As technology advances, so does the threat posed in cyberspace. In this episode, Mark Weatherford, the SVP and Chief Security Officer at AlertEnterprise, navigates us through cyberspace and how AI and Government Policy impact change in cybersecurity threats. There is a monumental shift in positioning, treating, and regulating CISOs within the company, and generative AI has contributed much to the continuous change in the security environment. Mark shares his insights on how we can surf through this change. Learn more from Mark as you tune in to this conversation.
Navigating The Intersecting Worlds Of Cybersecurity Threats, AI, And Government Policy With Mark Weatherford
Welcome to Friendly Fire, the cybersecurity show dedicated to mitigating unintentional human risk. We equip you with the tools and insights to safeguard against digital threats arising from unintended human error. Join us as we delve into cybersecurity threats and government policy with Mark Weatherford. Mark is the Chief Strategy Officer at the National Cybersecurity Center. Friendly Fire gives you the knowledge to defend your digital realm. Welcome to the show, Mark. How are you?
I’m doing well. Thanks for having me on.
This is one of the conversations I was excited about and looking forward to. In our pre-interview, we talked a little bit about our histories overlapped. We come from similar backgrounds. I can’t wait to hear more about yours. Why don’t we open right up with a little bit of background? Help me understand where you come from, a little bit of your history, and how you got to where you are today.
If you start way back at the beginning, I joined the Navy. The Navy decided that I would be a candidate in the intelligence community. That’s where I began my career. I was always on the technology side of things. In the early days, I was a maintenance guy working on cryptographic equipment. I took a different route and ended up going to grad school in the early ‘90s. I wrote my grad thesis on information assurance in the early ‘90s. As you can imagine, there weren’t a lot of people talking about or doing anything about information security back then, so it was a novel idea in the Navy.
My last couple of jobs in the Navy were running fairly large cybersecurity programs and standing up cybersecurity programs. Back in the early days, we were making stuff up as we were going. There were no guardrails or guidelines around what we were doing. That’s where I started. I got out of the Navy. I’ve had a few CISO jobs in the public sector and the private sector.
I’ve been kicking around this arena for a long time. Like you, I’ve seen a lot of things change. I’ve seen a lot of things go out of fashion, come back in fashion, and go out of fashion again. I primarily spend my time working with some startups, advising them, and helping them get through the hurdles of becoming a real company, which is fun. You see the same things over and over again with young entrepreneurs as they try to figure out how to start a business while developing their technology. Having seen it and done it a few times, they get a little bit of value out of me hanging around with them.
That’s amazing. During our prep call, we talked about how we go back to similar times. The mid to late ‘90s for me, even mid to early ‘90s for you in some ways, and coming up through the Navy postgraduate school. I distinctly remember when I went to my first DEFCON in 1997. One of your folks was speaking at DEFCON. I can’t remember. Stephen Northcott maybe was the guy I’m thinking of. It might be him. He was presenting at DEFCON and you guys had such an amazing reputation back then.
What did you learn? What were the key things that you think you took away from Navy postgraduate school and the work you did in cybersecurity in that era? Compare and contrast what it was like to learn then versus what it might be like for someone in that same age bracket as you were at that time going through something today. How drastically different were those from ‘93 until now?
Things have changed so much. I was in the middle of grad school when Netscape and Mosaic came out. I was thinking at the time, “This is so life-changing. It’s unbelievable.” You made me think of something. When I wrote my thesis, it was on a very specific topic, but my primary source of reference material was the Orange Book from the Rainbow Series. I wish I still had a copy of that series of books. The Rainbow Series way back when was the Bible of everything. It had a little bit of everything from physical security to cryptography.
I’m certainly not the first person to say this, but when we started, you had to read a book. To learn something, you had to read a book. There weren’t a lot of resources to go to. This was pre-Google, so any research you did, it was you go and you find an FTP site. You find some of those old sites that had information. Everything was manual. You learned everything from the command line. There were no GUIs to go to.
You probably have similar stories. I blew up my computer a million times. I had to rebuild it or a floppy disc thousands of times because I did something wrong. Things are so much easier and so much more efficient today to do almost anything like that. It’s good and bad. It’s good because it’s a lot more efficient. It’s bad because I don’t think people learn technology the way we learned technology back then. You had to dissect stuff.
Today’s technology is good because it’s much more efficient, but we don’t learn technology the way we learned before.
For sure. I remember distinctly setting a computer on fire because I plugged a ribbon backward. It happened to be my mom’s boss’s computer, which got me in a lot of trouble. We didn’t have any way to learn back then. Plugging the ribbon in backward, who knew that particular daughterboard would go up in flames on my bedroom floor? There are so many drastic differences.
When we think about the human side of cybersecurity and think about from the mid to late ‘90s until now, and we’re in the early 2020s, there are so many themes of human impact and insider threat. Some things can come from humans making nefarious decisions that the attack scenarios are largely the same. Am I crazy in saying that, fundamentally, not much has changed there and it is how we tackle the problem?
Certainly, technology has changed how attacks happen. You’re right. The methodology and mindset behind them are pretty much the same. I don’t mean to bring up anything too controversial, but Kevin Mitnick died. I have been reading a lot of stories about him. I had my interactions with him. He was intellectually curious, and that’s how he got in trouble. He may have crossed over some lines that you and I didn’t, but he was intellectually curious and trying to figure stuff out.
I read a weekly newsletter. I published it about twenty minutes before doing this recording. In that newsletter, I put my commentary on Mitnick’s passing. It was similar to your commentary. He had a massive impact on cybersecurity. Whatever you thought about the ‘Free Kevin Movement’, whether it was good, bad, or indifferent, is irrelevant when you think of the positive impact that he ended up bringing to the cybersecurity community over time.
A lot of that was focused on the human aspect of cybersecurity. He focused on how people learn. He focused on how people can be convinced of things that they may not otherwise be convinced of. Those attack models worked for him in the ‘80s. Those attack models are what we’re seeing in ransomware attacks in 2023.
You are exactly right. He was a hacker. He was really smart and understood technology, but his real forte was social engineering. The same tactics that he used back in the ‘80s are still working today on a different scale in many cases, as you said with ransomware. The things that he did are still happening today.
For sure. You went to Navy post-grad school and then became CISO for the state of Colorado. Correct? Was that the next time? Am I getting the order right here?
I got out of the Navy and went to work for a defense contractor for a few years. I ended up living in Colorado, and then I ended up getting hired as the first chief security officer for the state.
That’s amazing to be able to do that at a state level. Let me jump forward again for a second. You also received a call from the Obama administration and became the First Deputy Undersecretary for the Department of Homeland Security. You’ve worked in the government Navy post-grad school level. You’ve worked in government at the state level. You’ve worked in government at the Federal level.
If we were to look at all three of those as a cross-section, are there big deltas in the human aspects of cybersecurity at those levels impacting change, let’s say at a local, state, or Federal level versus a Federal level? Are there differences in the potential risks of insider threat? Are there differences in the chances of those risks occurring? Are there differences in how we implement change at those levels? Maybe there isn’t. Maybe this is a question where you’re like, “It’s about doing these three steps.” Help me compare and contrast that a little bit.
You have to remember that those were 25-year gaps between the different jobs. Fundamentally, people are the same. The scale is massively different. When I was in the Navy in the Department of Defense, it was an insular culture. You have a focused mission. Whereas in state government, it’s completely different. Colorado was a fairly small state. After Colorado, I went to California and worked in the Schwarzenegger administration. I went from having 24 state agencies in Colorado to over 160 agencies in California.
People are relatively the same. There’s a difference though in the culture between the public sector and the private sector. The private sector is much more innovative in a lot of respects and a lot more open to taking risks than the public sector is for some good reason, in many cases. What has always been one of my frustrations working in the public sector is to break out of that risk-averse mentality. I get the reason why people in the public sector are a little bit more risk-averse than they are in the private sector. The cultures are completely different, but the technological challenges are virtually the same.
It’s a scale difference predominantly more than anything else, but it’s the actual steps to have to get things done. I want to double-click on one thing before I even ask this next question. What was it like to work in, around, or anywhere near Arnold? I have to ask. The audience wants to know. Do you have any wonderful funny stories about Arnold Schwarzenegger that you can share with the audience?
I wish I did. I don’t. I interacted with him a few times. It wasn’t like I briefed him on a weekly or even a monthly basis. I met him a couple of times. The one thing that I wanted during my time in the administration was to go to the cigar tent in the garden area inside the capitol. That’s where he would go smoke cigars and meet with people. It was on my dream list to go have a cigar in the cigar tent with Schwarzenegger, but I wasn’t able to social engineer my way into making that happen.
Maybe if Arnold tunes in to this, he might call you in for one last favor.
There you go. Maybe. That’s fine. I’ll jump on a plane anywhere to go do that.
I would do that in a heartbeat.
I still think very highly of him. Not only is he a good governor, but he’s a good person. He was trying to do the right thing in a very difficult environment.
From a human aspect level, that’s exactly what we would want to see. It is doing the best we can with the resources we have to make the world a better place. Let me go back to the real questions, not the fun ones. In the government, how do policy decisions occur at the state or Federal level? How do those get rolled out? Is that a massively long process? Are these policy decisions dictated from on high? Does it come from individuals at your level who say, “Here is a smart policy decision that we should be rolling out to the world to enforce X or to get more buy-in on solving problem X.” How does that occur? Help us understand a little bit about that process.
There are a couple of different ways it happens. Certainly, from the executive branch level, people have ideas, thoughts, and desires on how they do something that’s going to impact the government. In Colorado and California, that would be coming out of the governor’s office. When I was there, cyber was still an issue that nobody understood. There was not a lot of guidance coming out of the governor’s offices. It was me pushing it up and saying, “We need to do this. We need to think about this.”
The other way is from the legislative perspective. Both from the state level and the Federal level, it has changed quite a bit in the last twenty years. If you look at what’s happening at the Federal level, there are several hundred different pieces of legislation working their way through the process that have cybersecurity attached to them or somehow associated with cybersecurity. At the state level, the same kind of thing is happening.
Those are the two primary ways. Somebody has an issue or a concern. Even a constituent gets the ear of the governor or the cabinet secretary and says, “We need to be doing something about this.” That way, it starts the ball rolling. It is a very long process. Every Congress is two years. Some of this legislation will carry over from one Congress to the next Congress.
I can remember the first piece of legislation I worked on was in Colorado with Senator Ron May. We struck up a relationship. I was trying to advocate for establishing the chief information security officer role and codifying it with a budget in the state government. He thought that was a good idea, so he got a couple of his legislative colleagues on board, and we wrote a piece of legislation. This was back in 2006. It was probably a year-long process to write this policy like, “Colorado is going to have a state CISO. Here are the responsibilities. Here is the funding that’s going to go along with it.”
It’s a fairly long process even in the private sector. You don’t just go out and write a new policy. You have to make sure that the General Counsel is involved, there’s funding attached to it, the CFO is involved, and the government. There are always political concerns. Who are we going to make angry on the other side by doing this? It’s a little bit different today, but up until the last few years, cyber has been fairly bipartisan. It’s an issue that affects everybody. Getting bipartisan support is important because if you don’t have it, then you’re not going to get legislators to move it forward at all.
I’m going to go a little bit off-script here and ask a question. Feel free to say you don’t want to answer it if you don’t want to. The concept of nation-state attacks came to bear and became a thing during our lifetime. This is not something that in ’93, the nation-state attacks existed. This is something that’s been in the last X number of years.
That changed the political nature. This may be what you were alluding to a little bit when you said it had changed. Has that changed how the politics around policymaking for cybersecurity in government occurs now? There is some worry about these nation-state acts or the impact of what this policy may say on this particular nation-state act. Is that what you’re alluding to when you say it’s becoming a little bit more political?
It is not just nation-states. Everybody wants to have their name attached to a piece of legislation that’s going to be successful. Specific to the nation-state issue, this is something I’ve been talking about for years. You’re right too. This has come about in our lifetime. Thirty years ago, if there was an attack by Russia, China, or anybody, it was the sole domain of the US government, primarily the Department of Defense, to respond to that.
Today, it doesn’t matter if you are the government, a Fortune 500, or what I call one of the Unfortunate 5000. If you’re a small or medium-sized business, you face the same risk as everybody else does from a nation-state. That’s one of the things that has changed. It’s one of the things I find myself advocating for. It’s not fair to expect some small businesses to be able to have the same resources to combat nation-state actors as Fortune 500 companies or as the government.
It’s unfair to expect some small businesses to have the same resources to combat nation-state actors as Fortune 500 companies or the government.
The proof is in the pudding. We still have Federal government agencies getting attacked, breached and compromised all the time. For the Federal government to say to every small and medium-sized business, “You need to have all of these controls and have all of these people that do all of this,” when the government is still having issues with nation-state actors, is a little bit disingenuous. That’s probably not the right word, but it’s not a fair fight, is my point.
The nuance there is important in how things are changing within the government on how enforcement occurs. It is making smart decisions at both a political level and a true cybersecurity enforcement level.
There is one thing I would add to that. The third dimension to this is that if you’re a private sector organization in the US and you get breached by somebody when you have a ransomware event or whatever the security event is, not only do you have to respond to that and you bear the cost of responding to that, but you also have the Federal government, whether it’s the SEC, FTC, FBI or somebody, saying, “We’re going to come after you now. There are compliance and regulatory issues that we are going to apply against you because you got breached.” It is a triple jeopardy scenario where private sector companies have to worry about the government coming after them when they are trying to fight the battle against bad guys.
I’ve been saying that a CISO job is one job I will never want to have. I should never say never, but it is fraught with peril. It’s exactly what you’re talking about. If a breach does occur, the risks at an individual, as well as a company level are massive to CISOs. They bear so much risk.
Look at what’s happening with SolarWinds. Tim Brown at SolarWinds got this letter saying, “We may come after you now for what you did or didn’t do post-SolarWinds.” We’re getting ready to see a monumental shift in how CISOs are positioned, treated, and regulated with their own companies.
I’m going to ask a specific question about insider threats. The theme of Friendly Fire is the insider threat, so we want to make sure we get that message in here. I have a very legitimate question. You had the pleasure of working in government at the state level and the Federal level. We haven’t gotten to it yet, but you also were the CISO at the NERC, which is the regulator for all electric utilities for all of North America. You were a consultant for Chertoff Group for several years. You also worked at vArmour as a startup.
Talk to me a little bit about the differences between a CISO and a security-minded professional in those organizations. Does the insider threat risk level change? Does how you handle it from a technical, tactical, and procedural policy vantage point have to change for each of those styles of roles between healthcare, government, commercial, and consulting?
Yeah, it does change. We were responsible for regulating the entire electricity industry in North America. I still think of it as the most critical of all critical infrastructures. These utility companies across the nation have relationships with many other countries. They have employees, interns, and consultants from all over the world. It was a big deal for them to think about this from an insider threat perspective because of the consequences of their industry. At the Chertoff Group as a consultant, I was on the other side of things. This time, I was advising CISOs on policies, procedures, protocols, and technologies that they could deploy to identify, alert, and respond to insider threat incidents.
The one thing that hasn’t changed, and it doesn’t matter what industry, whether it is the private sector or public sector, is around technology and identity and access management. How are you managing who gets access to what? How are you validating that people are who they say they are, and that they have the credentials and the authorization to access information data that they say they have? It’s different when you’re in different industries. Different industries have higher levels of risk tolerance than others do. For critical infrastructures, the bar is much higher.
My last big security job was at Booking Holdings. Booking Holdings is the largest online travel agency in the world. They own Priceline, Agoda, Kayak, OpenTable, Booking, and a bunch of these travel brands. The amount of fraud associated with potential insider threats in that industry is profound. It’s mind-boggling because everything is online. Every transaction is an online transaction. That’s how that industry generates revenue. Insider threat is a big deal in those kinds of industries.
That industry is very susceptible to things like price scraping, competitive attacks against other companies, insider threats, and direct hacking and compromise of data credentials, usage patterns, and locations. All of those things become a massive risk. If you could say to a new up-and-coming CISO, “Here is the 1, 2, 3, or whatever number makes the most sense to you, the most important lessons I’ve learned over the last 20 to 25 years concerning impacting change and cultural change around cybersecurity inside of business,” what are the couple of biggest tips you would give to a rookie CISO up-and-coming?
There’s a lot.
You can only have a couple.
I have a lot of scars from learning lessons like that. It’s probably not surprising, but as a technologist, I can’t even imagine saying this twenty years ago. It’s about developing relationships both internally and externally with your organization. If you don’t have those relationships ahead of time when you need them, it’s too late to make those relationships. That is a big one.
The other is communication skills. I’m not the first person to say it, but being able to communicate is important. A lot of us as technologists don’t grow up learning how to communicate well. We are very insular from that perspective because we grow up in dark rooms with our hands on the keyboard. Being able to communicate well is important for a CISO. It’s become more important in the last several years. That doesn’t happen today. If you’re in a Fortune 500, you are talking to your board probably a couple of times a year. Being able to communicate in business terms to your board of directors is important.
I have a story I tell. I wrote about it one time. A friend of mine asked me to come to a board meeting with him. He was going to do his regular quarterly brief to the board, and he wanted me to give the board a threat presentation. I did mine first. He was giving his pitch to the board and the chairman started asking some questions.
Some people, when they detect a weakness, laser focus on that weakness. This board chairman detected a weakness and he started asking a bunch of questions. It got very uncomfortable for everybody in the room. It got uncomfortable because the CISO was getting flustered. Pretty soon, the chairman said, “You don’t realize how this company makes money, do you?” It was incredibly embarrassing to everybody in the room. I was scooting away from him. I didn’t want to be sitting next to him when the bomb went off.
That’s important as a CISO. Certainly, we have to understand the technologies, but we also have to understand the business. We still have to be considered experts. We want people to look at us and say, “This person knows cybersecurity. They understand their job.” If you don’t have that, you have no credibility with anybody.
The most important piece of that is understanding people and understanding relationships. It is taking it back to the human aspect of cybersecurity. As we run out of our allotted time here in the next 5 to 7 minutes, I want to shift gears a little bit and discuss AI and generative AI. There is a massive fear going around that AI is going to put cybersecurity people out of work. You read this rhetoric all the time in some of the trade rags that cybersecurity is going to put people out of work.
Can you help me understand what impacts AI and generative AI will have on cybersecurity in your eyes? I know you are intimately familiar with this area through some of the companies you’re working with and the advisor roles and board seats that you have. Maybe provide a little bit of data around how the human side of cybersecurity copes with the change that will come on the back of generative AI.
The first thing is we need to recognize it. Trying to ignore it and think it’s not going to impact the world is very naive. That’s the first thing. They say the first step on the road to recovery is recognizing you have a problem. We all need to understand that. We need to understand that the security environment that we live in now is not the security environment we’re going to live in 24 months from now. It’s changing as we go. I moderated a panel with five CISOs. It was amazing to me the conversations that these guys are already having integrating Gen AI into their environments. The impact is going to be a matter of two things, efficiencies and scale. Those may be the same thing. I’m not sure here.
The biggest change is going to be wherever there’s a lot of brain power required for security on the research side and analyst side, those are going to be done by Gen AI. Those jobs are not going to go away completely, but I’m not going to need twenty SOC analysts anymore. I’m going to need 1 or 2 SOC analysts that can ask good questions. That’s one thing we need to be prepared for.
The other thing is we’ve got to be prepared. The Gen AI and the large language models that we’re seeing today are being built upon the data that we’re giving them or the data that they’re being fed. There’s going to be a time when we’re weeding out. Not to sound cliché, but there’s still a lot of hallucination happening. There is still a lot of fake stuff in the feedback we’re getting out of these Gen AI products. It’s an interesting time. It’s a fascinating time. I wish I was twenty years younger so that I could grow with this Gen AI world. It has incredible opportunities for security people to mold and make the environment that we live in better.
With this Gen AI world, there will be incredible opportunities for security people to mold and make the environment we live in today better and better.
I agree. It’s going to allow human beings to take an order of magnitude more importance in the way that they think. It will allow a lot more of those rote tasks to be controlled by intelligence other than ourselves. In the last 30 seconds we have here, do you have any upcoming events you’ll be speaking at? Is there anything you want to plug in for the audience? Are you writing any books or any interesting research? What can we talk about on your side to make sure the word gets out?
No books. I’m still writing a little bit now and then. I’m speaking at the USEC Con in November 2023. I am speaking for the Society of Automation and Engineers in Colorado in October 2023. I probably have another dozen speaking engagements at various places around the country over the next six months. I have a couple of themes that I hit on. AI is one that I’m working on. I still talk a lot about security convergence, the convergence of physical, IT, and OT security. Finally, that is happening in a real way. My goal is to help make people a little bit better. I’ve always been working with people and trying to help people become better CISOs.
I appreciate that and I appreciate you coming on here as a guest.
Thank you very much. I appreciate you being here.
We have come to the end of another episode of Friendly Fire, presented by Elevate Security. I would like to extend a heartfelt thank you to our incredible guest, Mark Weatherford. Your profound knowledge and passion for impacting cybersecurity change are truly inspiring. Your insights into mitigating unintentional human risk will undoubtedly empower our audience to safeguard their digital lives.
Remember, everyone, cybersecurity is a collective effort. Every step we take to fortify our self-defense counts. Stay tuned for more compelling discussions on cybersecurity with the Friendly Fire presented by Elevate Security. Until next time, stay vigilant and stay secure. This is your host signing off. I’ll see you soon.
About Mark Weatherford
Mark Weatherford is the SVP and Chief Security Officer at AlertEnterprise and also serves as the Chief Strategy Officer and a Director on the board at the National Cybersecurity Center.
Mark has held a variety of executive-level cybersecurity roles including Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation, and the first Chief Information Security Officer for the state of Colorado. He was also appointed by Governor Arnold Schwarzenegger in 2008 to serve as California’s first Chief Information Security Officer, and in 2011 he was appointed by the Obama Administration as the nation’s first Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security.
Mark is a former U.S. Naval Officer where he served as the Director of Navy Computer Network Defense Operations, Director of the Navy Computer Incident Response Team (NAVCIRT), and established the Navy’s first operational red team.
Mark is an investor in cybersecurity start-ups, a Board Director, and on the Advisory Board of some cybersecurity technology companies where he has a successful track record in helping startups from founding to acquisition.