot of SecOps pros tell me is that that's really important, but the real hard part is operationalizing that framework. I wonder if you could add some color to that challenge.

Sure. As you said, really putting together a strategy is putting pen to paper and trying to understand where your organization is going, understanding what its business objectives are, and making sure that we have the technology in place that can support those particular business objectives.
Make sure that we have the appropriate mechanisms in place to secure those systems and help carry the organization forward towards those particular business objectives. Now, from the information security perspective, it's a little bit challenging because naturally we have to deal with the changes that are happening, not only within our business objectives from division to division, but also within the technology industry and what's happening there. Ultimately, we've got some unique challenges that we have to face there. We have to try and find the right human resources to bring in and help us take on those particular challenges, but we also have to find the right technology partners, find the right third parties that can come in and be true business partners to us, and help us meet those business objectives, help us meet our security objectives, and help us make sure that we can take on challenges of the changing technology landscape. We are dealing with a very difficult time right now with changes within that technology landscape.

One of our guests at this summit is a gentleman named Mark Sorenson who wrote a book. It's a fictional book, but it's very plausible. It's called A Restaurant in Jaffa, and it's about basically what you can do if technology gets in the wrong hands to critical infrastructure. My question is, is that critical infrastructure part of your scope? Maybe it transcends the town of Gilbert and bleeds into the state. What about the critical infrastructure within the town? Is that your scope? If so, how do you deal with securing that?

Critical infrastructure does fall into scope for us. Naturally, we do have requirements. We have to deal with both state and federal. It is a unique challenge for us, and we have to be very careful as we take on those particular challenges. We have to recognize that critical infrastructure is a service that every one of our constituents relies on.
Let me tell you, as someone who lives in a desert for us who provide water and wastewater services to our constituents, you want to have upset customers. You prevent water from going into their particular homes, and you prevent the wastewater, the excrement from being removed from those particular homes. So that responsibility of managing that critical infrastructure and securing that critical infrastructure is extremely important. It is a huge challenge because we're coming from a time when critical infrastructure was very much handled in one way. That was to go and create air gap solutions and put those, operate those systems in a box, a black box that nothing could get into, nothing could really get out of. Those systems were very easy to secure because they operated within that air gap environment. With today's technology and especially vendors that want to maximize their investments in their technology and leverage support contracts, Internet of Things technology is really starting to take off in that particular segment of the technology landscape that we have to support. And as a result, we have to now find ways to poke holes into that black box. We have to allow vendors access to those critical infrastructure resources. And we have to find ways to do that in the most secure way manner because those are assets that are targets for bad actors, not only within our borders, but also nation states. So we have to be very careful in protecting those particular resources.

It's just listening to you. It's sort of awe-inspiring when you think about the scope of what you do in the conversation about critical infrastructure. It's one thing when a company gets hacked and that's obviously a bad thing. But it's like, ah, their stock price dropped. And unfortunately, maybe some private information, personal information got exfiltrated.
But when you just listening to you describe the basic services that you provide in terms of securing a municipality, it really hit home to me with respect to how important it is, what you do. And when we talked previously, you shared with us that resilience was the top priority. And so thinking about the municipality-wide resilience, what does that actually mean to you as a CISO?

It's been a change in thinking. It used to be that every CISO out there would look at finding ways to put protective mechanisms in place, put more firewalls in place, put more sensors on the network to identify when things were happening. It's been a change in thinking. And resiliency has become, I think, the new way of securing your systems and your data. You have to provide an immutable data set you can fall back to and that you can rely upon. That if something should happen, and that's where we are today, we're no longer saying if we're now saying when this happens, we need to have our mission critical data available so we can restore our systems and get that data back into place so that we get those services back up and running for constituents as quickly as possible.

So you're saying it used to be, oh, we need a copy and now you need an immutable copy that you can restore from?

That's correct. You need to make sure that the data that you have can be restored. It is the best version of that data that you're going to be able to restore it quickly and get it in place accurately and in a timely manner because, frankly, the services that we provide to our constituents are extremely important to them.

Not to mention the recovery point objective and the recovery time objectives. I'm curious as to are they compressing because of the sort of emphasis on digital, particularly post-pandemic?

Very much so. All those particular metrics, everything is shrinking. People have very much become digital citizens and they're used to that immediate response they get from doing everything online and digitally.
So when we have some type of physical solution that experiences some type of disruption, the expectation is that we still have to get that recovered as quickly as possible so that our customers are getting the same type of response they do from all of those digital interactions that they have.

So sticking on the theme of kind of what's the same and what's new, we talked about a year and a half ago, Dell Technologies World, about how you think about protecting your infrastructure, your data, your application. So it's sort of a two-part question here. From a strategy or first principle standpoint, what hasn't changed in part two? Is there anything that's changed since we last talked at the spring of 2022?

What hasn't changed is our focus on trying to maintain a level of resiliency. What has changed is how we're approaching that. As an organization, we've been very focused on trying to move as many workloads as we can to the cloud. I find that you get much better security in the cloud than you would on-prem. You've got some major partners like Amazon Web Services, Microsoft, and Azure, that they can spend just ungodly amounts of money to secure their systems that we can't on-prem. So we've made a purposeful decision to try and move those major workloads to the cloud and get those off of the infrastructure that we have to support. I think we're better off trying to support the services to get to the internet and secure connections, more so than trying to build out data centers and host that stuff, secure that stuff within our own data center. So that's a significant change. When it comes to resiliency, we also decided that we want to move that from, again, within our data center, move that out to the cloud as well. So again, we have another layer of protection there that a bad actor would have to try and traverse to get to our data.

So the cloud is like a first line of defense. I think if you're not 100% cloud, so you still have a hybrid model.
Let me just clarify, is that correct?

That is correct. We're still hybrid, but we're getting there. We're 70% plus cloud engaged.

Okay. Now, given, as I say, first line of defense, but it's still a shared responsibility model, and I'm particularly interested in how you think about data protection and backup and recovery with respect to putting data in the cloud. A lot of people say, well, my data is in the cloud, so it's safe. And to your point, the infrastructure, what the cloud guys do is great. It's more consistent, and they've got a lot of engineers running around, but they're not necessarily protecting your processes. You've got to worry about your recovery, the data that's inside your SaaS application. So how do you think about data protection for the cloud?

Again, we try and focus in on how we did it on prem, and then go out and try and find appropriate cloud service providers that follow the same methodologies that we did on site. When we made the conscious decision to engage in a resiliency strategy, we went out and found business partners that could help us achieve that particular goal. Dell was the partner that we initially engaged with and put in play of the cyber recovery vault on premise, and it has proven to be an invaluable safety net for us, I guess is the way I'd put it. As we started looking at more cloud integrations and wanting to make sure that we could leverage the cloud even for something like cyber recovery, we went back to that same business partner and said, okay, what are you guys offering? Where are you going next that can help us achieve this particular challenge while maintaining the same data principles that we have on our own network and internally? How are you going to do that? And that's where their APEX service really stepped up for us. It gave us multiple options where we could either do on-prem, go to Colo, or even go full cloud.
And because we want to go full cloud and there's certain things that we still have to maintain on-prem, that's where APEX was a perfect fit for us. It allowed us to leverage that hybrid environment and achieve those business objectives of trying to secure that immutable data in the cloud.

Yeah, as I recall, you were looking at APEX a year and a half ago, but you hadn't yet implemented it. Is that correct? And it sounds like now you have or are beginning to?

We're beginning to. We are and we're just initiating the project to move our recovery vault from on-prem to the cloud. We've landed on the service that we're going to use with Dell and we're hoping to have that done within the next six to eight months.

And do you expect, Tony, that experience to be substantially similar or even identical between your on-premises and your cloud from a data protection standpoint?

We expect the experience to be similar for end users. We expect them to feel nothing. From the support perspective, there's going to be some very minor technical differences in how data is moved around, how data is copied. As you move to the cloud, there is a slight difference. You're not relying heavily on some of the copy practices that are used on-premise, removing data domain to data domain. When you go to the cloud, it's handled a little bit differently, maybe a little bit more old school in some ways, but it ultimately achieves the same end state, which is what we want. We want to have a safe immutable dataset that we can fall back to and rely upon should we run into that significant cyber event that we have to recover from. We can do both with the on-prem solution and also that on-cloud solution. The way they do it is just slightly different from on-prem to in the cloud.

But it's back to the first principle as you're working backward from that outcome. It's pretty clear. One of the themes of this summit is data protection as a fundamental component of a cyber security strategy.
And in thinking about the evolution of data protection from backup and recovery to data protection, data management, there seems to be a much tighter link now with cyber security strategies. And I wonder, do you think about data protection, backup, recovery as a separate process? Or is it increasingly or now something that shouldn't be tightly integrated into your cyber security infrastructure? And if it is tightly integrated, what are the challenges and prerequisites of doing that?

To me, it should be integrated. I've always felt that. We've always gone out and tried to find solutions where, even out to our endpoints, we would have some type of backup solution that if an endpoint got hit, say, with ransomware and took it out of production, how can we most quickly recover that solution and then quickly restore all of the data? Now, some of the cloud services that are out there, OneDrive, allows you to do that pretty seamlessly now. In the past, we leveraged other products. We had a contract with another service provider that allowed us to literally backup systems on the fly. And then if we did run into a ransomware event, no problem, we just burned the system down, rebuilt it, logged back into that particular system, and it would pull the data back down to that endpoint. So it allowed us to take on that particular challenge. The technology has always been there. It's just a matter of how you wanted to approach putting that technology into play. When it came to the enterprise systems, yeah, naturally, you have to look at solutions that are more robust, can handle much more data than when you normally just get from an endpoint. So there are some challenges, but again, it's the same principle just at scale.

Yeah, wow. I mean, you got ransomware, no problem. I think this is so helpful for organizations that aren't perhaps as mature and far along as you are, giving them hope that they don't have to sleep with one eye open. Thanks so much, Dr. Bryson, for spending some time with us.

You're very welcome.

And thank you for watching the Navigating the Road to Cyber Resiliency Summit. Stay tuned for more conversations about the intersection of data protection and cybersecurity right back.