 Mark Sorensen is an engineer by training, who over the decades ascended to become an executive, leading thousands of engineers and software developers while managing successful businesses within iconic companies. His recent book, A Restaurant in Jaffa, is a fictional cyber thriller with a plausible and frightening storyline of how the security of critical infrastructure can be compromised when technology gets in the hands of individuals who want to do serious harm. The book's timely narrative blends Silicon Valley inside baseball with a lemon tree-like perspective on Middle East tensions to highlight the real threats faced in today's world. Mark Sorensen joins us today in our Massachusetts studios. Mark, great to see you. Thanks so much for coming down here. Thanks, Dave. It's good to see you again. So congrats on the book. As you know, I haven't finished it yet, but I'm almost finished. And it's really quite amazing. What was your motivation to write this book? Well, I mean, it started with I've always been a big reader, but I've never been a writer at all. And when I retired from EMC slash Dell, I had on my bucket list, I was going to write a book. And of course, I jumped into it, not knowing when I was getting into. Five years later, this is what I ended up with. But when they say, what are you going to write about, they always say, write what you know. And what I know is the computer industry, technology. And so that became a framework for what I wanted to write about. I think we had a lot of engineers that worked for me way back in the day in Israel. So I had a familiarity with the Israeli Middle East technology world, as well as the political challenges that we're seeing play out over our TVs today. So that became a natural background. So even they say, write what you know. So there's a technology, computer industry. Add in exotic locations like Israel. Cyberterrorism obviously gives you something for conflict, which all books need. Add in an intelligent, attractive young man and intelligent, equally attractive woman, star mix, and this is what you do. It is a page turner. And it really is a sophisticated mix of how technology and geopolitics and intrigue and human emotion was very deep character development. So I'm amazed at how were you able to take all this on? Well, I'm an outliner, and I wrote a giant outline that began with, here's what happens in the middle, here's what's happening in the beginning, here's at the end. And then I tried to divide it up. And then I just sat down and wrote. I mean, the very first chapter, our hero is standing in the middle of a trade show in Las Vegas. Now, I've stood in that same hallway in Las Vegas. It was Black Hat, right? No, yes, at the Black Hat convention. So again, writing what you know in Restaurant Jaffa is certainly, there was a Restaurant Jaffa that one of the first times I ever visited Israel, myself and my head of HR were down there. And I was just obviously very moved and impressed by this interesting location and the history that revolved around it. And so there off I went. And of course, I spent a lot of time trying to learn how to write, whether it was in classes or books and online classes. In terms of the plot, I tried to make sure that I could entertain someone like you, who's a deep technical knowledge, broad knowledge of the industry, as well as the 75-year-old book club people that I spoke to a couple of weeks ago. And these are elderly women, but older women are getting a collection of a dozen of them and they're not technically sophisticated. So I need to make sure, how does this work, where you can read it and enjoy it and they're not talking down to you? And others who can read it, it's like, I have no idea what they're talking. So there's a little bit of a balance there. Well, it's so much of it resonated with me. I mean, you mixed in Stuxnet. You had a very brief description of Stuxnet. You could have written a whole book on that. You talked about assembly language, again, resonated with me. I remember doing no op commands, telling the system to wait until it read a key so I could write the Pac-Man program. You had C-language syntax in there. And again, very timely things like supply chain hacks that we hear about today. But as you say, you worked in murder and torture, political intrigue, and one can actually imagining all this happening in real life, can't they? Well, I mean, I tried to use, if I was a criminal, these were terrorists, these were common soft points in anybody's, whether it's the government's, private industries or what have you, the soft points in their security paradigm that they have. Listen, you guys are doing a whole event and seminar on cyber resiliency here. It's clear that most people, most governments, most schools, private industries, they're not resilient yet, okay? Yet. And so these are all hacks that occurred, easily doable, frankly. And we've seen that some of them come true since the publication of this book. And I won't go into all of those things, but these are nothing, some rocket science. These are pretty obvious shortcomings that we currently have in the IT security infrastructure and the things that you guys are trying to speak to your audience about. So how do you think governments and organizations should think about today's threat landscape and what should be done to sort of fill the gaps that isn't happening in your view? Well, certainly cyber security has to be top of mind for all IT professionals. And this has evolved, right? At one point in time, we were more worried about disk head crashes. Remember those, right? The disk head crashes. So our resiliency there is that we had a backup somewhere that we could take, whether it was a big physical disc or mag tape back in the day and restore it and be back in there, right? So that resiliency changes in terms of your business, right? Back when I used to run engineering back in digital, right? We said to ourselves, we could probably live with losing a day's worth of work and we'd take a backup and each day we'd take that. And sometimes we'd take backups when we give them to Iron Mountain, they isolated it somewhere off site. So just in case we had a five- So that was your RPO, right? That was our RPO back then, right? And so that all people threw it back up and data protection techniques have done a pretty good job of that, of course. The new paradigm is around cybersecurity and threats from beyond, but those two technologies are very much adjacent to each other and those technologies actually play together. While you can looking to prevent something from attacking you and damaging your business, your data, your people, right? You should probably always assume that it might happen someday. It probably will. So if it does, what's your plan? Okay, what is your plan? And so this is where I think a lot of folks are just beginning to realize that, we can only put up the wall so high and so deep, but we should be prepared that someone's gonna break in. And once they break in and they damage or steal, otherwise impair the ground jewels of my business, what am I gonna do about this, right? Do my data protection schemes and the data that I have backed up, am I gonna minimize any loss of information? Can I get back up quickly? What if I'm a hospital in healthcare records, right? What if those are modified? They have to be immutable, right? We need to make sure that all of those pieces are put together so you're being both offensive, knowing that you've gotta try to, you know, prevent these folks from getting in, but assuming that someday they might, what are you gonna do? So hope for best, plan for the worst. So security is such a complicated manner. I wonder if you have a point of view on this. I think a lot of customers that we talk to struggle with the following. They want best-of-breed technologies and there's so much new innovation coming out and so they'll install the latest and greatest tool and as a result, you get this tools creep. You know, at the same time, they're trying to consolidate and simplify their environment. So how should organizations think about, and CISOs and SECO approach, think about balancing that need for the best-of-breed with the greater simplification? Right, and so today, most companies, if you ask them that their CIOs and CTOs would tell you that their overarching security strategy is rather fragmented, right? And this is because of the chase for the best-of-breed individual silo of technology, right? But they don't talk to each other, or at least they haven't done. And that's certainly a lot of IT professionals are trying to figure out, how can I get an umbrella across this that keeps all of these technologies and doing a great job, right? I mean, this is very difficult stuff, right? And sometimes you just can't get it from a single vendor. How can I get an umbrella around here that creates policies around this that has unified authentication and credentialing technologies? And how do, again, as we just talked to, if and when things go south and I have to rebuild my infrastructure, rebuild my business, right? How can I do that? It can all of these disparate pieces who don't quite talk together yet fit together. And so you can help by that, by saying, hey, I'm not even gonna deal with these things. I'm gonna put everything in the cloud, okay? I'm gonna let my cloud provide and provide most of that. So that's one way, in a very viable way to do that. But there's always gonna be a component on desk, on your things that you still have to worry about. And so you'll see more and more people creating, I hate to call it a framework, because that's such an overused word, but a security umbrella that can bring these pieces together and give you a more unified approach to security. Well, and I think it's true. We do talk about frameworks a lot in these conversations. I think the hard part for people is, how do they actually operationalize that framework? Framework, you know, it's nice and you get the PowerPoints and the documentation, but then how do you put it into your operations? And one of the things, Mark, that we've been talking about throughout this whole series is the relationship between data protection and cybersecurity. You mentioned mag tape, right? And so it used to be this sort of separate thing. And increasingly they have become, well, lately they've become an adjacency and they're actually mashing together in a big way. Do you have a point of view on that? Well, I think you're absolutely right, that these are adjacent technologies that need to work well together, that have to work well together. But historically have been grown up as individual pieces, right? And everybody had their different flavor backup or data replication, things of that nature. So these things have to come together and they have to work together because they have to understand if there is a breach somewhere, how I have to begin to depend upon my data protection environment, how do I get that environment? Assuming that you have what you need, right? Assuming you've only allowed, depending on your business, I might be okay with losing an hour of transaction. I may not be able to lose a single transaction, but assuming that your data protection allows for that, how do I get up back and up and running very, very quickly, okay? And so that's been a struggle that when everybody has put all of the pieces together, right, and it's all sitting there and how do I recover that, right? How do I get it from A to B and everything from very sophisticated incompatibilities to Joe forgot a password, right? To bring it off together. And so this is that, how those adjacencies work together is how do I make sure that these are working together? I can bring them back together as quickly as possible. Yeah, so the whole conversation you often have with customers, well, how much data do you want to lose? Well, I don't want to lose any data. Well, how big's your budget? Right, there you go. It's always a trade-off, right? It's very much a trade-off. And obviously speaking with banks, right? They can't lose a single transaction, right? They just cannot lose it. Healthcare provider may, it's okay if it takes two days for me to get your CAT scan results to you, but boy, they better be the right ones. They build, boy, I shouldn't have a missing black piece in there. So the different needs and you have to assess your business and then you have to go out there and look for what's the partner, the vendor partner that has the most pieces and also has a thoughtful framework on how these pieces together and they're thinking a little further out, not like, how do I get this backup software to talk to this replication software? It's really someone who's putting a higher piece of the puzzle together. And you get things like AI, which brings in privacy, so you want a partner that actually understands those things, at least has a point of view, perhaps some technology or an ecosystem that can deal with it. I want to come back to, you know, Stuxnet really resonated with me because when it happened, it was like a seminal moment in cybersecurity. And when the word got out, it was like, you know, the bad guys like, wow, that we can really change the game here. And I remember when I was reading about it and studying about Stuxnet, I was struck by, you know, one of the commentators that was inside the whole scene said, air gaps, no big deal. Because of thumb drives, you talked about that in your book. We can get through air gaps, no problem. And so when you think about things like air gaps and immutability, it's part of the strategy, but not the whole strategy. It changes the thinking around business resilience. We see it today in Israel, where you have a number of engineers that are now being called up by the IDF to go fight in a war. And they've presumably built in resilience because they're used to being reserves in the army. And so they've got, you know, colleagues that are picking up for them. But that, it just changes the way we think about business resilience, doesn't it? It really is. I mean, it's just, if there's a listen. You know, Willie Sutton said, I rob banks because that's where the money is. Today the money's all online and IT. And so that's where people are gonna go. And then obviously we have this situation in the Middle East today is that people not financial motivations, but political motivations that we'll be leveraging technology. And of course we don't know what role technology played in this current situation over there, but I'm sure over time we'll find out, right? I'm sure there'll be deep investigations on what happened, what went right, what went wrong and we'll see where that lands. I mean, incredibly impressive piece of work. Again, restaurant in Jaffa. I would highly recommend it. You, this is your first book. You never wrote a book before. You said it was on your bucket list. You shared a presentation that you gave recently with your background. And you took learning to write courses or maybe you were suggesting them to folks who wanted to do this. And then you also researched technology even though you knew technology, but you also brought in religion, which was pretty amazing. You gave all these reference materials. You talked about your outline that you started with and how you told the story. And then the writing process, you said three to four hours in the morning, four days a week, half to one page a day. And each day you would read what you wrote yesterday. And rewrite it. And rewrite it. So this is months off and on in between drafts when you say life intervened here, but it was like really a five year labor of love. Wasn't it? It was. And then I did take a lot of time off in between drafts. And I did 12 drafts of this. But you gotta be committed. And I was a couple of years into it and I was like, wow, am I ever gonna finish this? What am I doing? And of course my wife speaks to everybody. Hey, yeah, Mark's writing a book. And of course- It's almost done. A year later I say, hey, how's the book coming? And I'm like, so one day I said, I gotta finish the thing. And I was able to do that. And at some point, you can tweak it forever. At some point you say, okay, it's done. And it's been good. And listen, these days, because of the changes in the world in publishing, anybody can write a book. You can write a book, you can publish it, you can get it out there. Amazon can distribute it to worldwide. It's all pretty good. And it's just a contact in between those pages gets a little difficult to write. But again, very impressive, especially for a first time out. Would you do it again? I'm thinking about it. I do have an idea. It has nothing to do really with, I'm not even gonna say. It's very different than that. And I do have an idea. I'm noodling it around. At some point in time I'll say, okay, I'm gonna sit down and write it. But it's not gonna take me five years. It might take me two or three. And that's a big commitment. And by, you know, what else I have to do? So we'll go there. We'll think about something like that. But this was a pleasure to do and has been received by pretty well. And it's, I guess it's rather ironic that some of the things in there are happening in the world around us today. Well, it's being very well received. You check out the reviews on Amazon. I read mostly nonfiction, but what I loved about this is it was authentic. Yes, it's fictional, but there was so much in here that was real. So 98% of what is in that book is either real, possible, or actually has been done. Very small amount of speculation and thing. And just people just don't know about it. Listen, a lot's going on in the world of cybersecurity that we don't know about because nobody wants to talk about it when they're damaged there, right? So now, to folks like you guys, the world is becoming aware of cybersecurity, what the ramifications are not, of not paying attention to it is, and you can see some of the results. Well, we talk about AI. This is 2023 has definitely been the year of AI. Cybersecurity is still the number one most important priority for IT professionals, CIOs. CIOs, it's a boardroom issue. It's a middle-out issue. Everybody, it's a whole house factor. I've seen a change in the last few years. I mean, a decade ago, everybody talked about security. Everybody wanted security. Nobody wanted to pay for it. It's just like, it's not my budget, I'm gonna pay for it. Now, when they see what's happening out there with their competitors, with their partners, with local governments, school boards, things of that nature, now it's moving on priority. Now they're spending money on it. And I think you're seeing the vendors respond with more thoughtful, broad-ranging cybersecurity and resilience technologies. And governments getting involved, you're seeing executive orders, but you're also seeing better collaboration with vendors. I mean, there was a day when people would try to keep their proprietary information. There's still some of that going on, but we're seeing data sets being shared, certainly within the technology community and within governments as well. Mark, thanks so much. My pleasure, David. It was a pleasure to see you. Really great to see you too. Okay, and thank you so much for taking some time and watching, navigating the road to cyber resiliency, the summit. Stay tuned for more conversations about the intersection of data protection and cyber. Right back.