Aug. 25, 2023

Ep.148 Cybersecurity Defenders Unite: The Do's and Don'ts of Protecting Real People in Real Time

The Public Sector Show by TechTables

Show Notes

🔗 Connect with Dr. Chris Mitchell: https://www.linkedin.com/in/christopher-p-m-b4130b168/

🔗 Connect with Ryan Murray: https://www.linkedin.com/in/ryan-murray-az/

🔗 Connect with Jeremy Deckert: https://www.linkedin.com/in/jeremydeckert/

🎙 About the episode

"You have to start with a risk assessment and oh, we're not defending against ghosts, right?" - Dr. Chris Mitchell

"We don't necessarily need all of this fancy machine learning stuff. It helps us respond to machine-based threats at machine-based time. But when you're not patching those Windows XP machines that still live on your network, when you're not teaching your users and your people about what the threats are that exist out there and how not to click on a phishing email and how to report these things to someone that can do something with them… All that fancy machine learning goes out the window, right? It just doesn't really help." - Ryan Murray

In this episode, we dive into themes such as leveraging technology to address skill shortages, effective collaboration, intelligence-driven cybersecurity, the importance of investing in cybersecurity, and more, including:

  • Leveraging AI and ML to Address Cyber Skill Shortages
  • Effective Collaboration for Strong Cybersecurity
  • Cybersecurity Intelligence and Threat Analysis
  • Human-Centric Approach to Cybersecurity
  • Importance of Collaboration and Support between the Bigs and the Littles: From State to City to Community
  • Diverse Paths to Enter the Cybersecurity Field: Fostering Creativity and Adaptive Thinking in Cybersecurity
  • Addressing Misunderstandings and Imposter Syndrome in Cybersecurity

🎙 Q&A Highlights

22:30 - Lisa Kent, CIO, City of Houston

23:25 - Summer Xiao, Deputy CIO, City of Houston

29:13 - Brady Haarmeyer, Nagarro

31:08 - Todd Lovvorn, Qualtrics

⭐️ Leave a Review

If you enjoy listening to the podcast, please leave a 5-star review on Apple Podcasts and let us know in your review who you want to see next on the podcast. Thanks!

You can also Tweet us on @thejoetoste and tell us what lessons you learned from the episode so we can thank you personally for tuning in 🙏

🔗 Connect with TechTables

LinkedIn TechTables https://www.linkedin.com/company/techtables/

LinkedIn - Connect with Joe! https://www.linkedin.com/in/jtoste/

Twitter https://twitter.com/thejoetoste

Follow us on Instagram! https://www.instagram.com/techtablespodcast/

Website https://www.techtables.com/

Transcript

Joe Toste [00:00:00]:
Hey, what's up, everybody? This is Joe Toste from TechTables.com and you're listening to The Public Sector Show by TechTables. This podcast features human-centric stories from public sector CIOs, CISOs and technology leaders across federal, state, city, county and higher education. You'll gain valuable insights into current issues and challenges faced by top leaders through interviews, speaking engagements, live podcast tour events. We offer you a behind the mic look at the opportunities top leaders are seeing today. And to make sure you never miss an episode, head over to Spotify and Apple Podcasts. Hit that follow button and leave a quick rating. Just tap the number of stars that you think this show deserves. Today we have Dr.

Joe Toste [00:00:35]:
Chris Mitchell, CISO for the city of Houston, Ryan Murray, interim state CISO for the state of Arizona, and Jeremy Deckert, VP of sales for US South at SentinelOne. Chris, Ryan and Jeremy, welcome to The Public Sector Show by TechTables. Thank you.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:00:48]:
Yeah, thanks for having us.

Dr. Chris Mitchell, CISO, City of Houston [00:00:49]:
For having us, Chris.

Joe Toste [00:00:51]:
Since we're in Houston, let's start with you. For those who don't know you, let's kick off with your background in the United States Navy as an operations specialist, surface and aviation warfare. Your current work with the city of Houston, and your PhD research focusing on leveraging AI and ML to mitigate cyber skill shortages and more. Love to hear the background on that. Now a quick word from one of our brand partners. Nagarro is a leading provider of digital government services, partnering with state, local and federal clients on some of their most strategic technology projects. Nagarro offers expertise in digital services, legacy modernization, case management, data and AI service desks, cybersecurity and more. Check out Nagarro.com.

Joe Toste [00:01:31]:
That's Nagarro.com.

Dr. Chris Mitchell, CISO, City of Houston [00:01:34]:
So, as you stated, Go Navy. Spent just under ten years active duty. I know I have some Navy folks in here. As an operations specialist, primarily working on the Aegis platform. And from a war fighting capability, Aegis is the most sophisticated platform that exists within the Navy. And then to transition. My role as CISO for the city of Houston is to provide cyber defense and protection for 23 departments, ensure that the city can carry out its mission and objectives.

Dr. Chris Mitchell, CISO, City of Houston [00:02:07]:
And then from a research perspective, there's been quite a bit of discussion around skill shortages, right. And vendors are coming out of the woodwork touting products that will solve all of our problems.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:02:23]:
Right.

Dr. Chris Mitchell, CISO, City of Houston [00:02:24]:
But how thoroughly are we testing the claims? So what I decided to do one. I'm focusing on building my own from a departmental perspective, right. So I fresh out who are hungry, ambitious and smart. The focus is to build them because I can't compete. We can't compete with the private sector salary wise. But what we can offer, especially within cyber, is to give them an experience that they can't get any other place. So, for example, them going to a big firm, for example, JP Morgan, as a tier one SOC analyst, is triage all day. That's not the experience here.

Dr. Chris Mitchell, CISO, City of Houston [00:03:04]:
So I will allow them to go as far as their aptitude can take them. So you're not boxed in, you're not siloed in. So going back to the research question, because realistically, that's the way the city of Houston has been able to survive, right? We have some of our systems whereby we process upwards of 20,000 events every second. The city of Houston is the only city in the country that can make the claim that all 16 sectors of critical infrastructure are represented here. So there's lots of interest. We've got the largest medical center in the world. We have NASA Johnson Space Center. We have one of the largest ports, busiest ports in the world.

Dr. Chris Mitchell, CISO, City of Houston [00:03:40]:
So there's lots of interest. So what I wanted to do was to focus on dwell time and dwell time as all of us. The amount of time an attacker has been present in your environment before detection. So depending on your source, that ranges from 21 days to 205 days. Six years ago, some were saying 400 days. It depends, right. But when you look at the trajectory, the numbers have decreased. So folks are getting excited we're doing better.

Dr. Chris Mitchell, CISO, City of Houston [00:04:08]:
I'm not necessarily in agreement with that because what's happened in the same span of time is the threat vector has changed, ransomware is dominating. It won't take you 21 days, 205 days, 400 plus days to figure that out. So it skewed the data. Right. So there's still lots of work to do. So I took a couple of use cases and I wanted to test dwell time from a detection perspective all the way through full containment and eradication. And the first measurement, the detection was made definitively in just under 9 hours, meaning all of the enrichment had taken place. We pulled in all the ancillary intelligence to make sure we knew, okay, this is certainly a thing.

Dr. Chris Mitchell, CISO, City of Houston [00:04:52]:
And you look at containment and eradication, took us about 13 hours to eradicate the entire incident, scope it, it was contained, et cetera. So that was enough to give me data now to really substantiate some of the claims, at least for these use cases, those things are legitimate. And already I had set a fundamental goal to automate at a minimum, 50% of our responses to common threat events, such that my analysts, which are few in number, could focus on bigger things.

Joe Toste [00:05:23]:
Thank you for that introduction. That was fantastic. Ryan, is it okay if I skip the introduction for you, since the man.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:05:29]:
Who needs no introduction.

Jeremy Deckert, SVP, SentinelOne [00:05:30]:
Yeah.

Joe Toste [00:05:31]:
The man, the myth, and the legend. Jeremy, could you just give us a quick intro on yourself, and then we'll jump into it?

Jeremy Deckert, SVP, SentinelOne [00:05:36]:
I just heard that, and I don't.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:05:37]:
Know if I want to give.

Jeremy Deckert, SVP, SentinelOne [00:05:39]:
No, actually, long story short is I fell into security by accident. I worked for a company, large database company, got brought into an eight legged sales call, and this was about 15 years ago, and I got the opportunity to actually, I was exposed to security people. And I thought to myself, I looked across the table and across the table, everybody was saying, help me understand why can't we do it this way? And I was sitting with the folks that had been doing database analysis for 20 years, and their answers were, because that's how we do it. And so I looked at it over about a four month period. I became really good friends with the security folks. And then one day, the gentleman asked me, hey, are you looking for a job? And I thought to myself, I've made it. I'm going to be a security practitioner now. He goes, no.

Jeremy Deckert, SVP, SentinelOne [00:06:23]:
He goes, we have a job at one of our partners, and we'd like you to fill it. So I actually went over, and that's how I started in security, and then realized that not every problem can be solved the same way. And I think the opportunity to watch people think out of the box and security is amazing. And so that's why I'm here. I've been doing it for 15 years now and love it.

Joe Toste [00:06:43]:
Awesome. Thank you. Ryan. Congrats on what looks like from the outside is the successful Super Bowl cybersecurity experience. I don't know. I'm not on the inside like that, but I'll take it.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:06:52]:
I will take it, too.

Joe Toste [00:06:54]:
Yeah. What were some of those lessons learned when reflecting back on what I think is, like a once in a lifetime experience?

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:06:59]:
Yeah, for sure. Obviously. Yes. It was a successful Super Bowl. Right? Nothing got blown up. No major cyber attacks. Game went off without a hitch. The Rihanna concert was amazing.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:07:08]:
Right. So obviously, bonus points there. All of that was months, almost a year in preparation. And I feel like this is an ongoing theme that I keep talking about. Right. Is none of that would have happened successfully without the community we had in Arizona to build it all, to bring it all together, to make it successful. So working with the NFL directly, working with all of our local cities and counties directly at the state level, at the national level, with DHS and FBI and our other federal partners, everyone was getting together on monthly and or weekly basis trying to get this together, understand what are the threats we're potentially going to face. Obviously, this is not the NFL's first rodeo.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:07:46]:
Maybe a weird mixed metaphor there, but you get the meaning. They've done this a few times before, right? So they know what they're doing. They've seen a lot of the threats, they understand a lot of the struggles. So taking direction from them and understanding what that looks like, and then infusing our perspective from a local Arizona viewpoint and understanding how those two things cross over and then taking lessons learned from previous years, previous Super Bowls. One of the big things that we heard about several other previous events was that just communication paths broke down. And being able to understand who are all the key players in this? Who do we need to know to talk to when it comes to a major cyber event? Or maybe there's a major law enforcement engagement that happens in one of the cities. How do we make sure all those people are talking to each other? So we had multiple command centers, multiple emergency operations centers set up specifically devoted to each of the operations that needed to occur. So having the main multi agency command center stood up, where law enforcement was, there, federal agencies were there, a representative from each of the cyber teams, the intelligence teams, all there in the same place, and then connected to each of the other operations centers.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:08:51]:
So the one in Glendale, at the game at the stadium, the intelligence operations center run by the FBI and pulling in all the intelligence side of all the federal partners. Our cyber command center, run out of our Department of Public Safety, and our fusion center, bringing in all of the cyber intelligence that we were getting from federal and local partners, and then making sure that was both a two way street, bringing in information and sending it out where it needs to go. So the big lesson learned is just the one that we keep harping on continuously. Communication, collaboration, and community.

Joe Toste [00:09:20]:
Those are, like, my three favorite words. That's what I'm talking about.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:09:23]:
Love that. It's your love language.

Joe Toste [00:09:26]:
And anyone who's married, you need community, collaboration. All y'all are shaking your.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:09:33]:
Yeah.

Joe Toste [00:09:33]:
Yeah. Chris. A big theme that I'd love to talk about is cybersecurity collaboration. Man, it's like, you all read. That's crazy. Yeah, man, all of you. And the pledge to work closer together. Texas has a lot of people in the state, but the bad actors, they just don't care.

Joe Toste [00:09:50]:
They just don't care. Could you maybe just talk about the mission of protecting the citizens here in Houston, especially during large events like the final four.

Dr. Chris Mitchell, CISO, City of Houston [00:09:58]:
So, fortunately for us, Houston is accustomed to hosting major events, right? So standing up, preparing ourselves, it's what we do. Right. But for me, when it comes back to the threat, we have to know exactly where the threats are. Who are the threats? And when I see folks approach this, you have to start with a risk assessment. But we're not defending against ghosts. Right. So our focus has been to determine the threat actors who are interested in one, our industry, who are interested in the data and system types that we have, for example, a Siemens PLC, or you name it, and then start to look at the TTPs of how these threat actors actually attack and formulate our defensive posture based on that information.

Joe Toste [00:10:55]:
So that's our general approach, I'm pretty sure. But I could be wrong. Has Houston hosted an Olympics before?

Dr. Chris Mitchell, CISO, City of Houston [00:11:01]:
It would predate me. I don't believe so, no, they should.

Joe Toste [00:11:05]:
The Olympics are coming in at LA 2028. I'm just going to keep coming back to Houston. Yeah. World theory. I'm going to be coming back to Houston.

Jeremy Deckert, SVP, SentinelOne [00:11:13]:
Actually, LA has already had one. But you weren't born yet.

Joe Toste [00:11:16]:
Was that 92?

Jeremy Deckert, SVP, SentinelOne [00:11:18]:
What is 84?

Joe Toste [00:11:19]:
I wasn't born yet. Dang it all. You all making fun of me. Just a quick follow up. Chris, what would you like to see in the city of Houston from an esprit de corps that you experienced in the military, that you would like to see here happen at the local level?

Dr. Chris Mitchell, CISO, City of Houston [00:11:34]:
And that's a great question. Pride and ownership, right? In the military, everything is about a competition. When you think about it. You go to basic training, you're competing against your brother and sister companies, as we call them in the Navy, for academic flags, for marksmanship flags, you name it. Right. It would be nice to see our city. We are the largest city in our state, the fourth largest city in the know, for everyone to approach what we do, wanting to be the best at what we do. And from my perspective, when you think of Texas out here, Austin first, Dallas, San Antonio, oh, and the.

Dr. Chris Mitchell, CISO, City of Houston [00:12:17]:
There's Houston. We should be first.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:12:20]:
Yeah.

Joe Toste [00:12:20]:
I love that, having that pride and ownership in your work. I think there's some lost traits right now, but I think it's, like, super important. And I know you're a Navy man. There's a great book out there, Extreme Ownership by Jocko Willink. And I got two bands, so I've got the get after it, and discipline equals freedom. And actually, I had the honor of interviewing JP Dinnell, who was a lead sniper for Jocko during the Battle of Ramadi in Iraq. And just, it was a fantastic, I'd recommend everyone go listen to that podcast episode because he really shares just his life path and journey, but both from war and just in family life. And yeah, I think having that pride and we teach that to our kids also who are four and 13.

Joe Toste [00:13:04]:
And it's funny to see like, the shaping of a kid, right? Because Jack man is four and he's like taking pride with his fake kitchen. Right now you got a little fake kitchen and he's doing that. Right. I love that you brought that up, Jeremy. A big theme in cybersecurity is that machine speed attacks require a machine speed response. Morgan Wright, the chief security advisor at S1, shared a term with me in Orlando that I absolutely love. He calls it left of boom, which is the US military term used to describe disrupting insurgent cells before they can build and plant bombs. I'm always a fan of preventing crises before they happen.

Joe Toste [00:13:41]:
Can you talk about how SentinelOne's cybersecurity philosophy around being left of boom or getting in front of the problem before it happens?

Jeremy Deckert, SVP, SentinelOne [00:13:47]:
The funny thing with that question is, I had to ChatGPT last night, the left of boom. I was like, okay, left. If you talk to Morgan and you guys have had the opportunity, I know you have.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:13:58]:
For 3 hours.

Jeremy Deckert, SVP, SentinelOne [00:13:58]:
For 3 hours. Yeah. His whole goal, when he talks about it, is one of the great things about SentinelOne is having the advantage of getting rid of the noise, right? Basically taking all the noise out. And then when you have an actionable threat or something comes along the wire, the fatigue from your folks online, they're actually looking, they understand it, they're looking at it, and they know they need to take actionable defense for it. And so when I started at SentinelOne, I didn't come in for the endpoint or the EDR. Everybody has an endpoint. Everybody has an EDR. I think the goal was they sold a vision, and their vision was, hey, at the end of the day, it's not just about the endpoint.

Jeremy Deckert, SVP, SentinelOne [00:14:36]:
It's taking in data from the cloud, it's taking in data from identity. Both credential theft 80 changes daily. How are we supporting that? And then there's also deception, right? There's things around deception of making sure that you don't have insider threats or you're being able to watch lateral movement. But the biggest is around data, right? We bought a company, and the whole goal of security is we buy all these tools, but none of them, they don't talk to each other. There's 15 or 25 different tool sets out there. And so we've gone about, and that vision now is taking in not only our data, but data from third party security data, bringing it and ingesting it, enriching it, overlaying it, applying security context to it, and then having action, whether it be orchestrated or it be manual on that data. So I think when you look at that, it's, yes, can we get left of boom? Yes. Can we do it at machine speeds? Yes.

Jeremy Deckert, SVP, SentinelOne [00:15:34]:
But it's going to take time. And I think that vision is still coming under. We've got three different product sets. We don't have one product set that does all. But I think it comes down to it is the ability to interact with your alliances, with your partners and take that data and scrub it.

Joe Toste [00:15:50]:
Thank you. That was great. Also, thank you for your honesty with the ChatGPT. All y'all need to go listen to my three hour episode with Morgan Wright. It is really good. Chris Winnick. Yeah, Chris Winnick here in the suit, he listened to it and he texted me, quote, this podcast was lit.

Joe Toste [00:16:05]:
Can I say that? Yeah, it was great. It was great. It was fantastic. Morgan is a. And Morgan actually hosts his own podcast. He's not actually employee of SentinelOne, so you get a really great perspective. He hosts a podcast called the Game of Crimes, and it is a really good podcast. He's a previous detective and just has a fascinating background.

Joe Toste [00:16:22]:
So we did a three hour podcast and he actually, he wasn't bored of me yet. Came back and we did a 90 minutes podcast with him and Jamie Grant, which was awesome in Orlando. Chris, can you talk about building a strong cybersecurity intelligence apparatus and posture for the city of Houston? And I'm using quotes because I love it, because you said this to me when we met over the phone. I don't want you to give away the secret sauce, but from a 30,000 foot overview, like, what does it look like to have a strong cybersecurity posture? You've touched on it, but for the fourth largest city in the nation.

Dr. Chris Mitchell, CISO, City of Houston [00:16:52]:
So I would say the first thing is to first understand what intelligence is. Right. Intelligence is not a threat feed. Intelligence is not IOCs. Intelligence requires analysis. Right. The best source of threat data by which to formulate one, a hypothesis and two, to go and make sure you're pulling in the right data sources to conduct the analysis is within your own environment. So it's making sure that as you collect data off the network, you're collecting from the right sources.

Dr. Chris Mitchell, CISO, City of Houston [00:17:25]:
Noise doesn't equate. Right. And there's a cost to that. Now there are storage costs, et cetera. Right. So it's that a threat intelligence platform is not going to solve your problems either. That's just yet another source by which you can enrich the information that you're already collecting. And also going back to the threat model.

Dr. Chris Mitchell, CISO, City of Houston [00:17:45]:
There are 41 threat actors that we focus on and knowing exactly how they plan to take the fight to us because remember, we're not taking the fight to them. They're coming to our domain. And that goes back to esprit de corps. Would you just allow someone to just walk into your house uninvited, unannounced and be okay with that? So that's the same approach and mentality that we have to have as defenders as well.

Joe Toste [00:18:08]:
On the basketball court I talk about, we're not going to let these people come into our house. I love that. I love that a lot. Ryan, love to hear your thoughts on building a strong cybersecurity posture from the state level.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:18:17]:
Yes, I mentioned it previously when we talked that we're really struggling and seeing this borne out day after day, that there are haves and have nots when it comes to cybersecurity. And we've tried to do something in the state of Arizona where we've tried to level that playing field a little bit. Right. And it shouldn't be based on your revenue, it shouldn't be based on your tax base just to continue to exist as a government entity. And we've tried to provide a lot of those services for those local cities, counties, K-12s that can't really do that for themselves. We talked previously about just, basically just doing the basics. Right. We don't necessarily need all of this fancy machine learning stuff.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:18:52]:
It helps. It's fantastic. It helps respond to machine based threats at machine based time. But when you're not patching those Windows XP machines that still live on your network, when you're not teaching your users and your people that work for your organization about what the threats are that exist out there and how not to click on a phishing email and how to report these things to someone that can do something with them, all that fancy machine learning goes out the window. Right. It just doesn't really help. So being able to understand what the threat is, understand where your vulnerabilities are both in your systems and your people, we've talked a lot about seeing people as the weakest link, and I really hate that terminology. I want to think of it as they're the most vulnerable.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:19:33]:
They're the ones that we need to spend time and effort and patching those vulnerabilities in people just as much as we do in systems. So how do we test them? How do we train them and make sure that we understand where those vulnerabilities exist and how do we actually fix them in a way that makes sense? But also sharing the information we're getting, right? This shouldn't be stuff that just goes into a void somewhere. Every phishing email I get, every IOC I collect, someone needs to be doing some amount of analysis on it and sharing it out with the other communities in a way that they can ingest, because just throwing more noise at people is never going to solve the problem. So how do we take that information in and use the tools that we have, the high powered analysts that we have, to be able to enrich that information and turn it into actionable intelligence in a way that we can give out to, say, a small city or a K-12 school district that doesn't have an analyst, doesn't have these high powered tools, we should be able to turn that into something that they can do directly with it, whether that's blocking it in their firewall, sharing it with their users, turning it into something that they can get just as much defensive capability without having to buy high powered tools to do it.

Joe Toste [00:20:38]:
No, that's great. Jeremy, can you just round us out? You've got experience on seeing a lot of different customers come across. What are you seeing that differentiates those that have strong cybersecurity postures from those who can learn from.

Jeremy Deckert, SVP, SentinelOne [00:20:51]:
I think Ryan just hit it on the head. Sharing is caring. Right? It's a people first process, security in and of itself. I laugh because I wish I had the tool that I can just press a button and I bring it in.

Joe Toste [00:21:00]:
Staples easy button.

Jeremy Deckert, SVP, SentinelOne [00:21:02]:
Yeah, that's it. I've seen them. I see them on desks. But what I would say is that especially in the public sector, you know who your peers are in your groups, and it's taking those peers and going out and going. You see them at all the different events, they're all talking to each other. They're not keeping things close to the vest and investing in your people. I think from the public sector perspective, there's so much talent that moves over to the private sector for the dollar. We have all this funding, these mechanisms that are coming in, we have to drive that funding to people.

Jeremy Deckert, SVP, SentinelOne [00:21:34]:
Because if you look at some of the funding, the TA funding that's coming out now around cybersecurity. It's all about buying something from me. Please don't we record this because I want to make sure that my boss doesn't see this. But at the end of the day, we're recording about investing. It's about investing in your.

Joe Toste [00:21:49]:
And I'm going to send this to your boss podcast. Right.

Jeremy Deckert, SVP, SentinelOne [00:21:52]:
I was kidding. But it's about investing in the people and keeping those people in the positions. And I'm going to give kudos to Dr. Mitchell here because I actually met him. I think you were about two weeks in, three weeks in, we had a conversation and he said, I'm going to build this and I'm going to teach my people how to hunt. I came back six years later, he's built it. He's got some of those same people there. And there's a reason.

Jeremy Deckert, SVP, SentinelOne [00:22:16]:
Right? It's a leadership. It's investing in your people. And I think I don't have to tell you all, you do it every day and as you keep doing it, obviously you're going to continue to thrive.

Joe Toste [00:22:25]:
That was fantastic. Let's get the mic ready for anyone who has not asked a question yet.

Summer Xiao [00:22:30]:
Dr. Mitchell, would you tell the group a little bit more about your observations? Houston being the largest city in this region, but much like what Ryan has about the smaller communities around this region, what are your thoughts about how the big cities can help?

Dr. Chris Mitchell, CISO, City of Houston [00:22:49]:
Okay. I think we should have an obligation to help, and I think we should be proactive about offering the help as well. I've made effort and some strides in reaching out to smaller municipalities around us, as well as even some of the smaller counties. And I wouldn't say we have frequent conversations, but we do have conversations. And as long as they're open to receive the things that we can offer to help them, then we will graciously do that.

Summer Xiao [00:23:25]:
So this question is, and I'm asking because Dr. Mitchell helps me on the daily and I have access to Dr. Mitchell. I'm sure not everyone has an access to their own Dr. Mitchell, even within the IT field, let alone in the general public. Lots of people want to get into cybersecurity, but people don't know how to start, where to start, right. Either you're fresh out of school, you're in school, or you already have an established IT career. Like I could be a project manager that's really interested in cybersecurity.

Summer Xiao [00:23:53]:
But if you ask any of my PMs, they don't even know where to start. So interested to getting all of your thoughts on how to start a cybersecurity career and how to get into it.

Dr. Chris Mitchell, CISO, City of Houston [00:24:05]:
So I get the question a lot, because cyber is popular. It's hot, it's exciting. It's also misunderstood. Right. One of the things I tell folks is this is one of the most misunderstood disciplines that exist, because within the discipline of cyber, there are at least 40 different subdisciplines, and you can't be great at all of those. So knowing exactly what interests you, do you want to become a SIEM engineer, a reverse malware engineer, a system security engineer? These are all completely different skill sets. So knowing that first and then going back to look at the types of traits and characteristics that are required to do this job, and this is not the type of job to where there's an end. Right.

Dr. Chris Mitchell, CISO, City of Houston [00:24:52]:
I remember years ago when I'm going to date myself, I guess broadband to the house was becoming a thing. And one of the first organizations out of the gate was Time Warner with Roadrunner. Right? And I remember this commercial where this couple, they're sitting in their bedroom, and the husband is on the computer, the wife is reading a book, and he's on the computer and he clicks and he says, wow, I just cruised the entire Internet. Right. There is no end to this. Right. This is a constantly evolving and revolving process. So if you can't commit yourself to that and you have to ask yourself the tough questions, then this is certainly not the space for you.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:25:36]:
I'll go next. I also want to piggyback off of that because I have a book that I found in Goodwill that's the O'Reilly book of the whole Internet from 1995. Literally every web page that existed in 1995 was printed off and put in a book. So that's amazing. It's only about two inches thick, too. So that's awesome. I'll say you guys have already touched on this a little bit. Right? The roads to cyber careers are wiggly.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:25:59]:
There's all kinds of ways to get into this, and it depends on what you're interested in. To your point, it's highly misunderstood. Everyone thinks cyber, and they think it's the hoodie guy hacker in his basement. And that's all cyber is. But we talked about it earlier. It's project management, it's legal teams, it's SOC analysts, it's security engineers, it's compliance and legal people. It's all of the other ancillary things that come together to make systems secure, whether that's the systems of technology, the systems of people, the systems of critical infrastructure, the systems of our legal system. All of those things are capable of being hacked.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:26:35]:
Our elections. Right. Maybe that's a little too hot button topic right now. Our elections are capable of being hacked. Right. How do we put protections in place for all of these systems and build that into the mechanism of how those systems function? And we're going to need people from various backgrounds, diverse ways of thought. It's not going to be just everyone that's come up through a four-year cyber degree or IT degree. It's going to have to be from across the board.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:26:59]:
How do we bring those people together? And I think that the true goal is that cyber is not just a field in its own. It's built into everything that we. Every developer is going to have a cyber background. Every IT person is going to have a cyber background. Every legal person is going to understand cyber to some degree. How do we get to that vision, that future state where everyone has some sort of key piece into playing into supporting cybersecurity efforts and securing all the things that we do?

Jeremy Deckert, SVP, SentinelOne [00:27:25]:
Yeah, I think piggybacking on what you just talked about, I think getting into cyber is what I'm watching as folks go in and look at multiple different areas. Because, listen, at the end of the day, work is work till it becomes a task, and then you don't want to do it. So what ends up happening is there's a lot of folks that are coming out of school that I have kids daily saying that I'd love to come and work for SentinelOne. And then my question is, okay, what do you want to do? And I want to be a part of cyber. And I say, great, what part? And then they're like, what do you mean? There's more than one part of it? Exactly. There is. And so one of the things I will say is that there's a lot of programs, especially around junior colleges, middle schools. All vendors have some sort of outreach, and if you have contacts within your vendors, talk to them.

Jeremy Deckert, SVP, SentinelOne [00:28:12]:
I was part of a company that we did free training. We went out to the small municipalities, we went out to the small ISDs, and we went in and we actually did a cyber day. And from that we garnered two or three folks that wanted to come in, and there's still one or two left at the company that I worked at that are actually now engineers. It took them eight years, but at the same time they were doing something else before they came in.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:28:34]:
If I could just reiterate, too, the impostor syndrome is real in the cyber field, and IT field. A lot of people, even, that have been doing this for a really long time don't think that they are cyber professionals. So for those that are trying to get into that career, let them understand that it can be from many different paths. And once you're there, you are a cyber professional. Regardless of whether you're a project manager or a legal person. You are just as much a cyber professional as someone that's sitting and hacking on things and pulling technology apart. I think we need to make sure that we're reinforcing the people that are in the career field, that are part of this community, as much as we want to bring in new people to it.

Joe Toste [00:29:10]:
Take pride in that work.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:29:11]:
That's right.

Joe Toste [00:29:12]:
Yep. Any last questions? Yeah, Brady.

Jeremy Deckert, SVP, SentinelOne [00:29:16]:
OK, this question is for Dr. Mitchell. It was previously mentioned that when you took your position, you were going to, quote unquote, teach your team how to hunt. So, one, how did you do that? How did that play out? And two, what advice would you have for other CISOs who want to maybe change the mindset of their team or teach them how to hunt?

Dr. Chris Mitchell, CISO, City of Houston [00:29:36]:
A couple of different ways I can approach that. So in terms of teaching them how to hunt, it was a combination of formal training and as much OJT as they can tolerate. I've been doing this for some time, and with a few exceptions, of some things that I could never disclose or teach or discuss, everything else is open. So exposing them to models, the proper application of models. For example, when I hear folks talk about the cyber kill chain and I listen to them describe it, I recall I was interviewing a candidate once, and he brought a whiteboard to the interview, and he was going to show me exactly how they applied that model within their organization. And I couldn't allow myself to let him leave the same way he came. So I said, who taught you that? So let's dissect that and talk about it. And in terms of advice to other CISOs, for those who know me, one thing that I will frequently say is that I am not at all a compliance-driven CISO.

Dr. Chris Mitchell, CISO, City of Houston [00:30:46]:
I'm an operationally focused CISO. Compliance is not security, it's compliance. Right. So don't get fixated on checking boxes only to walk out, go home, patting yourself on the back and you're owned. It's about truly moving the needle. Don't get fixated on boxes.

Joe Toste [00:31:03]:
Okay. Yep. A name company question.

Todd Lovvorn, Enterprise Account Executive, Qualtrics [00:31:08]:
Todd Lovvorn, and I'm with Qualtrics, you guys. We've actually heard quite a few questions and just comments around people and the importance of people, not only to the overall, the agency itself, but now into security. And so my question is really surrounded by, or really comes from this idea that if people are your greatest asset and you're bringing people in, and we're also talking about security, you involve process and those processes that may impact behavior and the behaviors that impact process. I'd love to hear, from your perspective, how you guys are assessing, maybe even from the onboarding process of bringing somebody new into an agency, into your practices and your policies and that process and how that might impact the behaviors you guys are wanting to at least elicit inside of the community or inside of the agency itself, and then maybe even how you're assessing those outcomes as an ongoing process. And that's a loaded question and a lot, but I just wanted to hear your thoughts on that.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:32:11]:
Yeah, I'll say again, we've had to get creative with a lot of this. Right? We've had people that have come into the career field from diverse backgrounds and getting them up to speed in the processes, in the methodologies, in the structures of what being a cybersecurity person means. It's a lot of on-the-job training. It's providing an outlet for them to be creative in their thought processes. It's something I've talked a lot about with some of the older cybersecurity professionals in the field, is that mentality, that hacker mentality that used to exist back in the early 2000s, before cyber became a truly defined career path. People had to figure out how all this stuff worked, take it apart, break it, put it back together, and then figure out ways to secure those things so bad guys couldn't do the same things. We've tried to foster that mentality of go forth and learn, be creative in the way that you're doing these things. Yes, we have an objective.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:33:05]:
Yes, we have a mission we have to accomplish. But there's so many different ways to get there. We don't want to stifle that through saying, this is your runbook on how you respond to this specific incident. And if you divert from that, you're doing it wrong. We want people to be able to come to it with some amount of creative thought and say, look, yes, this is what the runbook says. I ran through it, but I missed this thing. So how do we incorporate that into it the next time this thing happens? I'll also piggyback off of what Dr. Mitchell said.

Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:33:31]:
A big part of threat hunting is that creative thought process of going, that looks weird. I wonder if that is actually something I should dig into. And then what does that actually mean? How do I dig into that detail? How do I find where that thing got there, how it got into my environment? Should it be there? Is this something that actually exists in the environment for a reason? Or is this a true threat actor doing bad stuff and being able to foster that creative over and over again? That analytic process is something we've really tried to drive home with our teams.

Dr. Chris Mitchell, CISO, City of Houston [00:33:59]:
And from my perspective, if I'm evaluating a candidate for potential hire, I'm really focusing on digging deep to determine their motivations. Why is this something that you desire to do? I want to know how they think, so I give them scenarios. It's not so much about them getting the exact answer that I'm looking for as much as it is how did they arrive at the conclusion? Because based on that path, now I really have something to work with. Right. Integrity is big because within this space, from an insider threat perspective, you never know who you're going to be investigating and for what. And I'm always asked a question like, what are some of the differences between working in the federal space compared to working at the local level? People talk more at this level, right? So it's figuring out ways to control that, to let them know that, okay, your relationships with people have to shift a bit if you're going to do this right.

Joe Toste [00:35:10]:
Thank you for coming on the podcast we're going to sign this fall. I appreciate it. Thank you, everyone. Hey, what's up, everybody? This is Joe Toste from techtables.com and you're listening to The Public Sector Show by TechTables. This podcast features human-centric stories from public sector CIOs, CISOs, and technology leaders across federal, state, city, county and higher education. You'll gain valuable insights into current issues and challenges faced by top leaders through interviews, speaking engagements, live podcast tour events. We offer you a behind-the-mic look at the opportunities top leaders are seeing today. And to make sure you never miss an episode, head over to Spotify and Apple Podcasts and hit that follow button and leave a quick rating.

Joe Toste [00:35:47]:
Just tap the number of stars that you think this show deserves.

Ryan Murray

Deputy Director and Chief Information Security Officer at State of Arizona

Ryan Murray joined the Arizona Department of Homeland Security in July 2021 and currently serves as the Deputy Director for Arizona Cyber Command and as the Deputy Chief Information Security Officer for the State of Arizona. He also previously served as the Chief Information Security Officer for the Arizona Department of Revenue for three and a half years.

In his current role, Deputy Director Murray provides tactical and operational leadership for Cyber Command, and strategic advice to key executive stakeholders throughout the State.

Prior to joining the State in 2018, Ryan held several public sector positions throughout Arizona including in Maricopa County and the Crane School District.

He has nearly 20 years of experience in IT and Information Security, is a Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP) and holds a Bachelor’s in Cyber Security and Information Assurance from Western Governors University.

This year Mr. Murray looks forward to accomplishing several key initiatives, including a significant expansion of the Department’s Cyber Readiness Program for local cities and counties, and increased collaboration for cyber information sharing across the State.

Dr. Chris Mitchell

Chief Information Security Officer at City of Houston

US Navy Veteran

In his day job, Dr. Mitchell serves as the Chief Information and Security Officer for the City of Houston, Texas, the 4th largest city in America. Dr. Mitchell describes himself as a “student of his craft” – continually learning, evolving, and adapting in the world of cybersecurity.

“I am so honored to be recognized for this award. Cybersecurity is my passion. I always enjoy sharing insights and perspectives across the cybersecurity community. I certainly look forward to continuing the relationship with our trusted partners at Cisco Security as we grow and evolve in this space.”

His experience and strategies have been influenced by an impressive work history. He served in the United States Navy as an Operations Specialist (Surface Warfare/Aviation Warfare). Later, he worked for a cleared major aerospace and defense organization for over 14 years as Director of IT and Information Systems Security Officer where he was responsible for detecting, protecting, and responding to cyber-attacks from nation-states, hacktivist groups, organized criminals, and insiders.

His current role is as challenging as they come. Not only have attackers become more sophisticated, but the vulnerability footprint and risks are greater than ever, especially in Houston where the city will be one of several centerstage in hosting the World Cup in 2026. Additionally, Houston is home to the NASA Johnson Space Center, the largest medical center in the world, and one of the largest ports in the country. Understandably, Houston is constantly …

Jeremy Deckert

Executive Leadership | Sales & Business Development | Strategic Planning

Todd Lovvorn

Strategic Sales Manager

Cloud certified complex solutions consultant, business development, and communication professional committed to growing innovative business solutions in new and emerging technology markets. Expertise is in new business development, strategic presentations, new lead generation, consultative solution sales, implementation, and business management. Experienced in innovative business solutions, developing and executing strategic plans, and delivering high impact results.