If It’s Good Enough for the CIA: A Q&A with Rick Tracy of Telos
In Early Adopter Research’s continuing series on cybersecurity from the RSA 2019 conference, Dan Woods spoke with Rick Tracy, chief security officer for Telos. Woods asked his three big cybersecurity questions for 2019, as well as exploring the landscape of cybersecurity in general. This is an edited version of their conversation that can be heard in full on the EAR Podcast.
Woods: Can you explain what Telos does using the NIST Framework that identifies identify, protect, detect, respond, and recover as the basic food groups of cybersecurity capabilities?
Tracy: Telos is a pure play cybersecurity company. We were founded in 1968 or 1969. And over time, we’ve centralized our offerings on cybersecurity solutions. And at a high level, we use automation to make certain security objectives easier, faster, and less complex for customers. The segment of the business that I’m most involved in is the security risk and compliance management business, where we founded a platform in 2000 that is designed to operationalize security risk and compliance frameworks, largely around the way NIST organized it. So it’s the risk management framework, the cybersecurity framework, and, more recently, we help organizations who have a desire to become FedRAMP certified. We operationalize that framework as well. And a more nuanced offering is contractors who do business for the federal government and have to comply with this new standard called 800-171 for controlled unclassified information. We also offer a solution that helps those organizations deal with that cybersecurity requirement.
It sounds like it’s not providing cybersecurity control capabilities, but more cybersecurity management capabilities.
Yes, that’s a great point. It’s more about helping organizations understand and demonstrate that they have met security controls that are needed for their systems to be operational. And so that’s particularly true as it relates to the RMF (Risk Management Framework), where there’s this notion of an authority to operate, or ATO. But the ATO requirement doesn’t exist per se with the cybersecurity framework where people recognize the cybersecurity framework based on a core set of terms called identify, protect, detect, respond, and recover. It is a voluntary framework that came about as a result of an executive order in I think 2013. The framework was launched by NIST in 2014. It was intended for critical infrastructure sectors, of which there are 16 as identified by the Department of Homeland Security. The framework has become so popular, though, that it’s not just critical infrastructure sectors that are adopting it. More than 20 countries—as I understand it—around the world have embraced the cybersecurity framework. Much like TurboTax helps someone step through the process of creating their tax reporting, the idea behind our products is to create a purpose-built workflow for RMF, something that’s slightly different for FedRAMP, something that’s different again for CSF, the cybersecurity framework. And it’s a wizard that helps people gather, organize, collect, and document the data that’s needed to come to some conclusion. You have to manage it over time using automated continuous monitoring.
My first question is about zero trust. I’ve been struggling with the notion of what it really means in practice right now. The target for zero trust is a world in which you don’t have a perimeter, in which everybody, every asset is protected by the system understanding what it is, what it wants to get access to, and then creating a custom micro segment around that asset or that person so that it can do the work it needs to do. Now most people don’t have a perimeter-less world and they’re going to have a perimeter for the foreseeable future. But people are going to be moving in and out of that perimeter. So what does zero trust mean as a practical matter?
That’s a really good question. A way to think about the perimeter is that it’s not a static boundary anymore. It’s constantly moving based on where your employees are and the assets that they have with them. So the discussion about does a perimeter exist or not is an interesting one. But I have a tendency to lean towards perimeter-less or dynamic perimeter. As it relates to zero trust, as with all things in this industry, I have become a bit jaded because the industry is heavily marketing driven. This notion of zero trust is a concept that begs for more definition. Zero trust is absolutely sure that the right people only have access to certain resources. And perhaps that means putting a boundary around those resources that require zero trust. I don’t actually know. The definition for zero trust is evolving. I also will say that it doesn’t help organizations who don’t have a lot of skills and resources. What does a smaller company that doesn’t have the ability to implement something do?
And if you think of the progenitors of this, we had Google with their BeyondCore structure, which they implemented with a very rich stack of custom-built components. Their idea of zero trust is a very full, deep, wide implementation that has considered so many different things and has a rich implementation. No vendor has all of that. You cannot buy that from anybody.
So the question is, what do you do about that observation? How many of these capabilities would a CISO need to put together before they could say, “You know what? I think I’m doing a pretty good job with zero trust.”
There’s been all this talk for years about defense in depth and all the layers of security that need to work in harmony with each other. And every year you come to shows like this and it seems like there’s another layer for which there’s another set of technologies that have to be integrated with what you already have. So the problem just becomes increasingly difficult. I have a friend who has an idea about zero trust where basically he assumes there are two types of companies: those that have been hacked and those that don’t know they’ve been hacked. I don’t necessarily subscribe to that thinking, but if you do, his philosophy is, “That critical server has been compromised within the past hour.” He doesn’t know that. He assumes that. So what he does is he assumes zero trust as it relates to critical servers, he takes them down, and replaces them with pristine images. So if someone is in that server, they’re no longer in the server because it’s being replaced at some frequency that the customer or the user identifies—15 minutes, an hour, 90 minutes, every day.
What you said about the vast sea of vendors goes to my next question, which is about portfolio pruning. Every generation of cybersecurity, you have a new set of vendors, a new set of capabilities coming out to deal with a new set of threats. Now that’s natural because the attack surface has grown. But it seems like it’s always additive. When are we ever going to get to the point where we can prune the portfolio? And what would it mean to prune the portfolio?
A lot of things that you see at shows like this, in my opinion, aren’t products; they’re features. A feature is a very important capability that probably should reside on a larger platform as opposed to being a standalone thing that the user now has to figure out how to integrate and get the most benefit from by integrating it with IDS, IPS encryption and firewalls, and the sea of security solutions that are within an organization now. Over time, what I would hope to see is market consolidation, that some of these smaller companies get bought by the larger companies, they’re embedded and integrated so that you or I don’t have to figure out how to do that.
That’s pruning at the vendor level. It’s not pruning at the capability level. Is there any other meaningful way we can prune?
I can only tell you what I do. When I talk to a vendor about their solution and what they feel they can do for Telos, the first thing I ask is what can I get rid of? What technology or technologies can you replace?
But is the answer ever, “Yes, you can replace this or that.”
Yes. We were talking to a company called Darktrace. And they identified a number of things in our security portfolio that they felt we could live without. And generally speaking, we agreed with them.
Most of the time, I see replacement happening within a capability level. But there, we haven’t pruned the capability, but we’ve pruned the number of vendors.
That’s the goal, right? To reduce the cost and the complexity of managing.
The next question I have is about cloud migration of cybersecurity. As we think about people migrating applications to SaaS and other cloud-based forms, migrating infrastructure to cloud, what are the cybersecurity implications of that?
As it relates to the cloud and security implications around the cloud, the shot heard around the world in 2014 was the CIA saying, “We’re going to the cloud.” That caused many organizations to say, “If it’s good enough for the CIA, it’s got to be good enough for us. Let’s figure it out.” The adoption has been slower than expected, but it’s accelerated, largely based on the CIA’s decision to adopt the cloud in this region called C2S, Commercial Cloud Services. An executive from the agency, at a public sector conference said, “The cloud on its worst day is better than client server technology,” and it was directly related to security. I happen to agree with that because many organizations can’t afford to invest in the infrastructure and the physical security characteristics that you get just by virtue of you putting your workloads into the cloud. Gates, guards, guns, separation of duties, access to systems and data, all of that stuff is managed by AWS physical security control management procedures and such.
At the layer of the network, the layer of the machine, a lot of those things are underneath the kind of cloud API boundary. It’s not that the issues don’t have to be taken care of; it’s just that somebody else is doing it.
Yes, from the managed service standpoint. These cloud platforms continue to innovate with security tooling. If your stuff is in the cloud, you don’t have a hodgepodge of technologies that are difficult to integrate and require a lot of resources to understand and manage. The consistency of the cloud tooling, security tooling, in particular, makes the job easier. So how much security belongs in the cloud? I think that’s for everyone to ask themselves. But I think we’re getting to the point where people are becoming increasingly comfortable.
I have three bonus questions. First is about ops discipline. Isn’t it true that most companies would be better off if their CISOs didn’t invest in another cybersecurity capability but invested in improving their operational discipline with respect to configuration management, patch management, asset inventory, automation levels, and an abstraction of all this so it can be managed at a higher level?
Yes. It’s the cart before the horse. If you’re talking about AI and ML before you have an inventory of what it is you need to protect within your organization and some vulnerability management capability that drives patch management, that’s basic blocking and tackling. Why would you be talking about advanced cybersecurity management capabilities if you don’t have the fundamentals nailed down? Why is it not addressed when everyone recognizes that it’s important? It’s more difficult. It seems pedestrian, but these things are more difficult than you might think they are.
My next question is about cybersecurity culture and training. This is another thing that is really important, but people often don’t do as well as they should. What is the secret to getting that culture in place and having it sustained?
With government agencies, they have a very important mission, but they’re not for profit. Organizations that are trying to maximize profitability are concerned about things like consultants being engaged on billable assignments. The conventional thinking around cybersecurity awareness and training is that it all takes time. It’s CBTs, auditorium presentations — all of this takes people out of the line and out of the work that they’re supposed to be doing for a customer. There’s always this tug of war between the security people in the company and the operations people who are trying to deliver on a number. How do we minimize the amount of time that we have to send people to security training? From an industry standpoint, cybersecurity training and awareness is a segment of the industry that is ripe for disruption and innovation. I don’t know the answer. It seems to me that it shouldn’t be heavy duty awareness security training for three hours on this week and then you get it in six months or a year. There needs to be some way of slow and steady, trickle charge to reinforce concepts in ways that are less disruptive.
The last question is on cyber insurance. A lot of people are being forced to buy cyber insurance and they don’t like it because they feel that it’s bad insurance. It doesn’t cover enough. But very few CISOs, CTOs, or CIOs win the argument. So how can they turn cyber insurance to their advantage and actually have it make a positive impact?
Cyber insurance has a place. Low frequency, very high impact events; that’s what we should be focused on as it relates to insurance. If you’re referring to the Zurich Insurance claim that was rejected for the parent of Oreo Cookie, where Zurich denied the claim, which was hundreds of millions of dollars because they determined that the attack mechanism was an act of terrorism or war, that stands out. If that continues, it’s going to destroy the cyber insurance industry because people just aren’t going to pay for something if they think that they’re not going to have the coverage. My advice is to work with your broker and have your broker ask those tough questions. Make sure that the exclusions and the caveats and the footnotes are all understood so that when you buy cyber insurance, you have a high degree of confidence that you’re going to get what you need when you need that coverage.