[00:00:35] Tom Garrison: Hi, and welcome to the Cybersecurity Inside podcast. I’m your host, Tom Garrison, with me is my co-host Camille Morhardt. Camille, how are you doing today?
[00:00:44] Camille Morhardt: I’m doing so well. And I’m really excited to share my fun fact later.
[00:00:48] Tom Garrison: That’s right. That’s right. And we had some good fun facts this time. So today we’re going to talk about transformation and specifically digital transformation. We go into different levels of this conversation, but I think most importantly, when we talk about most transformations up until now, we talk about cloud; and the cloud is sort of the end point, if you will, of one end of that transformation. Like once you’ve achieved cloud, you’ve sort of achieved the majority of the goal.
But as with governments and public sectors in general, you can envision that there’s not just one cloud. And so the idea of digital transformation has to extend from one cloud to another. And how do you do that securely? And we’re going to dive into that topic today.
[00:01:42] Camille Morhardt: Yeah, I think he goes into cloud to cloud conversations, business to business when you’re talking about even transferring cloud and how do you keep that secure and how do you think about that? It’s interesting.
[00:01:55] Tom Garrison: This was kind of a crossover event for us as we had been a guest on his podcast, which we’ve done two or three times over the year since we’ve been doing this podcast, which is always a fun thing to do, we have basically two different conversations. This is our podcast with our guest from Intel who also hosts his very own podcast. So let’s jump right to it.
Our guest today is Darren Pulsipher. He’s the Chief Solutions Architect at Intel, focused on the public sector, investigating effective change, leveraging people, process and technology. He is also the host of Embracing Digital Transformation podcast, of which by the way, Camille and I were just guests on his podcast. So welcome to our podcast, Darren.
[00:02:55] Darren Pulsipher: Yeah, you guys are more structured than I am. I’m not used to the countdowns and all this. Thank you for having me on your show.
[00:03:04] Tom Garrison: That’s right. We aim to be professional here. Can we just start off with having you describe your background and what you do for Intel?
[00:03:14] Darren Pulsipher: Yeah. So I actually have a really strange background. I’m a software engineer by trade. After being in the dot.com boom and I’m not getting funding because I didn’t have a web startup in the nineties, but dogfood.com did; I still don’t get that one. I went back to school and got my MBA. And then I started moving into technology management where I was a CIO at one time of all things at a juice company; saw rapid growth and from there I’ve been in different industries. Got back into high-tech and now I sit at Intel where I actually talk to other CIOs and commiserate with them and help them figure out how to effectively move forward with a digital transformation.
[00:04:04] Tom Garrison: Well, that sounds fascinating to me. Like what’s on the CISO mind and where are they in terms of this whole transformation that’s happening in security? What are you hearing?
[00:04:15] Darren Pulsipher: I would say that before COVID hit the CIOs were in a quagmire of not having enough budget, timelines were too long, and confusion in direction; because cloud was starting to emerge, it really confused a lot of people. Do I go to the cloud? Do I stay on prem? COVID hits–it’s amazing what a pandemic will do to focus. Plans that they had to move everyone to like Office 365 in the next three years happened in three weeks. People were now looking at the remote work force as an asset, not as a detriment. So a lot of things changed during the pandemic.
And now that people have moved away from adjusting to this new way of working, the number one thing I think they’re worried about now is security. The number of security breaches we’ve had over the last 18 months has been astronomical. And some of that has been new breaches. Some of them have been breaches that nation states or bad actors are finally pulling the trigger on. They’ve been very patient. Whoever would have thought that meat packing plants would be a target for cyber criminals? That just doesn’t make sense.
[00:05:33] Tom Garrison: So is there any particular trend when it comes to the type of actions that the folks that you’re talking to are taking?
[00:05:43] Darren Pulsipher: It’s kind of all over the board is what we’re seeing–in the data center, especially; they’re trying to protect their data. I think they’re okay now because of the move to cloud so much in the last 18 months. They’re okay now if something gets infected; they’ll just shut it off, and move somewhere else. They’re concerned more about their data. Is their data going to be held ransom? Is someone going to take copies of their data and release it out into the public? So that’s one thing we’re starting to see a big change.
[00:06:20] Camille Morhardt: Are you seeing a lot of the CIOs actively planning crisis simulations or ransomware attack scenario planning, where they’re actually going through what they would do if something happened?
[00:06:33] Darren Pulsipher: They’re starting to. And in fact, I had Steve Warren our CTO of Intel Federal and a former CISO as a guest on one of my episodes. He said, “if you don’t have a business continuity plan, that includes ransomware you’re already too late because it’s not, if it’s going to happen, it’s what do you do when it happens?”
[00:06:56] Camille Morhardt: One of the things that we had a conversation in another episode on this podcast that kind of enlightened me was that some of the conversations around ransomware are not just ‘do we pay or do we not pay?’ Do we have a principled approach to this? Or how are we going to deal with it? but rather how much do we disclose other than the legally required amount that we need to disclose? Are we going to tell law enforcement? Are we going to tell the public if we’re not required to? Because the payment is really often handled by the insurance companies, making the decision.
[00:07:34] Darren Pulsipher: That’s a very good point. One thing that you should have is what are you going to do? What is the PR from it going to be as well. Think of Target. This is a great example. The attack on Target, where they stole customer data and credit card numbers, they released that information pretty quickly to let people know, and I think to their benefit. But other companies have sat on the data for some time and then released it later after they were able to plug the holes. Does that make sense?
That’s a tough decision to make, that most CIOs are not making on their own. That’s when you start talking to legal, that’s when I would. Those are big decisions that you have to talk about. But you should have a plan. That’s the key, even as simple as writing the phone number down to the FBI–and writing it down in a book, not on your computer systems that you may not have access to anymore. You got to figure these things out.
[00:08:38] Tom Garrison: So Darren your role is Chief Solutions Architect. For those of you not at Intel that are listening to this podcast, you may wonder, what does that actually mean from a job responsibility standpoint? And I can tell you there’s lots of responsibilities for that role, but one of them is really about thinking about the future–designing solutions that will be available into three, four or even more years.
So is there anything that you can share with us in terms of what’s going to be even more important as we move forward and maybe some of the kind of cool, exciting things that people can expect to see? Maybe not just from Intel, but in general from industry players over the next coming years.
[00:09:26] Darren Pulsipher: That’s a good question. I really see CIOs moving away from being Chief Infrastructure Officers to being back to what they should be, Chief Information Officers. So I see as infrastructure becomes more commoditized and your data and your information starts living beyond the walls of the data center, you’re going to start seeing CIOs become even more important to the organization and drive better competition, drive new innovation inside the companies. And that’s only when they really start thinking that way. If they still think that they need to hold onto a server and manage that themselves and manage infrastructure, they’re going to go the ways of the Chief Power Officers in the early 1900s. No one has a Power Officer anymore, right? Because power is ubiquitous, it’s everywhere. We can get electricity whenever we need it.
And so that’s a major shift that I think CIOs need to step up to. And if they don’t, then the CDOs are going to take their jobs–the Chief Data Officer. So I think the big emphasis is on information management, information structure, and that does not mean throwing everything into one data center. There’s just too much data everywhere, so now it’s the job of the information officers to find where that data is, and it may not necessarily be their own.
[00:11:01] Camille Morhardt: When they’re looking at data, obviously privacy comes to mind immediately, and you had brought that up earlier. What are some of the surrounding kinds of things that they need to look at when they’re looking at privacy? For me, for example, I would say if you’re going to look at privacy, ultimately you’re going to need to be thinking about ethics or responsible AI. What are some of those surrounding areas that CIOs are becoming smart in now?
[00:11:31] Darren Pulsipher: I think they have to become smart because of GDPR, for example. And also the California Privacy Act, as well. They have to understand what the ramifications of those regulations are. I think more importantly, customers are demanding it. And if you are not focused on how to manage data effectively–especially around PIP–you’re going to run into-
Camille Morhardt: That personal data.
Darren Pulsipher: Some personal data, right? You’re going to start running into customers going somewhere else, because they’re going to start worrying more about their personal data. It’s funny, when I talk to individuals about privacy they get very concerned and then I see them on Instagram sharing pictures; and I’m like, “okay.” So there’s a perception of privacy if that makes any sense.
[00:12:29] Camille Morhardt: I have a follow on question to that, which is how transparent are CIOs thinking they should be? Obviously, if you’re too transparent about where you’re storing data, what data is being housed locally vs. in the cloud, it could get you into trouble. But as you pointed out, you have this perception problem and this kind of desire for explainability and transparency among customers and even the public. So how are they walking that line or deciding what to disclose?
[00:13:01] Darren Pulsipher: That’s a tough one. I think a lot of times the CIOs aren’t walking that line; they’re looking at legal to help them with that. I don’t know that companies will have to disclose where their data is actually residing, just, is their data protected and secure.
I think we’re at that point now where I don’t think it really matters where, as much as is it following good security best practices? Does that make sense? This goes into there’s this perception that if I’m in the cloud, I’m more secure or I’m less secure, depending on which side of the coin you’re on. What people need to understand when they are using cloud resources or even on-prem resources, there is a shared security model that you need to understand. For example, if you have data in the cloud, you’re responsible for the security of that data. It’s not the cloud service provider. Which means you should be encrypting that data in the cloud–it should be stored encrypted in the cloud. You’re responsible for access management of that data. A lot of times people say, “well, I’m in the cloud now they are handling security for me.” That is not true, they’re handling parts of security for you, but not everything.
[00:14:28] Tom Garrison: It’s interesting the way that you’re describing this and really all the conversation so far has been about business to business interactions. So, an enterprise and you’re getting some sort of a cloud service from another company. How about trends with regards to business to consumer? Do you see security rising to the level of something that the average consumer is starting to care about? And how are companies talking about it?–whether it be privacy types of conversations or just data in general with the consumer.
[00:15:16] Darren Pulsipher: It depends on the products that they’re offering and the industry they are in. For example, I was on a panel with an insurance company, they insure banks like FDIC but at even a higher level type thing; they store nothing in the cloud and their data center is completely cordoned off, not connected to the internet. Everything is sneaker netted over. There is an organization that is very cautious about data security, data privacy, right? And then on the same panel, I was talking to a startup that’s just trying to get people engaged and go viral with their social media and engagement. They’re like, “we’re an open platform. We want to share everything.” So I don’t think there’s a broad brush that you can paint across; but everyone’s talking about data privacy, what are the different techniques on realizing that data privacy making it real? And that involves security as well.
[00:16:25] Tom Garrison: My point of view is that security has gone from the land of the misfits, where you had to be the security person to even really talk about it, to now it’s kind of going up this curve of now non-security people are talking about security. It hasn’t yet reached to the point where it is changing people’s behavior broadly speaking–certainly companies are; but I think we’re on the cusp where people say security matters. They say it is one of their number one criteria for selecting hardware, selecting software. But when it comes down to it, is it really changing their behavior or not? I think we’re just getting to the point where behavior change is about to happen.
[00:17:18] Darren Pulsipher: I think you’re right. And I hate to say it this way, I think we’re going to have to have a couple more pretty gnarly breaches for it to push the industry over the top to make that happen. Because I told you at the beginning, I’m a software developer by trade. I still code. I always found security to get in my way. When I’m trying to write code, I’m trying to open up sockets to have two programs talk to each other. I’m trying to connect to a service. Security was always in my way, slowing me down, right? And until the security industry starts paying more attention to how to make it easier to secure things, I think we’re going to still have problems with the development community, for sure. And if you’re not building security into the products that you’re developing and they’re bolted on afterwards, you’re still going to get these Frankenstein applications out there and security will be a constant battle.
[00:18:25] Camille Morhardt: Right, or you can’t just set up a security division in your company when you realize, “oh, we need security.” And then give them the authority to stop ship and then say, “well, I’ve got this” all implemented and expect that to go smoothly.
[00:18:38] Darren Pulsipher: Yeah. It’s like, hey, I’m going to test security in. Okay. You run that Black Duck static analyzer right before you release your code. Go right ahead, that’s going to solve all the problems. It has to be a mentality change for sure.
[00:18:54] Tom Garrison: Yeah, mindset changes take awhile. And awhile is not one or two months either. It’s over years.
[00:19:01] Darren Pulsipher: But we said the same thing about remote work, Tom. We said, it’s going to take years to put the infrastructure in place to really have a workforce that can work remotely. But what did the forcing factor show us? It showed us it can happen and it can happen very quickly. And I think the same thing can happen for security. I just hope that we don’t have a Black Swan moment in security because that would be bad.
[00:19:31] Tom Garrison: You took a Black Swan event called a worldwide pandemic and for working for remote and we’ve had plenty of high profile security attacks.
[00:19:43] Darren Pulsipher: We have, and they’ve affected sets of industries. I sure don’t want to see a fire sale happen. That would be really bad. I think it could happen, I do.
[00:19:56] Tom Garrison: Obviously, Camille and I wouldn’t be doing podcasts like this if we weren’t true believers in terms of what is possible. And in our view, it takes education, so people understand what’s possible. And also how are companies on the forefront, how are they doing it, and sharing experiences so that other companies can go, oh, you know what? I hadn’t, I didn’t think of that.
[00:20:20] Darren Pulsipher: We just have to make it easy.
[00:20:22] Tom Garrison: Yeah. I wonder if you have some of those in your engagements, there are two ways of approaching this question. Do you have companies in mind that you think are doing something really innovative you can share without breaching confidentialities; or conversely, how about attacks that you’ve heard of that didn’t make the news that can enlighten people about those?
[00:20:49] Darren Pulsipher: I can talk in some generalities because I do a lot of work with the Department of Defense and the US Government. So I can. But, in general, I see a trend happening here, and I think it’s a good trend. People starting to secure their dev ops pipelines. The most recent attacks on the oil pipeline, the SolarWinds attack and things like that happened very deep in these dev ops pipelines. They all started with phishing attacks, which is really fascinating and getting an intern to divulge the build password. (laughs) That was brilliant by the hackers, right?
So we’re starting to see people look at automation as a way of enforcing security policy in the data center m errorless prone. Oh, I’m making up words now.
Tom Garrison: Error free.
Darren Pulsipher: Error-free. So security postures can happen automatically without human interaction. And the companies I start seeing doing that are having quite a bit of success in deploying new applications faster and with more security.
So getting away from the click ops mentality, where I’m clicking to deploy things to where things are fully automated. I think that’s where the big benefit will come in the data center as far as security goes. And when I say data center, I really shouldn’t say data center; it’s the multi-hybrid cloud world today. And if you don’t have that strategy, you’re already too late to the table.
[00:22:42] Tom Garrison: Before we let you go, we have a segment we call Fun Facts on our podcast. I know we’re kind of springing it on you, but we’d love to hear if you have any fun facts that you would like to share with our listeners.
[00:22:55] Darren Pulsipher: Okay. So you guys warned me at the beginning right before we started recording. I live in Folsom, California. Folsom is known for Folsom Prison of which a lot of people believe Johnny Cash served time for drug possession. He did not serve time in Folsom Prison, but he did cause a prison riot when he sang there in front of the inmates–after the warden actually told him he couldn’t sing a song. You can’t tell Johnny Cash not to sing a song. So there you go, there’s my fun fact.
[00:23:29] Tom Garrison: Nice. That’s a good one. Very good one. Camille how about you?
[00:23:34] Camille Morhardt: I had one fun fact, but as soon as we sprung the fun facts section on Darren earlier, I got a better one. So my first fun fact, I was driving through Hermiston, Oregon earlier this year, and that’s the home of the Hermiston watermelons. I thought I would look up the biggest watermelon that was ever recorded; and it’s recorded at 262 pounds. Unfortunately it was not in Hermiston. My latest fun fact, if Darren doesn’t mind me sharing, is that Darren has 10 kids!
Darren Pulsipher: Yep, that’s right!
Camille Morhardt: (laughs) I don’t know how he has a job with 10 kids!
[00:24:14] Tom Garrison: That’s an organizational effort right there. You’ve got an army.
[00:24:20] Darren Pulsipher: I do have an army, but I only have three at home right now, so the house seems empty. (all laugh)
[00:24:29] Tom Garrison: You only have three kids for now, that’s good, that’s incredible. So my fun fact is that it is estimated–by whom I don’t know, but you know, the mythical experts out there–it’s estimated that there is enough gold in our planet’s core to cover the entire earth in a 1 1/2 foot layer of gold. We call it a “rare earth metal,” but in fact, there’s a lot of gold in this earth. Just need to figure out drilling technology that can make its way through the mantle, all the mantle.
Anyway, Darren, thank you so much for joining us on our podcast. It was a pleasure for both Camille and I to be on your podcast. It’s a great topic and I think there’s a lot for us to dive into over the time.
[00:25:22] Darren Pulsipher: Hey, thanks for having me. I really appreciate it.
Stay tuned for the next episode of Cybersecurity Inside. Follow at @TomMGarrison and Camille@Morhardt on Twitter to continue the conversation. Thanks for listening.
The views and opinions expressed are those of the guests and author, and do not necessarily reflect the official policy or position of Intel Corporation.