ep.168 Racing to Get Left of Boom: How CXOs Stay Steps Ahead of Nation States like China and Russia with Jamie Grant, fmr. CIO, State of Florida & Morgan Wright, Chief Security Advisor, at SentinelOne

Jamie Grant, CIO, State of Florida [00:00:40]: I feel good. I think your audience is probably sick.

Joe Toste [00:00:42]: Of me, but Morgan, welcome back to the podcast.

Morgan Wright, Chief Security Advisor, SentinelOne [00:00:45]: Chairman Toste, ranking member, secretary, I feel like this is a congressional panel is like, I had no prepared testimony.

Jamie Grant, CIO, State of Florida [00:00:53]: I apologize.

Joe Toste [00:00:54]: Yeah. And for those of you who don't know, Morgan's been on the podcast. We did a kind of a long form three hour podcast, which is fantastic. We trimmed it down to, I think 2 hours and what, 28 minutes.

Morgan Wright, Chief Security Advisor, SentinelOne [00:01:04]: You didn't tell me that.

Joe Toste [00:01:05]: Yeah, we trimmed it down.

Morgan Wright, Chief Security Advisor, SentinelOne [00:01:06]: Probably cut out my good jokes.

Joe Toste [00:01:08]: Yeah, we cut out all the great jokes, Morgan. So let's kick it off first with you. There's a term that you shared with me that I loved and that's left of boom, which is a us military term used to describe disrupting an insurgent cell before they can build and plant bombs. I've always a fan of preventing crises before the happen. Can you talk about Sentinel one's cybersecurity philosophy around being left of boom?

Morgan Wright, Chief Security Advisor, SentinelOne [00:01:30]: Yeah, and I'm not going to do a product pitch. I mean, this is more philosophical. This is the philosophy I had before even working with Sentinel one. But I was in the Reagan building on 911. We're supposed to be in the Pentagon. Meetings got flipped. We're in classified environments. We didn't know what was going on for a little bit.

Morgan Wright, Chief Security Advisor, SentinelOne [00:01:44]: But I remember walking across the bridge and seeing the smoke come out of the Pentagon. And then that night I couldn't even get to a phone for 4 hours. So my wife had no idea. She thought we were supposed to be in the Pentagon and then listening to the combat air patrol at night first. I mean, I live next to Dolos airport, northern Virginia, but you can tell the sound of fighter jets, they are distinctly different. And then come to find out the seat of government in case something happens which they thought the White House was going to be attacked is mount Weather, which is in my county right there. So it's a FEMA facility, 1500ft in the ground. So the reason I'm kind of prefacing that is that it made a fundamental shift in how I viewed the problem.

Morgan Wright, Chief Security Advisor, SentinelOne [00:02:23]: And then I ended up doing a lot of work at the Department of Justice on information sharing. I mean, 16 of the 19 hijackers had prior contact with law enforcement. Noahf al Hazmi was stopped in April, written a ticket by the Oklahoma highway patrol and put into a state department watchlist in August. Why would you put somebody on a watch list who's already in the country? Makes no sense because that's the wrong watch list. They were looking for people coming into the country. So I had the privilege and the honor of working inside department of Justice. A lot of the work we did was to prepare the attorney general Ashcroft, the deputy attorney general Comey, for testifying before the 911 commission. And one of the biggest failures out of 911 was failure of imagination, failure to connect the dots.

Morgan Wright, Chief Security Advisor, SentinelOne [00:03:03]: You were talking about connecting the dots earlier. Well, you can't connect the dots unless you collect the dots. And the dots all have to be in a place to where we can make sense out of the dots. Steve jobs actually said it really good. He said, you can't connect the dots looking forward. You can only connect them looking backwards. Well, that was the problem. We'd had too many silos.

Morgan Wright, Chief Security Advisor, SentinelOne [00:03:18]: Dennis Miller told a joke one time. He said, the only thing the CIA share and the FBI share is the letter I in their name. And that was true. You're talking about information sharing. One of our biggest challenges, and we're just having this discussion before we started, is how do you share information between 18,000 federal, tribal, state, and local law enforcement agencies? Right. So this gets into left a boom. The thing we realized, too, is we went in, as we started having these discussions, we were having the discussions with the wrong people, and we got that changed. They started off as a technology project, said, it's not a technology project.

Morgan Wright, Chief Security Advisor, SentinelOne [00:03:46]: It is a mission problem. We have a mission to how do we connect people to do a better job together. So to get to left to boom. So when I was doing work for the state department, I was in Pakistan. Turkey. Pakistan, one of those places where when you were a guy that looked like me and you're walking around, you were a target. So we had areas we had to stay within, and that was left a boom. We were working with the Islamabad Capital Territory police, the Federal investigative Agency, Special investigative group.

Morgan Wright, Chief Security Advisor, SentinelOne [00:04:11]: They were responsible for protecting President Musharraf from the Taliban, which, by the way, their inner services intelligence organization in Pakistan created the Taliban. So you want to talk about how do you get left to boom when you have adversarial agencies who are in your own government working against you? So the whole idea about left to boom is if you are reacting to it, it's too late. The cost of response goes up. The cost to people goes up. And so whether it's cyber, whether it's a physical attack. Right. How do we get to left a boom? And left a boom means we have to start looking at in the cyber world now. We start looking at behaviors.

Morgan Wright, Chief Security Advisor, SentinelOne [00:04:46]: What is this thing, whatever it is, trying to do? Is it code? Is it an application? Or is it a person? What is it that they're trying to do? And what is it that they're trying to access? And as we look at the use of artificial intelligence, as we look at the use of autonomous systems, things that can think for us based on machine learning, so we can think faster about the problem using machines to scale, how do we prevent these things from happening? So there's some models, you'll see them where it's like, I think Gartner has a 110 60. If it lands in there, you got 1 minute to do this. Well, the minute one piece of ransomware lands in your environment, how long do you think it takes for it to spread? I mean, in the half a second you're owned at that point. And by the way, the attackers. I do a lot of stuff around Russia. I do a lot of stuff around China. One of those things, if the public only knew, right, what these guys are actually capable of doing. But they don't care about your models.

Morgan Wright, Chief Security Advisor, SentinelOne [00:05:37]: They don't care about your policies. They don't care about your frameworks. They could care less. What they care about is, how do I attack you? How do I think differently than you? So, left a boom. The way adversaries won more often than not against us was, everybody's heard the term, right? Think outside the box.

Jamie Grant, CIO, State of Florida [00:05:52]: Okay?

Morgan Wright, Chief Security Advisor, SentinelOne [00:05:52]: Who knows where it came from? What does it really mean to think outside the box? You'll hear people say, well, let's think outside the box. Well, what does that really mean? Well, gestalt psychiatry had this thing called the three dot problem. So you put three dots, all equally separated in three rows. So you had to look like. It looks like a grid. Now connect online dots with four straight lines. Don't take your pen off the paper. And the problem with people, we're right, of boom thinking.

Morgan Wright, Chief Security Advisor, SentinelOne [00:06:17]: We play within. We color within the lines, right? So you cannot solve the problem by staying within the box. The way to solve the problem is to go up and outside the box, come down and across the box, back over here and up to here. There's two places when you do it where you're truly outside the box. Now, we have to. Jamie knows this, too. You have to act within the rules. Right? But that doesn't mean you can't think outside the rules if we were going to be attacked.

Morgan Wright, Chief Security Advisor, SentinelOne [00:06:39]: In fact, I was doing this exercise yesterday. Don't think that I'm weird, but I walked down a boat ramp because we're going to take the boat over I'm looking at it go, how would I get around know? I'm sorry. Two guys making minimum wage with the security screener and they're talking. It would be so easy to get stuff around that, right? So I think differently. But a friend of mine that retired as the associate director at CIA science and technology director, he had a great saying. He said, if the rules of the game aren't working for you, change the game. We have to change the game on adversaries. We have to get to the point to where we create an economic barrier.

Morgan Wright, Chief Security Advisor, SentinelOne [00:07:13]: In other words, as you spend, you should be able to spend down risk. So as I build my economic barrier up, I can extract a cost out of the attacker. That's why for us, getting to left a boom, if you're not investing in getting to left a boom, then you're investing in response, and that's okay. Sometimes you need response. You can't control the fact that a hurricane comes. Not in Florida. You wish you could, right? I know you guys tried to outlaw hurricanes at one time. It did not work is my understanding.

Jamie Grant, CIO, State of Florida [00:07:35]: Right.

Morgan Wright, Chief Security Advisor, SentinelOne [00:07:36]: But you can prepare for it, right. So that when boom happens, you are quicker, faster, better in your response. But what you can prepare for are attacks. It's inevitable. How many attacks does the state of Florida get on a daily basis?

Jamie Grant, CIO, State of Florida [00:07:46]: Until you can tell me the denominator, I'm not prepared to answer it. Right. Like, I can give you the numerator.

Morgan Wright, Chief Security Advisor, SentinelOne [00:07:50]: Just give me the numerator. Hundreds of, I mean, in all different levels. Right? So you cannot say, oh, we have intelligence, so and so is going to hit us. But what you do know is your threat actors are out there. You've got Russia, you've got China, you've got North Korea, you've got Iran, by the way, who's the fifth country now that's kind of become a top tier adversary? It's Venezuela. Venezuela. We're seeing a lot of things coming out of Venezuela, and we're seeing these folks think differently about the problem. So when we think about the problem getting to left to boom memes, we want to look at the behavior of things of code and of people.

Morgan Wright, Chief Security Advisor, SentinelOne [00:08:21]: And as they get closer to your environment and as we're assembling those things together, when we detect that behavior is bad, we stop it. One of the things we've had a really good track record on is stopping ransomware from even getting into an organization. When Sunburst happened, the solar winds, if you guys remember what happened with solar winds, SolarWinds was an intelligence operation designed by career GRU officials in Russia to exploit the way we thought about the problem, how they got to right a boom and we missed left a boom, is they didn't attack the national nuclear stockpile agency or the State Department directly. They went after SolarWinds. SolarWinds is not a cybersecurity company. They're a network management services company. For network management service to work, you have to give it access to what? Everything. Right.

Morgan Wright, Chief Security Advisor, SentinelOne [00:09:05]: What they did was they got into the. Which was rather trivial. They put a piece of code in and they let that code propagate to see does anybody detect it. That was the first step. Then when nobody detected, then they built their malware packages and then they put it out. Because you folks out there implicitly trust the updates that come from you. When's the last time? And I challenge any one of you to tell me the last time you took an update that came in from Apple or Microsoft or even Sentinel one and reverse engineered it, Fuzz tested it, looked at everything to say, is there anything malicious in there? No, you go, it's digitally signed, we're okay. Put it into our environment, watch it for three days, and if nothing bad happens, then we move it into our production environment, and we keep telemetry data for, like, two weeks, and as long as nothing bad happens, we move on.

Morgan Wright, Chief Security Advisor, SentinelOne [00:09:44]: Because storage is expensive, right? I mean, who enjoys getting their splunk bill every month, right? Yeah. So I'm joking. That was a cheap shop, and I have to do it. It's in my contract. But the reason I say that is that the reason we've gotten to left the boom is because what we've done is we looked at how do actors think and about how do they work and how do we stop that from happening. So, with SolarWinds, the reason I bring that up is even though other people got compromised, including other companies in this space, when they popped their digital periscope up and they looked and they said, who's in this space? And they said, oh, you're in this space. We can tamper with you. We can turn you off.

Morgan Wright, Chief Security Advisor, SentinelOne [00:10:18]: That enabled our adversaries to get to write a boom when they popped their periscope up. And this is documented in the Senate select committee on intelligence. The testimony before Mark Warner, Senator Marco Rubio, who's the ranking member on the SSCI, it's actually in there. When they looked up and they saw Sentinel one, part of their code was said, do not execute. They could not execute because we were able to detect Sunburst and the associated bad things that went with it without having to have an update and operate it, even without connectivity to the cloud. So the only reason I say that to get to left a boom is you cannot think out the problem the same way you've always done. Henry Ford said if I asked my customers what they wanted, they would have said faster horses. Right.

Morgan Wright, Chief Security Advisor, SentinelOne [00:10:55]: What did he do? What did Steve jobs do? He didn't say, who wants an iPhone? Nobody knew they needed an iPhone until they needed an iPhone. He didn't do focus groups. He got to left a boom in the market. He got in front of everybody else and preempted all the competitors by doing stuff like that. So I'll wind this up. I'm going to give you a run for your money. That was his saying. He said that earlier.

Jamie Grant, CIO, State of Florida [00:11:15]: I never said that.

Morgan Wright, Chief Security Advisor, SentinelOne [00:11:15]: What do you said? That? I have it on a recording.

Jamie Grant, CIO, State of Florida [00:11:19]: You're one of the few that I believe that from.

Morgan Wright, Chief Security Advisor, SentinelOne [00:11:21]: It is Florida open records.

Jamie Grant, CIO, State of Florida [00:11:23]: Fortunately, we're a two way update. We got some lawyers in the crowd, and I don't know the lawyers.

Morgan Wright, Chief Security Advisor, SentinelOne [00:11:28]: Oh, there's something about anyway, but we just call them sales prevention. No offense, in some of our. No, but to finish up. So the reason what happens is the way people get to write a boom and make you respond is because you're thinking about the problem in the square. They're thinking about the problem out here on the fringes, in the border. So what happened with solar winds is the Russians didn't out code solar winds. They didn't out framework you. They outthought you.

Morgan Wright, Chief Security Advisor, SentinelOne [00:11:52]: And what they said is that you wait three days in the sandbox and then you put it in. We're just going to wait 14 or 15 days, and then we're going to execute. They out thought you, and because they did that, that supply chain attack was able to be carried into agencies that have very sensitive information. And so that's the right of boom. Now we deal. What right of boom triggered massive new regulations, executive order from the president. You have to modernize. Actually, it's good because it made them modernize.

Morgan Wright, Chief Security Advisor, SentinelOne [00:12:17]: Got to get away from traditional av, start using artificial intelligence, machine learning. But if you keep doing things the way you've always done, you'll keep getting what you've always got. So we had to really rethink. So for us to get to left a boom and stop stuff from happening, so we had to look at behaviors. We had to look at the behaviors of people. There's no reason why, you know, impersonating somebody should be accessing, I think you were talking about active directory, right? Joe's a sales guy. What's he doing? Touching the active directory component of the organization. Right.

Morgan Wright, Chief Security Advisor, SentinelOne [00:12:45]: So you also have to look at. So there's the people issue. So I conclude my remarks. I think my 5 minutes is up. I yield back to the chair.

Joe Toste [00:12:53]: If you want more of Morgan, I know we skipped his background. He also hosts a fantastic podcast called the game of crimes. We went 3 hours. I think we spent the first hour just on his background in his previous life as a detective. That's on the website. I would highly recommend. I know you're like, 3 hours is crazy, but go on a walk, rack up 20,000 steps. But you'll love this podcast with Morgan.

Joe Toste [00:13:14]: Jamie, moving on to you. Can you just talk about the importance of taking preventative cybersecurity measures being left of boom against nation states like Russia and North Korea that are looking to take down an ever increasing high profile state like Florida.

Morgan Wright, Chief Security Advisor, SentinelOne [00:13:28]: Yeah.

Jamie Grant, CIO, State of Florida [00:13:28]: So I first want to thank you because one of my rules in hiring is hire people that make you look stupid and inexperienced at what they do, and you've now extended that to a podcast where my stories are way less.

Morgan Wright, Chief Security Advisor, SentinelOne [00:13:37]: Cool or the ones you can tell anyway.

Jamie Grant, CIO, State of Florida [00:13:39]: That's true. I do have some good ones. Hr would call, no jokes aside, we have a buddy told a joke one time in the office. He said, I told a joke so good, hr wanted to hear it, and they thought it was so good, legal wanted to hear it. So, look, I think if you simplify down to the dummy level, left of boom, it's understanding the vulnerabilities of your defense and predicting or anticipating what the adversary is going to do to take advantage of that. So if we stick with kind of the coaching theme that you and I love to talk about a lot, it's like, look, any defense I call has weaknesses. A great quarterback knows where the ball is going before the snap happens, can anticipate what they're going to see, and see one or two moves from a safety to understand what coverage they've got and the ball goes. Peyton is a great example.

Jamie Grant, CIO, State of Florida [00:14:25]: Like, Peyton Manning is arguably mediocrely talented physically. When you look at the last 20 years of starting quarterbacks in the NFL, he's unrivaled at knowing what was going to happen before the play happened. So when we think about left of boom, I kind of break it down to just somebody scored a touchdown on you and you watched film. That's right, of boom. Like seven points on the board. Too late. Left of boom. Was preventing points going on the board.

Jamie Grant, CIO, State of Florida [00:14:49]: Right. And so it's part of the reason that, from a strategic perspective for us, the chief data officer should be my offensive coordinator. I need them to go put points on the board. I need my defensive coordinator to make sure the Russians and the Chinese and now the Venezuelans and others aren't putting points on the board. For us, strategically, it's get back to the single data element, because if you're really going to understand what defense you're running and what vulnerabilities there. Know, when I first took this job, one of the things I said publicly, a lot of, is it felt like Helen Keller doing security because you couldn't see it, you couldn't communicate it, and you couldn't hear it, and yet you were supposed to protect it, and you had no idea what it was or how many it's there were or where they, you know, kind of step one is like, understand the field, understand what's on the field, and you can break that down a thousand different ways. But when we go back to the core principles of how you build an organization, when we say, find people that anticipate and are reliable, like anticipation means getting to left of boom. Reliable means once they anticipate, they actually did something about it.

Jamie Grant, CIO, State of Florida [00:15:49]: Right. Like, I need both of those things for it to work. And so I don't think there's a question of the importance of getting people to start thinking left of boom. I think the challenge for us in this ecosystem, quite frankly, more than anything, Joe, in my experience, is getting that translated down at a level where you didn't have to have experience in a skif or the NSA or with a TSSCI or understand what the technical components of it is or are, but instead to be able to go to executives and say, hey, look, here's the vulnerability. Here's why it matters. Here's two options. Here's what we would recommend. When you start getting in that cadence, you find that most people want to be left of boom.

Jamie Grant, CIO, State of Florida [00:16:30]: I think they're just completely overwhelmed in not understanding how to get to left of boom. And so find the people that don't want to get left of boom and get them away from everything, and then find the people that do want to get to left a boom and support them on it, and then ultimately, scorecards. Right, like I've said it before, but when you want to figure out how you're doing left or right of boom, it's not just did you get owned. It's not just were you shut down for one study I saw the other day, the average time to identify, isolate, and respond to a ransomware attack, 287 days in America today. Imagine being on paper for 287 days. That's just a brutal circumstance. And so scorecards get you there, right? Because the ability to start articulating number of unpatched devices, number of unmanaged devices, number of end of life, number of unsupporteds. You don't have to be in this space to understand that if the person who wrote the software no longer writes patches, that it's bad for me in government to have that.

Jamie Grant, CIO, State of Florida [00:17:28]: And Jeremy talked about one of our little sayings earlier on our episode, but another one is honeypot as a strategy, because in some places we are so draconian in legacy and government that the bad guy is like, I'm not going to fall for Windows 2003. Turns out, like, really?

Morgan Wright, Chief Security Advisor, SentinelOne [00:17:42]: Windows XP isn't legitimate.

Jamie Grant, CIO, State of Florida [00:17:45]: And so the number of times we have averted major disaster because the threat sector had no idea what they were actually close to is staggering. And so I'm not going to say any more than that, but getting left of boom to understand the importance of being left of boom from a culture and a mindset to start rooting out. This goes to some of the workflow stuff we were talking about earlier. You got a lot of people who don't want to embrace new because they're scared of what the consequences are. They're saying they want to stay right a boom. They're not going to wear the t shirt, they're not going to get the tattoo. But if they're saying if I move to cloud, I'm going to lose my job, or if I embrace SaaS, then what are my developers going to do? They are saying out loud that they believe in and live right of boom. And it's going to be your problem to clean up when they didn't do the things to lead your business unit.

Jamie Grant, CIO, State of Florida [00:18:36]: Left of boom. Yeah.

Joe Toste [00:18:37]: No, that is fantastic. Going back. I know Morgan's like, no more sports analogy. We're going to be lots today, Morgan. Lots today.

Jamie Grant, CIO, State of Florida [00:18:44]: He tried to take us to like NSA, Pentagon stuff, but we brought him right back.

Joe Toste [00:18:48]: I know. We're bringing him right back. We're bringing him right back in the gym. When you go to prep for a game and you have that locker room time, a lot of coaches will write out what their emphasis is. And a lot of times that's based on the game tape that they've already watched. Coaches, we watch game tape during the season. We sit the kids down and we watch it with them. And we want, especially crosstown rivalry games.

Joe Toste [00:19:11]: I know you're like, oh, high school, how can you get. You go, crosstown rivalry game. We tell these kids, like, the Crosstown school, San Marcos, no mercy, they do not care. The freshman team got blown out by 70. And we're telling these guys on the JV level, like, you have to come out in the first quarter or they are going to. And you come out, you compete, and you got to follow the game plan. Number one, hey, we're going to have fun. But after that, it's like, no turnovers.

Jamie Grant, CIO, State of Florida [00:19:35]: Also, winning is fun.

Joe Toste [00:19:36]: Winning is fun. Winning is fun. Kids, when they lose consecutive games, not a good team to coach, right? And you kind of have to push through that a little bit. They get unhappy, and that's like, they want to win, right? And so they want to have fun. Yeah, but winning is fun, right?

Jamie Grant, CIO, State of Florida [00:19:52]: Anybody in the coaching game, the eye and this guy don't lie, right? And so one of the things I kind of laugh about is you go back to high school days or college days, and it's like, my mom, lover. But we finally, in high school, had a pow wow because she would say, you played the best game ever. And I had categorically played the worst game of my life. Like, by every statistic, it was an atrocity. And Bev was just like, you were fantastic. And I was like, mom, I'm going to keep you. I tell you what, you're allowed to tell me you enjoyed watching me. You're allowed to tell me you're proud of me, but you're not allowed to tell me that I played a good game when I did one, two, three and four, because now I'm not going to hear anything.

Jamie Grant, CIO, State of Florida [00:20:28]: And if you really boil down, like, the Venn diagram between Morgan's world and our world, the tendencies don't lie either. Right. The reason the film works is because you've shown me by a set, by motion, by something, what's coming. And all of us who hacked our way through calculus to graduate, I definitely hacked it. Yes, 100%. I'm not going to tell that story until I leave government. But I had some help from a tutor, and I might have gotten my cryptologic start stealing sign signals. So it's still expressed as a percentage in our world, right? Like, if you strip it down to the dummies that couldn't get invited to the places you go, we're still going to say on third and seven.

Jamie Grant, CIO, State of Florida [00:21:10]: This is the tendency.

Morgan Wright, Chief Security Advisor, SentinelOne [00:21:11]: Well, it's like Moneyball. If you think about what it was. They would look at things. But let me use the sports analogy and I'll tie it into what's going currently. I'm the adult in this conversation. Apparently. I got to bring it back. No, just kidding.

Jamie Grant, CIO, State of Florida [00:21:22]: Everything's relative.

Morgan Wright, Chief Security Advisor, SentinelOne [00:21:23]: Everything's relative. Well, if you're in Arkansas. Sorry, I'm a canadian.

Jamie Grant, CIO, State of Florida [00:21:27]: Tuscaloosa.

Morgan Wright, Chief Security Advisor, SentinelOne [00:21:28]: Yeah, Tuscaloosa. Family trees don't fall. Okay, coming back around again now, but when you were talking about. Let me give you a coaching example, and then I'll turn it into what's happening exactly right now. So you remember the game, I think, was it the Super bowl game? Right, the Eagles versus the Patriots, right down there by the goal line. The Patriots had their defense up. They said, the Eagles are going to do this. And what do the Eagles do? Ran a play counter to everything.

Morgan Wright, Chief Security Advisor, SentinelOne [00:21:50]: Everybody thought what they got is they got left a boom. They thought outside the box. They looked at the tendencies for the Patriots to do certain things. They got comfortable in their defense. We're getting comfortable in our defense right now because now there is a new series of attacks that are going around even though they were predicted. This came out of a classified project I'd worked on with Lucent government solutions. So I can talk about it now, but it's called code Guardian. But we were looking at the firmware.

Morgan Wright, Chief Security Advisor, SentinelOne [00:22:12]: We were looking at the updates to routers and switches and firewalls and what is being attacked now. China's launched an entire campaign. They're going against the things that don't have the embedded protection, which are things like the firewalls and the routers, and they are exploiting those things. So you're seeing some things with Fortinet or some other companies have got that. Cisco, same thing. You're seeing updates come out now to patch things. And you know, it's bad when the NSA comes out and, you know, there's this vulnerability over here that tells you they've been exploiting that vulnerability, which was windows SMB, when they came out and disclosed, hey, Microsoft, you got a huge vulnerability in Windows SMB. Same thing North Korea used to launch the attack.

Jamie Grant, CIO, State of Florida [00:22:52]: Because I think that's a fantastic point, but I think there's another one that Pete Carroll, I think if he was sitting here today, still doesn't have a problem with the play call that quote unquote, loses a Super bowl. Right? The same reason that the Eagles did what they did to win a Super bowl is the exact same reason Marshawn lynch doesn't get the football and an interception happens, and we have this culture where Pete Carroll, I still maintain, made a great call. Execution didn't work. But the recourse to that could be like, okay, well, now we just have to go with the traditional. Everybody knows you hand it to Marshawn in that situation, rather than saying, hey, what is the adversary expecting? And every now and then, it's Sun.

Morgan Wright, Chief Security Advisor, SentinelOne [00:23:31]: Tzu and cyber, right?

Jamie Grant, CIO, State of Florida [00:23:32]: It's like, hey, the reward for getting left of boom should maintain whether or not execution bore out success or not, just because we tried to go left of boom and do something that was outside the box and it didn't work. In this one instance, we cannot let that take us backwards into, well, we better get back inside the box, because that one guy who got outside the box lost a Super bowl, and he probably wins the Super bowl if he would have just stayed inside the box.

Morgan Wright, Chief Security Advisor, SentinelOne [00:23:59]: So let me give you guys, let me bounce off that real quick. Remember when the TSA changed their things? Now it's three one one 3oz of this. Do you guys know where that came from? Came from Richard read, an unsuccessful guy who was left a boom, tried to go left a boom, but they had built TATP, one of the explosives, into his shoes. I was in Orlando here. I got a call from one of my buddies at the state department, said, hey, you may want to get out to the airport early, which I did, because they changed all the rules. If you had a bottle of water, remember, you could bring a bottle of water on. No, that's also got to be because, to your point, we should reward, because part of it was kind of disrupted by british intelligence. But he was not able to execute on left of boom.

Morgan Wright, Chief Security Advisor, SentinelOne [00:24:38]: He was able to execute on the theory and the strategy that, had it worked, it would have brought down an airliner, but it wasn't successful. But too many people in the government, especially in the intelligence community, get so risk averse. I don't want to do anything. It cost me my job. Well, dude, it cost you your job, but you might save 10,000 lives, right? Have you thought about that? I mean, who here would have raised their hand to say, I'm willing to lose my job if we could have stopped four airplanes being hijacked? By the way, I passed one of those sons of bitches that morning. I was driving in from. I live in out by Dulles airport. I drove by for the hijackers that morning going into the Reagan building, and they were operated in my area.

Morgan Wright, Chief Security Advisor, SentinelOne [00:25:14]: I mean, it starts becoming personal at a certain point, and you want to do what you can. But that's the example I was thinking of, is like, you still make the same play call, because guess what? You cannot make people so risk averse that they're back to thinking inside the box and drawing inside the box. Great progress is made by people who are willing to take the risk. But if you penalize risk takers, then what you've done is you just ensured that you will always think and operate inside the box.

Joe Toste [00:25:39]: Yeah. No, I love this. And on a whole nother podcast, separate, the entrepreneurial kind of aspect is thinking outside the box. And I love the concept of thinking about the problem. Jamie and I, the other Jamie, my wife, we think about this all the time of currently, how people in the marketplace think about community relationships, public sector, and we want to break that mold. And that's how you have to think about the problem. So, again, side note, and that's a totally different podcast, but maybe on your next tour of entrepreneurialism after state government, we'll have to have another podcast. Jamie, the governor and lieutenant governor have prioritized workforce education development.

Joe Toste [00:26:19]: So who's caught any of the Twitter? You can just kind of throw your hands up. But the state of Florida has been going on quite the roadshow lately. Has anyone listened? Is it just me? Am I the only one on Twitter that's, like, liking every time? Is it okay, just me? And the lieutenant governor has talked a lot about building a pipeline to train today's students for the industries of tomorrow with high paying jobs in cybersecurity. Some of you are like, oh, hey, I get on twitter and follow us right now. According to Lieutenant Governor Jeanette Nunez, she expects Florida to be number one in the country by 2030 with cybersecurity shortages in the workforce north of 20,000 today. And actually, there's a podcast, but we had Rob Maine, who he just retired from the state, and Jim Weaver. They've got north of 28,000 jobs they're trying to fill in, say, North Carolina right now. On the cybersecurity front, Jamie show, are you looking at automation in terms of both supplementing today's workforce and defending the state of Florida as its profile continues to grow?

Jamie Grant, CIO, State of Florida [00:27:13]: You can't scale without it. Right? The other thing I'd say, and we talked earlier today about kind of incentive structures and looking at it, there's no one company that can take on what Florida is turning on from two years ago to today. So there's not a single MSSP in the world. And quite frankly, if one walks in our office and says they can. I'm not giving them any business because I no longer trust anything they're talking about. The reality is, you talk about the number of threats that Florida faces. You can break that down a lot of different ways. The state level, the local level, the private sector level, but it's in the billions, if we're really going to be honest.

Jamie Grant, CIO, State of Florida [00:27:46]: And then when you start looking at OT and understanding what operational technology means, I think the blessing for us in some regards is that the threat is so real and the adversary is so significant that cyber is becoming one of those areas where nobody cares about political parties or genders or any other breakdown. We just kind of holistically. While we can't agree as a society what day of the week it is, we can agree that cyber is important. We can agree that cybercriminals are bad. And so you start to have. We make the analogy, and I'll get to workforce here in a second. I know you asked me workforce, I promise I'll tie the bow. But there's a reason why I start here is if you can cast the vision and the mission for everybody to kind of pick up the pitchforks and muskets, which is where I think we started before we had the capabilities that we had, right? Like, when I was recruiting Jeremy, we didn't have uniforms or weapons and ammo.

Jamie Grant, CIO, State of Florida [00:28:38]: We had, like, pitchforks knocking on doors, going like, hey, the Russians are out there. Let's go.

Morgan Wright, Chief Security Advisor, SentinelOne [00:28:42]: Your offices aren't.

Jamie Grant, CIO, State of Florida [00:28:43]: It actually is confession several ways. We're not a group you want to try and breach physically. We have a heavy population of people that can compete in that space. But if you set that up and then you say, hey, look, I want partnership. I want to consume. I need you to come in and do what you're great at. And I'll go back to an example I used earlier. If the analogy was basketball instead of cybersecurity, and a company comes in, they say, hey, we play basketball, but I really need a point guard, and they offer me Shaq, we have a problem.

Jamie Grant, CIO, State of Florida [00:29:10]: But if I can tell them, hey, I need you to give me a reliable dominant center, and there's a ton of business to be won if you can give me a reliable dominant center and just do that over and over and over again. So we've really stressed the same way I talked about earlier, whether it's the employee and the workforce development of identify what you suck at, get to what you're great at. And so we stress really hard with companies that come in. I don't want to hear the watch salesman in New York City with the trench coat going, I got ties and I got flowers and I got this. I want to hear what you're great at, what you'll bet your last name and your company's name on to solve as a problem for us. And if you do that and you align your greed to exactly what I need, align it to exactly what I need. It'll be a very lucrative thing for you in a 200 plus billion dollar infrastructure enterprise when you get to the local level. So how you start to develop is a to acknowledge that the workforce, it's a flawed premise to say I need 28,000 jobs.

Jamie Grant, CIO, State of Florida [00:30:05]: No offense to our friends in North Carolina. We have a volume of tasks we have to tackle. And I'll take private sector partnership, I'll take FTE. I'll take university students. Jeanette constantly jokes that I'm always recruiting. It's my number one job. We will take tours of service. I never get Jeremy to move out of IBM up from South Florida to take this job or Leo Scoonover to come from Jacksonville area to take this.

Jamie Grant, CIO, State of Florida [00:30:31]: Like if my universe is just Tallahassee and just full time government employees, we are going to lose this geopolitical war full stop. If my addressable market of talent expands out to anybody in the private sector that's willing to buy in and partner with us to take tours of duty that say you don't have to sign up to a career in government to come work for us. You can come do work that you can do nowhere else in the world. My friends ask me all the time, why the hell are you still doing it? And I'll go back to stubborn. That's number one. But two, there's the selfish aspect of it is nowhere else in the world do you get a blank canvas to design something this big and move at this pace to do work this important. So if I was working for Jamie Dimon instead of being Jamie Grant, I'd be bored. In an ecosystem of an infrastructure that's already built out and you just kind of be operating.

Jamie Grant, CIO, State of Florida [00:31:19]: Turns out there's a lot of people who are really talented operators who are interested in the public and private sector to taking on this mission if they can just find a team where the kind of design is there to do it. So I think you have to make the accessible market or the addressable market of talent as broad as you possibly can and maintain the tasks. But quit counting heads and start counting like the scorecard stuff that says this is what I need to accomplish because I have these threats out here. And while there's great differences between the public and private sector, pipelines and scorecards, I have proven, our team has proven do translate, they got to be different. They're not measuring the same thing. But pipelines and scorecards absolutely work in government. We've seen the state agencies are our biggest challenge, right? They like to maintain their own autonomy and do their own thing. We started scorecard and we started funneling, pipelining our team.

Jamie Grant, CIO, State of Florida [00:32:10]: Our team got a lot serious, a lot more serious about how many implementations when they knew those implementations were on the scorecard. And some seats at agencies started getting a little uncomfortable when their executives are going, hey, how come we're in last place? That stuff still works. But Morgan touched on it right at the end of the day, and I told Jeremy this, we had dinner kind of the last meeting, recruiting him, I said, let me just make you a promise. We're going to fly this plane really fast into or over those mountains. The good news about flying the plane over the mountains is you've done something nobody's ever done before, and that's pretty cool. The decent news about flying the plane really fast into the mountains is people will pay you for a long time to write a book and talk about how not to get fired. As a ciso of 100 billion dollar enterprise, don't make the mistakes we made, right, but lean into that culture of that. And I think that's where you start to say, look, I'm not going to have these people forever.

Jamie Grant, CIO, State of Florida [00:33:07]: That creates its own challenges in documentation and succession planning and pod structure and those kind of things. But I think we're really screwing up bigly if we say recruit and retain. If you think recruit and retain in this space, especially in the public sector, is one thing, you have sentenced your organization to tragedy at some point. Recruit and retain are two different things. There's a lot of people I'm not trying to retain, and I don't mean that because they're not good assets to the organization. I mean that because I know I can't. Any number of the companies here can show up and go, hey, I'm going to give you x dollars. Less stress, less pressure, all the different things.

Jamie Grant, CIO, State of Florida [00:33:55]: And at some point they go, I've done the mission, it's time for me to leave. My job is to recruit a team that everybody else wants to sign in free agency. And I think as executives we make that mistake all the time. We think we're supposed to hold on. If people aren't trying to recruit my team, I should be fired. And I think we have to just own that in our space to say, like, look, if people aren't trying to recruit our team, you didn't build a very good team. And if your job is to build the team, you should go find a new job.

Morgan Wright, Chief Security Advisor, SentinelOne [00:34:22]: Let me add one data point to that, too. By 2025, 75% of the workforce is going to be millennial. The number of public sector jobs available is going up. The number of people applying for public sector jobs is going down. So when you guys were talking about how to be unfirable or invaluable people, if they embrace automation and AI, they actually become more valuable to an organization, because you need to have people who understand, how do I scale and get more work done in a day without doing more work? How do I get 16 hours of work done in a day but still work the 8 hours? And that's going to come from the people who understand, and to use a Steve Jobs term, grok. I heard him say grok one time. I had to look it up. What the hell does Grok mean? But basically, if you intuit, if you understand, you become more valuable if you are able to manage bigger things through the use of the deliberate application of technology to achieve the outcomes you want, right.

Morgan Wright, Chief Security Advisor, SentinelOne [00:35:15]: I can tell you right now, you cannot hire your way out of your skills gap. You have. You cannot hire your way out of.

Jamie Grant, CIO, State of Florida [00:35:20]: Your people gap, and you may make your communication problems worse.

Morgan Wright, Chief Security Advisor, SentinelOne [00:35:23]: Yep. So what you got to do is figure out, do I deliberately apply technology? How do we get people in with the right mindset, who want to be hunters, not farmers, and go out and kill something? You eat what you kill. Right? So how do you get that mentality? But it's by giving people the challenge. They want to have ownership of something. Give them the challenge to say, you own this now let's go build this. Right? Bring in the tools that you need, and let's make fire.

Jamie Grant, CIO, State of Florida [00:35:46]: And I think that's where the scorecard matters so much, right? Like, if you put the right things on it, to your point, it's, hey, look, pre AI, we could close x number of cases or solve y number of crimes. Poor choice there. But to make it something quantitative, right? Like, I can close this number of cases in a day, in an eight hour day. Well, if I can now close that by a factor of ten using AI, it's not that my job went away. It's that the constituent finally got the service they deserved for the last 250 years of government. It's that we actually start delivering government services in a way that we consume them in every other space. And the only thing in our way to get there is for folks to understand like, hey, I'm not working my way out of a job by handling more cases more efficiently. And it's an obsession I have right now to try and solve.

Jamie Grant, CIO, State of Florida [00:36:37]: And I don't know that I'm smart enough to do it. But like the government private sector paradigm where the government employee does not have to worry about enough revenue coming in and can't receive a spiff on closure rate or meantime to respond or anything else. So you really have to find people on mission that say, I'm here to keep the state safe, that are really incentivized to go, I'm winning the race of mean time to respond. And it's why we'll eventually, and it's why we've said we're going to scorecard the agencies and start posting a leaderboard. The secretaries deserve to know where their team is on a leaderboard to ask the question and go, hey, you can sit there and say the miter attack framework is good or not good, but why are we in last place? And if you have that, you start to find people are motivated by being in last place, or you start to find it's like maybe time to make a change.

Morgan Wright, Chief Security Advisor, SentinelOne [00:37:27]: Well, if you're comfortable being in last place, I think final point for me here, but it goes into one of those things too, is that there was a huge disconnect too between the way you think about the problem. Because in government, and I can tell you this from the federal side, if you turn back money, that's a no no, your baseline goes down. You don't get that same amount of money next year. I can't tell you how many projects are awarded in the last 30 days of a fiscal year in government. We got 10 million to spend, received a couple of those projects. It's some big ones where on the private sector side, it's how efficient were you with your resources? How much did you save the company? Right? And so that's been one of the big disconnects too. It's just the financial tier point, incentives. The financial incentives are fundamentally different.

Jamie Grant, CIO, State of Florida [00:38:04]: Even if you gave, and I think this is one of the charges I try and give to the CIO community around the country, is like our job, our role was at a fork in the road. It will either figure out how to be part of the business unit because it adds to the P L and it adds to the balance sheet, or it will go away, right? So the ability for people who historically have been a cost suck to the board because they want more whiz bangs, more things to plug in and more things to do if they're not able to articulate it as not just cost avoidance, but like actually modernizing to move. So trying to get folks to understand, like, hey, what's a baseline? Like third grade level of cost of goods sold calculation? If they understood the cost to respond to an incident and you started letting them understand the economics of like a simple third grade multiplication formula, you start to see behavior change as well, right? Because they go, hey, what the organization cares about is like closing a threat investigation. So have we remediated what that threat is? How much does it cost us to remediate a threat? And am I driving that cost down or am I driving that cost up? And then, oh, by the way, when drive that down, I'm doing good work. But I can also talk to you about cost avoidance. We've, I think, historically led with cost avoidance. Like, if you don't do this, bad things are going to happen. And that might be true, but we have to figure out, to your point, Morgan, like, how you start getting people to understand how to add value on the offense side.

Jamie Grant, CIO, State of Florida [00:39:27]: And I think if we succeed, your new coo, your new CEO, had to be capable of being a CTO, a CIO or a CISO in the next decade. I don't believe that folks like corn ferry are looking for chief executive officers or coos that don't have the ability to have been a CTO, a CIO that understands the business and the consumption. Because to your point, the incentive structures, you get that $10 million at the end, you make a big capex thing to a systems integrator that committed you to 300 million in ten years. That project was going to fail the moment the contract was signed. It's just that the death sentence and the execution were ten years apart. But the design of the project doomed it to death. At the beginning, it was just that. If I give the money back and what you've actually done is move us all further backwards because it was foolishly designed, the ITN may as well have been written in italian for an english speaking audience nobody understands.

Jamie Grant, CIO, State of Florida [00:40:28]: The private sector has no idea what government's trying to buy. We get asked to review these RFIs and itNs. We then go back and go, hey, what's the problem you're trying to solve and what is the solution? And if we don't know it, as the leader of the enterprise. I can guarantee you the private sector doesn't know how to design for it, but somehow they can stand up in the legislature and say, for $300 million in ten years, we'll fix it. And nobody's even defined what it is.

Morgan Wright, Chief Security Advisor, SentinelOne [00:40:52]: Well, last thing, in the words of Yogi Bear, when you come to the fork in the road, take it, Joe.

Joe Toste [00:40:58]: Yeah, no, I love everything you said. Tim Romer's been on several times. He's going to come on the podcast and he's going to come to Houston. He's the former state Arizona Ciso, and he's really close to governor, or I guess not the former governor, Doug Ducey. And one of the things that, Tim, that I just really resonate with, too, is just moving at the speed of business. And so, Governor Ducey, for those of you who don't know, ran McConnell's ice cream. We have McConnell's in Santa Barbara. So I do like McConnell's.

Joe Toste [00:41:23]: And this concept of moving at the speed of business, I know it makes folks a little bit uncomfortable, and I think you have to embrace that. I know the entrepreneurialism from Jamie with other CIOs across the country rubs people a little bit the wrong way. And I love it. And I love it because you need to be able to have someone who's going to push you a little bit. You're not disrespectful, and you are pushing with a great heart. And you need someone on your team who's going to push you out of your comfort zone. Right. And we do this with the kids all the time.

Joe Toste [00:41:59]: And it's like, it's hard, but you've got to push. And we push them a know work on communication and you name we. And you spent all season and then stuff like, by the way, these events, you're like, hey, how did these events even happen? Well, I was talking to a CIO in California, Rob Lloyd, who's now the deputy city manager there. And I was, I got these, I do these van rides with these high schoolers. And he's like, you should do a podcast, but just like, not in a van. And I was like, that's a great idea. We should do in a hotel room, not a van. And it was like, right during COVID And he was like, Chandra put up.

Jamie Grant, CIO, State of Florida [00:42:29]: A sign out there. It said free candy.

Joe Toste [00:42:33]: Yeah, free candy. Here's the ice cream truck.

Morgan Wright, Chief Security Advisor, SentinelOne [00:42:36]: Right?

Joe Toste [00:42:36]: Yeah. And so this is the type of stuff that you want to bring. And we would bring people together, and this is how you bring the relationships together. But we love being able to just gently push each other a little bit. And this is kind of what you kind of need in order to get stuff done. And so I love that we're bringing this up, and there are real life implications, right. You talk about driving past the guys on 911, and when it gets personal, you get a little bit more motivated. Right.

Joe Toste [00:43:01]: And we talk about sex offenders, and you can't get a simple API call done. It's real life. Right. And so we need to push the Moat dragons. Did I get that right? The moat dragons.

Morgan Wright, Chief Security Advisor, SentinelOne [00:43:14]: Kick them out.

Jamie Grant, CIO, State of Florida [00:43:15]: Slay them.

Joe Toste [00:43:16]: Yeah, slay them. Slay them all.

Jamie Grant, CIO, State of Florida [00:43:17]: The moat dragons.

Joe Toste [00:43:17]: Yeah, slay them all. Maureen, let's continue with the theme of automation in terms of defending the state of Florida against nation states. I love this language. We previously had either on the podcast or you were just talking to me, but it was, how do you secure and defend today while at the same time planning on how you protect tomorrow? Tell us a little bit more on that.

Morgan Wright, Chief Security Advisor, SentinelOne [00:43:37]: So many people get wrapped up in dealing with the urgent. They forget to work on the important. So it's this report. My TPS report is due. I got to do another TPS. It's due. But we work on the urgent, but forget about the important. And so we cannot lose sight.

Morgan Wright, Chief Security Advisor, SentinelOne [00:43:54]: There's three levels of knowledge. Donald Rumsfeld talked about it. He was kind of excoriated for it, but he was actually right about it. Said there's three types of knowledge. There's known knowns, things we know we know, love this. There are known unknowns, bad things we know there it exists. We just don't know exactly where they're at. And then there's the unknown unknowns, things we're not even know about.

Morgan Wright, Chief Security Advisor, SentinelOne [00:44:15]: Zero day is an example of an unknown unknown. You have no idea it exists. And so the way to solve that problem about securing and defending today, you have to do that, but you have to be able to protect tomorrow. And to use a football analogy, right, it's like, how do I protect my passer at the same time giving him enough opportunity that he sees the play developing down the field and he can put the ball where it needs to be. It's like Wayne Gretzky said, you don't skate to where the puck is. You skate to where it's going to be. Well, how do you change that level of knowledge so that you can do a good job of securing and defending today, but how do you protect tomorrow? And it goes back into the way we think about the problem. So think about this.

Morgan Wright, Chief Security Advisor, SentinelOne [00:44:51]: We're sitting in Florida right now, and my room faced the water, and so I was able to watch the sun go down. Then I was able to see when the sun came up. Right. And if we equate that to thinking about levels of knowledge, I can't see what's on the other side of the globe right now. So I can do one of two things. I can remain static and wait for the world to turn and wait for the light to start illuminating, because then pretty much I can see, oh, there's somebody in the corner. That's Omar. But I can't tell it's Omar yet until, oh, wait.

Morgan Wright, Chief Security Advisor, SentinelOne [00:45:16]: Now there's enough light. Now I know what I know. There's a known unknown. There's somebody in the corner. I just don't know who it is. And when it's dark, I don't even know anybody's in the corner. So you can wait for the earth to revolve and get that level of knowledge or what? I said give you an example. Anybody here ever play checkers? We all play checkers, right? How do you play checkers? This is going to sound weird, but do you play it with the board where you're looking at the board at eye level, and all you can see is a red and a black checker? Here, you can see the pieces on there, right? But you don't know where the other pieces are, and so you can't formulate a strategy.

Morgan Wright, Chief Security Advisor, SentinelOne [00:45:49]: So you can either wait for moves to happen, or what you can do is change the way you view the problem. So that's why I'm a big fan of think outside the box. So what happens if you're playing checkers like this, but then you turn the board, and you looked at the problem now from top down, what's coming next? What's coming next? Now, I have a strategy that says, I see where the pieces are. I now know what my next two moves would be. I know where my adversary is. I can now see the problem differently. But when it's viewed in two Dimension, you get a two dimensional response. So how do you change that? The way you change that is the type of information you pull into your environment to think about.

Morgan Wright, Chief Security Advisor, SentinelOne [00:46:22]: How do we think about this differently? I like what you guys were talking about. The indicators of compromise. Actually getting them and not waiting for the government to deliver them to you is standing static and waiting for the earth to revolve and for having somebody come in and say, you get the holy music. We now have an ioc for you. And you go, oh, thank you. It's Monty Python all over again. Break out the holy hand grenade. We want to do something right.

Morgan Wright, Chief Security Advisor, SentinelOne [00:46:47]: I'm sorry, no Monty Python fans.

Jamie Grant, CIO, State of Florida [00:46:49]: I was going to cling the coconuts.

Morgan Wright, Chief Security Advisor, SentinelOne [00:46:51]: While you rode the horse, but coconuts. What's your shrubber? I need a shrubber. Just merely a flesh floor. What's your favorite color? We can do this all day long.

Jamie Grant, CIO, State of Florida [00:47:00]: But I mean, there's a lot of an african swallow.

Morgan Wright, Chief Security Advisor, SentinelOne [00:47:02]: African or european?

Jamie Grant, CIO, State of Florida [00:47:03]: I don't know.

Morgan Wright, Chief Security Advisor, SentinelOne [00:47:04]: Okay, but when we go back to defending. But, so that's the thing is you can remain stunned how fast we digress. Not coconuts, but we can think about. By the way, Monty Python was outside the box humor, right?

Jamie Grant, CIO, State of Florida [00:47:16]: Yeah.

Morgan Wright, Chief Security Advisor, SentinelOne [00:47:16]: They thought about things differently. Right. They weren't traditional Lenny Bruce tell a joke, so. But there's a lot to be learned about them. But when you think about tomorrow, so it's either remain static and wait for the world to come to you or what you're doing. I mean, you change the envelope, you change things. The way to protect tomorrow now is to meet the adversary on their terms. There's another thing, too, when you look.

Jamie Grant, CIO, State of Florida [00:47:34]: At counter, because I think you misstated that. I don't think you meant what you just said. At the risk of sound, the way to beat the adversary is beat the adversary on my terms.

Morgan Wright, Chief Security Advisor, SentinelOne [00:47:42]: No, follow me. Follow me. You beat the adversary on your terms, you've lost. You have to meet the adversary where they are. You have to think about the way the adversary thinks about the problem, but then you have to beat them at the way they think about the problem.

Jamie Grant, CIO, State of Florida [00:47:54]: Agreed? Okay.

Morgan Wright, Chief Security Advisor, SentinelOne [00:47:55]: See, that's, if you just roll with me here, I'm going to get to the point. I'm tying it together like you do, man. You go around, but then you bring it together. So I'm bringing it together now. But see, the thing is, so one of the lessons we learned about al Qaeda and Osama bin Laden, and I actually have a story for this. He came out with this fatwa, and people said, oh, that's, you know, that's this, that's that. They didn't understand the Quran. They didn't understand the structure of the Quran.

Morgan Wright, Chief Security Advisor, SentinelOne [00:48:17]: They didn't understand what is considered to be abrogated and what is considered to be current islamic law. But what Osama bin Laden said was actually factually correct. And we did not take him at his word that that's what he was going to do. And then what happened? We had 911. We had the plan. You had Cleikh Mohammed. You had all of these things. Happening.

Morgan Wright, Chief Security Advisor, SentinelOne [00:48:36]: So when the weight to defeat your adversary is to meet the adversary where they are, believe that your adversary is going to do what they say they're going to do, but then your job is to how do we think differently about, how do we pre amp them now? How do I get to left a boom and actually outthink the way the adversary is thinking about out thinking me? A lot of that's very strategic. It takes years to come about. Some of it's very tactical. We're seeing a lot of that play out in the Ukraine war. So what I was going to tell you about Osama bin Laden, one of the things, when I was the senior law enforcement advisor for the 2012 Republican National Convention down here in Tampa, actually, we came out, and part of the work we had to do was classified briefings, and we went out to St, got to meet the guys. The major general there, Carl Horse, got the challenge coin, which is all fun stuff, but the funnest stuff was going into the room and looking at about even the military, how they think differently about the problem. But we walked into what's called the CPOC, the central point of command, and you walk into what's called the FPOC, the forward point of command, and there's a table there, and you press a button, and out of that table come phones. And I was working for Cisco at the time, which is really cool because it's all Cisco equipment at that point, but hear phones.

Morgan Wright, Chief Security Advisor, SentinelOne [00:49:35]: And he says, this was the room where they launched Operation Neptune Spear from the operation to get in bin Laden. And I said, which phone? He goes, that one. So I touched that phone. I didn't wash my finger for like six months. I'm going, hey, smell that? Smell of freedom, right? We're very good about getting to left to boom, because when you looked at what CIA did, you looked at what our devgroup did, SEAL team six, folks like that. We actually had one of those rare opportunities to protect tomorrow by getting to left a boom before he could get to left a boom. And even though he was living in fear, he did not expect SEAL team six to show up at 03:00 in the morning. But, you know, the first report of that attack, you know what it came in over was a guy standing out there tweeting from Pakistan going, oh, I see some helicopters.

Morgan Wright, Chief Security Advisor, SentinelOne [00:50:24]: Something bad's about to happen.

Jamie Grant, CIO, State of Florida [00:50:26]: It was live tweeted on seeing, but.

Morgan Wright, Chief Security Advisor, SentinelOne [00:50:30]: How do you protect tomorrow? So part of that way gets back into is that you still got to do what you have to do today. But if all your thinking is consumed. I'll give you an example. As a state trooper, I used to work lots of accidents. This will make sense in a second. And you folks in Florida don't really know what ice is, right? Driving on ice.

Jamie Grant, CIO, State of Florida [00:50:47]: Yeah. Red clay. It's the same red clay.

Morgan Wright, Chief Security Advisor, SentinelOne [00:50:49]: Right. But if you're going down the road, one of the worst things you can do when you start to lose control is to hit your brakes because you lose all braking and actually, you lose all steering capability. A lot of times they have to do is steer into the slide. If you're consuming all your energy into braking and defending today, you've got no ability to steer and protect yourself from what's coming next from tomorrow. Right. And this is your job, too. You guys have to make that balance between what do we protect and defend today, but what resources do we look at so that we don't have to fight them tomorrow? We don't have to fight that adversary tomorrow.

Jamie Grant, CIO, State of Florida [00:51:27]: I think we actually agree on this. My point of wanting to play the adversary on my field is I can't get them on my field.

Morgan Wright, Chief Security Advisor, SentinelOne [00:51:33]: No, that's different. Playing them on your field. You want them on your field where you have the advantage. I agree with that. What I'm saying is that you got.

Jamie Grant, CIO, State of Florida [00:51:38]: To think like them to get them there.

Morgan Wright, Chief Security Advisor, SentinelOne [00:51:39]: You got to think, like, into the deception technology. How can I lure them into believing, oh, it's Windows XP or Windows. Windows.

Jamie Grant, CIO, State of Florida [00:51:47]: I want you to call this play, because I've got this play. And how do I get you to call this play?

Morgan Wright, Chief Security Advisor, SentinelOne [00:51:51]: Right to your point, how do I lure you in so that I can learn about your techniques, so that I can understand and do a better job about preventing? Because one thing cyber actors will do, and this is how you were able to fingerprint cyber actors, is they tend to use the same trade craft and tools and technology. If it's successful, like, you have a lot of plays that you run, whether it's basketball, football, baseball. You don't reinvent your playbook every week and say, well, we're pairing up the playbook. We're going to something new. What you do is you get really good at running the plays. You're really good at running. Right. But what we get really good at finding out now is we're starting to look at behavior because there's people behind the keyboard job, because our whole goal was to get to left a boom.

Morgan Wright, Chief Security Advisor, SentinelOne [00:52:27]: And the way to do that is to think differently about the problem, bring it all together. So.

Jamie Grant, CIO, State of Florida [00:52:30]: So two really quick things. I know you have some other questions you want to get to Joe, but.

Morgan Wright, Chief Security Advisor, SentinelOne [00:52:32]: It doesn't matter because we're running the show, right?

Jamie Grant, CIO, State of Florida [00:52:36]: Two things that I think are really important. Number one, you can't set your team up for failure, right? So one of the things when I looked at, and one of the reasons I believe in charts is not for hierarchy, I actually think they're a disaster that way. But it should give you an indication of what the business does and what the different people do, right? So if you need something, where do you go to get that something? And one of the things, when I got appointed, I looked at a sheet of paper, and there was a bureau of strategic planning and project management. And I thought, well, that's one of the dumbest things I've ever seen. Because if you're in the business of looking out at the horizon, you're probably not in the business of looking at where every single step goes, right? So it was an entire division that had this bipolar.org chart of, you care about strategy, but you also care about execution today. So when Jeremy and I were designing what cyber looked like, there's a reason we have a deputy for tomorrow and a deputy for today. Technically, it's ops and incident response, and then strategy and planning and governance and risk and compliance. But what we're really saying is you're empowered, Warren, to go look at the horizon.

Jamie Grant, CIO, State of Florida [00:53:36]: I don't want you looking at every blade of grass along this journey. I want you telling us what's coming in the next three. 6912. Leo, you run ops, you run incident response. Your job is to make sure that today goes okay and that we get to tomorrow. Right. So I think a lot of times it's actually empowering your team to understand. Here's your function, here's your definition of success.

Jamie Grant, CIO, State of Florida [00:53:57]: And you are either strategic or you are operational. And anybody that tells you they're great at both is a liar or just lacking tremendous amounts of self awareness. You might be medium at both and great at neither. But I have never met somebody that is a fantastic strategic thinker and also an operator. I'm not going to call myself a fantastic strategic thinker, but if I am ever the PMO, we have a problem in the organization because projects are going to start to struggle. So I think that's one. And then I think two is when you talk about how that looks in the real world. One of my favorite little anecdotes, because we're just not going to get away in the middle of game day from sports stories like Florida State fans were whining over and over and over in 2013, after a game they won about Damien Craig stealing signs.

Jamie Grant, CIO, State of Florida [00:54:43]: Damien Craig had been a quarterback at Auburn, had been an elite quarterback at Auburn, had been on the Auburn staff, had then gone and been on the Florida state staff, and comes to Auburn now. We would change our signals regularly if somebody on the opposing sideline had, a year ago been on our team, because they kind of knew the language. And it was fascinating how you'd watch these people just in the most rudimentary world, go, that guy knows what that sign means, and you didn't change it. And somehow that's our fault. And cyber is no different, right? The things get rid of.

Morgan Wright, Chief Security Advisor, SentinelOne [00:55:16]: They're holding up the signs for everybody to see. They're broadcasting it. Hey, here's money. Python and a frog and a four leaf clover. What does it mean?

Jamie Grant, CIO, State of Florida [00:55:24]: But if you have the code for it, shame on you for not changing the code. And it's no different, right? Like, people are lazy. We will always take the shortest path to success. So whether you're a cyber actor or somebody else, if you can get to yes fast, turns out you do it. And if you do it over and over and over, the same way, you start to develop the tendencies you're describing. And now we can start profiling and going, hey, look, when I see this, look, this is what the defense is going to do, or this is what the offense is going to do, and I know how to solve that. I won because I knew what was coming, not because I could react in real time. Very few games are won with on the fly reaction.

Jamie Grant, CIO, State of Florida [00:55:59]: Like, there's moments, right, that we look at. If you go watch game tape and you go, hey, man, that was a moment where somebody just did something exceptional, and there's athletes we could rattle off or intel community that are just exceptional, that did something where something was at the tipping point of going one way or the other. But statistically speaking, the best plan is a plan. Now, the best teams have an ability to react when they get punched in the throat and go, okay, the plan's out the window, and what do we do? But we at least came into it, looking at it to Morgan's point, going, what is the adversary going to do? What is the adversary trying to do? And what intel can we gather to.

Morgan Wright, Chief Security Advisor, SentinelOne [00:56:37]: Predict what they're going to do?

Jamie Grant, CIO, State of Florida [00:56:37]: Because it turns out it's a lot easier to do our jobs if we know what the bad guy's trying to do.

Joe Toste [00:56:41]: Yeah, I'm going to put a bow in this so we can get to the audience. Q and A, pick up the pace a little bit on the podcast on behalf of Morgan. Yeah, no, and I think what you said, this is great because especially with cybersecurity, a big part is we as humans are the weakest link. Right. And so understanding that, that's why there's such an emphasis on cybersecurity training and awareness. And you only rise to the level.

Jamie Grant, CIO, State of Florida [00:57:06]: Of your training, of your preparation. I love. Preach it. We talk about it all the time. The notion that you rise to the level of the situation is a bunch of bull. We tell ourselves that to feel good. You arrive at the level of training and preparation you have. And you better hope you have enough of it.

Joe Toste [00:57:22]: Yeah. And the last thing I'll say is, there's nothing more that happens in kind of in real time on a high school basketball court, is when you take kids in practice and you go to game time, and it's radically different because you start to figure out they might know this in practice and during the game, and it's a training exercise of, like, they need more reps in game time. And when the pressure is on and you're not going to rise, you've got to be prepared. So I know we could do a three hour podcast with these two right here, but we're going to pick it. We'll take one audience question from someone who hasn't asked a question already.

Morgan Wright, Chief Security Advisor, SentinelOne [00:57:58]: Hey, well, if you're not going to. Let me just. 30 seconds, just to tie in one big thing that we need to think about. And even though it was a question, it was identity.

Jamie Grant, CIO, State of Florida [00:58:05]: Okay.

Morgan Wright, Chief Security Advisor, SentinelOne [00:58:05]: Right. I mean, one of the biggest attacks now, again, it happens to, how do they think it outside the box? Lapsis, the hacking group from last year, one of the big ones, went after Nvidia and Samsung. How did they get into it? They advertised on Telegram and signal, we want to buy your credentials. And then what? They would get credentials from other people. Then I get Jamie's credentials. Jamie would be getting these two factor authentication requests. I'd pretty soon wear them into submission if I go, whatever. I just want this thing to go away.

Morgan Wright, Chief Security Advisor, SentinelOne [00:58:30]: And that's how they got into these business. So your big threats are not just system based and actor based, your people. The identity is about 80% of the attacks we're seeing right now.

Joe Toste [00:58:42]: Thank you. I know intentionally or I cut that out, but only because we run out of time. But thank you for bringing up the idea.

Morgan Wright, Chief Security Advisor, SentinelOne [00:58:47]: Well, it's in my contract. I had to put it in there.

Joe Toste [00:58:50]: Debbie Montgomery. So I'm with Verizon.

Jamie Grant, CIO, State of Florida [00:58:54]: This question is for you, Jamie.

Joe Toste [00:58:55]: So can you kind of talk a little bit about how the state plans to rely more heavily on automation, AI and machine learning as it relates to the network?

Jamie Grant, CIO, State of Florida [00:59:07]: The state's network man. So, yes, thank have. One of the ways that I have one of the most unique jobs in America is I think I'm the only CIO in America that doesn't operationally control the network or the infrastructure, and yet is responsible for securing both. So for those of you not aware, and I know you are from your experience with the state, but the division of telecommunications is separate from the digital service. It has a contract with a private sector company to have what is essentially like one big fiber ring around the state, which can get really interesting because we've had a couple of situations where we're not sure if we've had the largest ransom attack in state history or a squirrel got hungry or a backhoe was aggressive. Right. But we know all these ips are down, so it's a problem. The network is something that I know Secretary Linde, as the head of DMS, is super focused on.

Jamie Grant, CIO, State of Florida [00:59:56]: It's something that both of us, along with our teams, have identified as wanting to kind of design the future of. I think it's years after I'm gone before that goes live. By the time you get through the procurements and all those things, we want to set in stage the motion of what micro networks look like and being able to limit the blast radius at a network level the same way we can at an infrastructure level. And the reality, one big network is horrifying for a lot of reasons, because the stuff we find on a daily basis that we can't talk about if in that network and if domain trust or if another way of lateral spread occurring gets really scary. And so we look forward to engaging every capability we can. And Hypergator is something I'm really looking forward to getting now to a place where we can dive in a little bit with their capabilities. You know, I think the world's fastest supercomputer in higher education sitting in Gainesville a couple hours away with some real people that want to play. And so I do know we're not going to build or deploy AI and ML from inside government in a cap x model.

Jamie Grant, CIO, State of Florida [01:01:03]: It's impossible. And I'll close by going back to something you said here, because I think this touches whether it's network or anything else. Talk about playing with tempo. We like to think Nolan Richardson was slow. When you look at the way we move at the digital service. But one of the things that has been a real fight in that friction that you talk about when we tried to figure out how to go faster, how to do so, the network is obviously a much bigger purchase, but through running into all the moat dragons and just saying how come? Why not? What next? What if? What does it take to get to yes, we discovered something that I didn't know as a legislator, and shame on me, called alternate contract sources. And this is a vehicle where the government has explicitly authorized the ability to purchase something because it has already been competitively procured, whatever that thing is. So there's now a ceiling on what that SKU is.

Jamie Grant, CIO, State of Florida [01:01:51]: And that SKU is maybe network services. It's an endpoint detection, whatever it is. I'll say a few things. One, I have yet to find a single thing we need at the digital service or have wanted that is not on an alternate contract. Source NaSpo GSA, Texas, where we've historically had some relationships and our teams are working together on dir right now. So all the different alternate contract sources teams have the ability to go run a proof of concept, prove it works, and buy. So then I started asking myself like, why would you torture yourself with lawyers and auditors and grant managers and purchasers to go put out Alphabet soup of an RFI or an ITN or an RFP that's going to take 6912 months to come back in and allow for protests and all the things that people are trying to do to thwart progress because it's in their best interest to thwart the progress. The only thing you really need to move forward in the space, at least at the state level, is an understanding of what problem you're trying to solve, identifying the people who can do it, running the budget exercises or proof of concepts, and if it works, buy it.

Jamie Grant, CIO, State of Florida [01:03:02]: You really just have to know what you're trying to do and have the courage to take the risk to say, I'll buy that. And I'll close here by saying the moat dragons. Sometimes they're different than the moat dragons. We got to come up with a name for them. And like every population, there's very helpful ones and very unproductive ones. So I don't care whether it's lawyers or doctors, but in this case, we're going to talk about lobbyists. My favorite story of my tenure is a lobbyist who dropped a manila envelope off at the governor's office trying to get me fired for using alternate contract sources, saying that it was a violation of law and all sorts of shady things. Anybody want to guess how many alternate contract sources that lobbyist clients, just the lobbyist, not the firm, had in that same calendar year, throw it out.

Jamie Grant, CIO, State of Florida [01:03:43]: Like how many alternate contract source transactions do you think this lobbyist had? 1434. So if anything, I'll tell this story. I'm not fired yet. Might happen. But that was months ago. When people try and slow down the speed, they're hoping that the lobbyist who has the connections and can scare the CIO into if you do this. So when we ask the question, why are the agencies not going faster? Some of them just need encouragement. Some of them need to have the shield behind them and say, look, if it fails, we'll be there.

Jamie Grant, CIO, State of Florida [01:04:16]: Some of them just need a better team, and we need to help build that team as folks retire out and move on and what that looks like. But at the end of the day, the ability to go fast in government at the state level is already there in this space. We just need more people that are willing to kind of look at some of the moat dragons and adversaries and go, we're comfortable saying this is the solution we need. Judge us by the outcomes. Now I'll tease your next podcast, because one of the things I didn't know until recently was the local governments aren't allowed to do this in a lot of jurisdictions. So I have cios at the local level going, hey, I'm not allowed to use NASPO or GSA. And so we're building agency term contracts with cooperative purchasing powers so that any jurisdiction in Florida, state or local, can buy off of the same contract that we buy off of. Because as one gentleman put it, he's a CIO of a county, I think it was, or a large city.

Jamie Grant, CIO, State of Florida [01:05:09]: He has to rfp out for an office 365 license while he's already an office customer. So whether you're a workspace or office, nobody can convince me that it's an efficient use of the tax dollar you earned for us to run a procurement process, to get ten new licenses when you know what you need. And if it's true of the productivity environment, it ought to be true of the data environment, it ought to be true of the network environment, and we should collectively be going to war against procurements and for proof of concepts, and we should be rewarding and empowering people that are willing to have a laboratory approach to prove it works and to go fast. And if I get fired, then, well, good luck to the next one. But we've demonstrated what has been done at the digital service every single thing we have bought at the digital service has been off of an alternate contract source. We have not run an RFI, an RFP or an ITN in our tenure. And I couldn't be more proud of our team for doing it because they say, this is what I need. Find out who does the best, and if they do the best, we'll buy.

Jamie Grant, CIO, State of Florida [01:06:10]: And I know that's a soapbox, Joe, but, man, when you talk about the pace of government, sometimes the tools are there for us, and it's easy for us to blame like some other boogeyman, when really we just have to have the courage as leaders to compel our teams to move forward.

Joe Toste [01:06:26]: I love that. With that, the moat dragons. And then, if anyone is a stranger things fan, the mouth breathers. Thank you, Jamie. Thank you, Morgan, for coming on the public sector show by tech tables and.