ABOUT THIS EPISODE

In a federal setting, the cybersecurity stakes couldn't be higher. A wide array of regulations and procedures governs federal IT practices, making modernisation difficult. So how do federal agencies adopt the latest digital technologies and stay protected against cyber risk?
We spoke to Jeff Eagle, Vice President & General Manager for Federal at United Data Technologies, to discuss security-focused best practices for protecting federal IT.

TRANSCRIPT

00:00:17 I like thank you very much today to be drunk by Jeffrey Engel Navy Federal at night so what are you going to head in and introduce yourself last time the vice president and general manager for federal United Data Technologies store at technology provider that died within the federal arena is primarily focused on supporting The Regulators for highly regulated Industries specifically around cyber risk management and then the clouds modernization of the the overall pie for your organization we really cover all technology domain for highly regulated Industries within the commercial sector and support quite a bit of the municipalities and other public sector indices with the heavy emphasis on
00:01:14 technology modernization within the near the education arena ticket of course you know I feel federal employees that couldn't be quiet steak's ready for cybersecurity so companies looking too much noise and make changes to that sort of security service is what do employees in in the federal space need to keep in mind for employees have been particularly challenging of issues to deal with the others not the traditional Focus On Healing business outcomes within federal employee base in the same way that they're there is a measurable outcome within the commercial sector so the other there are Myriad existing policies and regulations and procedures that they govern really every activity that little federal employee does which
00:02:14 modernization in and of itself as a challenge there's literally thousands of different agencies in an overlapping areas of responsibility so the employees themselves really am
00:02:30 are changing the way that they're working and don't have really a deepness understanding of cyber risk a lot of the organization's themselves have cyber security capabilities and outside support but those are long-term in really focused on that specific agency and making it to wear a real bra understanding and emerging technology and the types of threats that may be interested in entering their environment isn't is on Pace as it is with the in the commercial sector where they're there is a little bit better information sharing there's a Workforce that's the Ty Lee mobile where they have brought areas of experience in different companies in different organizations that Fosters going to discuss this mindset of staying abreast of the emerging Trends in both technology modernization and emerging Trends within the ground cyber after she may be in
00:03:30 incoming after the and the crown jewels in organization look like for a federal employee number of laws in the US and regulations that really require a baseline understanding 4 for cyber risk and information Insurance varies depending on what the agency's mission is in what does the type of data those employees are exposed to but above the individual employee level we have a challenge confronting but a fundamental understanding of where cyber-risk within the organization of contract
00:04:16 the the need to really understand the way those employees work as your building thus the organization or agency wide cyber strategy and then based on how those employees work does in user profiles what they need in order to be successful in accomplishing their mission isn't really something that well-known and all of that contributes to this incredibly complex in broad attack surface that is getting Yelp higher risk as there's more mobility within the federal Workforce and wouldn't in the days of me I'm sitting at a computer from 9 to 5 going home and then not having a connection to the organization since they've left
00:05:03 yeah we're now at a point where employees are working from home on multiple days a week they typically the work from home environment means work from a Starbucks or their local coffee shop and that increases the attack surface or the ways that the potential adversary could gain access to critical data or system but it's not really understood that's early by that individual employee what type of data they have what the potential risks associated with that or what practices they need their insurance they put in place in order to protect the critical systems in that works and data in an adversary May exploit through their endpoint so it's the same time we were pushing to modernize and give more flexibility to our our federal Workforce I think it's imperative that edit agency or organizational
00:06:03 but there is Clarity on that attack surface and the potential routes that an adversary to take to get access to those those critical system ization if IoT products entering the web place from Fitbit to Apple watches in a cell phone so how would you recommend federal agencies protects the threat landscaped windshield these devices do I become entry points for a malicious attack and many others have as well even within the Department of Defense and some of the more security Focus parts of the federal government IoT is the challenge where they they have to fall on their face a little bit before they start making the the right changes near with the mapping based off and some of the the fitness software
00:07:03 we recently saw that's a trend that I think will continue to see because that the understanding of building insecurities to the individual profile versus building in Security based off of the broad the regulatory requirements isn't something that's fully embraced by all facets of an organization it's like the analogy that I typically uses there so there's typically a disagreement between the people are responsible for sales in the the ones that are responsible for delivery and both of them look at the people responsible for compliance is that as an impediment to getting their jobs done that same Dynamic exists within the federal government says the increasing the the throughput with their their customers which are ultimately the taxpayers improving their customer experience which is
00:08:03 focal point now within the federal government those things yella a CIO or an IT organization may look at and say with all these emerging Technologies we can make these things a lot more efficient and make them all connected meanwhile the Cyber risk personality information security Personnel are coming in on the back end of those initiatives and they're typically firewall so they may not even recognized that initiative is already and you know two or three years down the road before they start to actually do the vulnerability assessment exposed ultimately needs to happen is we continue to move to this this highly connected IP ecosystem is first look at the profiles and understand what's critical what's rescue potentially impact those critical systems and then what vulnerabilities would they exploit
00:09:03 bus from the internal and external attack surface is we all remember the the Bradley Manning's the Chelsea Manning the Edward Snowden type of event and that internal attack surface is a big challenge for for federal employees especially as we increase the number of devices that that make up that attack surface first and foremost it's having a good understanding of the the risk profiles during the acquisition process for adding these systems into the network or just a pulse on the you have the technology advancements happening that when you have those connected devices from being a personal use device like an Apple Watch to a dual use device that maybe the the phones they use during your work
00:09:56 and then we need to really stay on top of some of the emerging technologies that are out there for machine learning that allow or redaction of sensitive data or geofencing which prevent someone from opening at Seattle file with sensitive data at Starbucks but they would allow Geo locate where it should be on the network access things considered data so there are the combination of really understanding the risk how people work was important and then they are leveraging some of these really high-end emerging technologies that are focused around trying to facilitate this continued advancements in the workforce dynamics that we're seeing while not in essentially sacrificing security while they do that I'm considering staying with zero clients for that desktop environment in conjunction with that cloud migration so recommendations would you
00:10:56 facial that their clients are properly secured yet still allow for existing government telework policies in the consolidation of building space housing US government agencies yet no reduction in the agency wax. That's a really good question we operated that Nexus cyber risk management and Technology modernization within our organization and really what we see is this move towards strategic sourcing and consolidation the acquisition process and yeah you may Wonder well what is that technology can do that position the acquisition process is a is a key element that has to be changed in order for there to be effective security built-in to technology modernization that the still at 8 that both detecting the data secure transformation and the
00:11:56 Workforce Dynamics within the federal government if you were if they were able to acquire in one shot a secure system that it builds in security with the right types of applications for their specific work profiles into that secure digital transformation then the end product will be in a much lower resource implementation from a contract in perspective and a much more secure product and what I mean by that is there within 8 then add your everything Google Cloud been all these public cloud provider is there are what your ISVs are independent software vendors it created some really amazing technology to be able to securely move data into the into the cloud and still at 8 that computer networker storage
00:12:55 wow machine using machine learning to redact sensitive data points to geofence where they open those devices any of those sensitive documents or to track privileged users field say you know if you have Godlike administrator administrator access or this system then everything that you do and where you do it is going to be monitored to be able to identify if there's any be any behaviors that indicate so rather than looking at it as you know we're just going to move this to the cloud and they're going to have someone else come do the security and rent have a different contractor come in and actually facilitate the required to make it functional within the cloud if they look at it from that end user profile and how they work and then build the security around
00:13:55 the individuals then we'll be able to have a much lower cost in product it's a significantly more secure than the way that they acquire Technologies this point in situations that businesses in the highly regulated Industries like the federal space need to keep in mind when using that technology the other governments that regulates and the organizations that are regulated by the government and what I see is a it was a critical need is for the development of a symbiotic relationship between between industry and government when it comes to the establishment of cyber risk as a baseliners table Stakes for them operating at any high level
00:14:50 what I did what I see typically is you have to build it you have to make a successful organization makes a successful business and so you can get to the point where you going to forward to building security and ultimately that is that's backwards thinking it's the financial imperative But ultimately that backwards thinking is going to just continue to create an evolved risk profiles for the industries and sells I think looking at what the government has done some of the things that have been developed and then having conversations open conversations about the types of a cyber events that they've been exposed to is something that's both a challenge for a lot of business because they don't want to expose the on the fact that they were breached or attracted to somebody happen to be on their Network for a year without them knowing it but it's
00:15:50 Terry so we can start seeing those those consistent threat profiles and start putting people to work to come back in early there are now I'm not a big the biggest Advocate just put it pushing a technology solution if I think many things can be manipulated by an individual or through malicious intent or through ignorance of how things work but there is some some really amazing technologies that have been developed because they're the right person was was provided information about a zero days or hold their resources through some of these industries security council's that are notifying even if not identify who specifically the organization is that that may have been attacked but identify the tactics that were used allows you that the implementation some of those controls
00:16:50 or other entities so I think that's important predictably within the highly targeted and highly regulated Industries like Financial Services health care and education R Us to have more of an open dialogue about the types of security events that are happening is the hackers are sharing all this information so we're going to be continuing to the lose this battle different tactics would have been employed but I mean it's it's fairly common to see you know
00:17:33 people exploiting a physical infrastructure by putting devices and they remove the malicious software yeah give me see it and I'll check in phishing and spear phishing attacks are just continuing to get more and more sophisticated there are a great great deal and very frequent attacks that you are the kind of the CFO to CEO conversation about wiring money in specific areas but ultimately what concerns me the most when it comes to the threat profiles is
00:18:15 expanding IT ecosystem and the belief that if everyone all these third parties that happened to have access into your system that have they have similar levels of security or control just because they have you know a recognizable name so I didn't third parties provide services to you can result in the back door again to your network and then Leah migrating around collecting data and this is happening Yelp constantly where we trusted brand you know is a third party vendor and then they become the conduit for an adversary to get into our Network and exploited so that a piece of of understanding you you're allowing to access what within your network is something that I think needs additional emphasis kind of across the governor
00:19:15 industry even personal cyber-security is yeah that's got it it's got to be a critical fundamental elements of our culture that you don't let people into your network without having clarity about what protections they have because you're taking on whatever risk they've accepted Fantastics tell us how companies can get in touch with you. See you know the way with the way we like to approach a cybersecurity and even Cloud technology modernization is the do the assessment first we we like to go in a sass determine whether our customers have really characterize what's critical them and were thoughtful about it and if they haven't been we can facilitate doing things like Monte Carlo modeling to quantify the level of criticality there different systems and then kind of rack and stack them
00:20:15 and then understand the threat obviously that the vulnerabilities that we could potentially exploit. We take a hard look at and then
00:20:25 a lot of our customers after the assessment and the remediation activities to do to improve their risk profile like you need you to come in and just manage the security for that obviously is a much lower cost option for foremost organization it also means that you have the benefits of an organization with over 2,000 customers and visibility into the types of threats that are coming out to them on the weekend when we look at the apps that are the apps and data and business systems that are required and move what we can to the cloud that makes sense for the customer because that actually increases the level of security associated with their system Almost 100% of the time so
00:21:21 yeah you getting in touch with you TT it is pretty simple it's www.etonline.com and
00:21:31 the other side based on your specific industry and your specific need yeah we have a great team here within our lives of businesses and then our territories Emmanuel we can start from scratch or or provide a specific service but yeah we pride ourselves on keeping our customers long-term and that means we yeah we have to do we can to detect the juror and real respond to the name the types of events that are happening everyday wonderful thank you very much

Transcribed by algorithms.
Disclaimer: The podcast and artwork embedded on this page are from TechNative, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.