Getting in front of cyberattacks with Beyond Compliance

Meghan Good: There will always be incidents to respond to, though. And that's part of this mindset too, is that you're assuming breach. You're awaiting it, but you already have mechanisms in place to help you in that situation.

Shaunté Newby: Cybersecurity is more important than ever. It's something we've talked a lot about in this podcast, but despite the growing threats, organizations still tend to fall back on old habits and look at security through a lens of simply meeting requirements. This prevents us from looking ahead and preparing for the inevitable breach. That's why Meghan Good and her team at Leidos are working to upgrade the cybersecurity mindset with beyond compliance.

DR. WHO CLIP: We have been upgraded doctor.

Shaunté Newby: That means taking a threat-informed approach to building security. It also means organizations working together to build the best security possible.

Meghan Good: I think the other part here is, again that collective defense, the collaborative approach. The walls are breaking down now in between organizations, and I think we're seeing it really starting to have an impact.

Shaunté Newby: Meghan Good is the VP, Director of the Cyber Accelerator at Leidos. On today's show, she takes us through why it's so important to build beyond compliant, threat-informed security, what shifts in approach that means for organizations, and the challenges organizations face when trying to modernize their security. My name is Shaunté Newby. This is MindSET, a podcast by Leidos. In this series, our goal is to have you walk away from every episode with a new understanding of the complex and fascinating technological advancement going on at Leidos. From space IT to trusted AI, to threat-informed cybersecurity, we've got a lot going on and we're excited to share it with you. So, Meghan, what are you doing at Leidos these days?

Meghan Good: These days, as part of the Cyber Accelerator, our mission at Leidos is to pull in our customers' challenges from across our groups and identify interesting technology solutions that will help them address those challenges. For me, that's around things with cyber operations, so defending large environments, actually looking at what are the weaknesses in those environments, the vulnerabilities, and then what are we doing to respond to those more proactively? It also looks at what are we doing as we're building our own hardware and software systems, and how do we make them more resilient to evolving cyber threats that we study? So a lot of my work is working with external technology partners, working with our teams across Leidos and, as a group, as an integrator, pulling those solutions together that we then talk with customers about and help deliver into their large critical missions. I think other efforts that I get to do are helping our teams to do that, so giving them the kinds of skills and resources that they're looking for in this evolving environment and definitely evolving threat environment.

Shaunté Newby: Can you start explaining, a little bit more broadly, what it means to look at cybersecurity from a Beyond Compliance lens?

Meghan Good: Sure. Beyond Compliance, to us, it really starts with kind of defining what that term means. I would say compliance within a cybersecurity landscape is there's a set of rules. It's a set of regulations. It's making sure that we have the right kind of security controls in place, the right sort of hygiene of environments, and you'll hear a lot of those terms. But I think that has often been seen as an end of compliance, of, "Oh, we did it, and we did it at this one particular point in time." There's so much dynamism in our environments. They're ever-changing. The data that we see is ever-changing. The systems themselves, what's connected? What's not connected? What's the right version? What's a vulnerable version? All of these things are coming together and there's a great amount of complexity. So this move for us to move Beyond Compliance, because that feels very snapshot in time, is talking more about what are those things that are unknown? What are those things that we know we need to react to?

Meghan Good: It's having resilience when those things happen, and then it's being ready to make adjustments within your systems. So we talk a lot about resilience, and resilience to us is about how we operate through adverse events. Adverse events could be anything that's malicious kinds of activities. It could be misconfigurations. It could be, really, where it's just not used for the right purpose. But in any case, our systems, our environments, and particularly those mission-critical ones for our customers, they still have to operate and they have to operate safely. So for us, looking at beyond compliance is about how do we really consider not just the hygiene, but what goes beyond it? What are those things that we know that this system needs to operate in a kind of environment, the kind of ecosystem, and the kinds of reactions that it needs to have?

Shaunté Newby: So this is something like always thinking about the possibilities, right? So Beyond Compliance, it's always thinking about what are the potential vulnerabilities, testing, and just what could possibly happen that you don't think would happen, but it can.

Meghan Good: It's really this engineering discipline that we're adding into, I think, what we've done for a long time around information technology, of where we're looking at the way that we would expect something to fail, which is different than what a malicious threat actor would see within an environment. We don't always know what their intent is and their way in. So we do, to your point, we have to think about what are those vulnerabilities that could be exploited, but what's really critical to us for the functionality for the operation, and then what can we do to make sure that we're sensing when anything happens to that criticality. And then, how do we respond appropriately? It's an evolution, I would say, of all of our thinking. There are a number of different approaches around it that we've seen, and we're just trying to drive that across the board, that we're building for both functionality and resilience at the same time.

Shaunté Newby: So I always try to think of a simple comparison just to see if it makes sense to me like this. And so when I think about it, I think about a comparison to structures. So you mentioned engineering, right? If we're building structures like bridges and buildings, there's, of course, compliance, right? There are rules and regulations, but then there's, "Well, we need to be prepared for if the wind happens to be a little bit stronger than it has been based on what we've seen, or what other things that could possibly happen." So a similar approach in being more preemptive, right, and just thinking about what could possibly happen. Innovative ways that this thing could get broken.

Meghan Good: Exactly. And bridges operate, now, in conditions that they probably weren't ever designed for, but there are these kinds of resiliency mechanisms built in. And so for us, I think with information technology systems, with software, with our mobile devices, with even lots of other devices, they really have been built for functionality first. We're seeing that a lot as you talk about internet of things, sorts of devices, smart devices that we have within our environments that are ever increasingly in enterprise environments, ever increasingly in mission environments for our customers.

Meghan Good: They're really getting very close to those critical assets, critical data, critical systems that are needed, and that interconnectivity becomes a weakness itself. So what we're starting to look at is how do you look at the overall system view of that and ensure that as you can with each component, you're adding in resilience, but really at that system level as well. And it takes testing, to your point. It takes trying it out, and that gets difficult, as well, to make sure that you're actually doing that as an adversarial mindset, rather than just the engineers who know how it works and you're testing things, but you're really just testing the functionality, not the pressure that would be experienced as that's operating.

Shaunté Newby: I want to take a moment to bring back a voice you may have heard recently on the podcast. Last month, we spoke to Jeff Mims, a Chief Technologist at Leidos, about Zero Trust. If you listen to that, you'll notice some stark similarities in the mindset Meghan is talking about in this episode. Here's how Jeff explains Zero Trust.

Jeff Mims: Zero Trust focuses on hardening that center, not just the edges, so it assumes there's always some sort of compromise. It doesn't matter if it was intentional or accidental. We finally accepted that while these rules, the cybersecurity policies, accreditation, all those things, they're very, very important. But no matter how strictly we follow those rules, there's always going to be a way in, and that acceptance is really the mindset that has changed the technology environment.

Shaunté Newby: As Meghan was explaining Beyond Compliance, I was curious to know how these two mindsets relate and work together. Here's what she said when I asked her about that.

Meghan Good: So Zero Trust is an excellent example of how to build a more resilient environment. The things that you talked about with Jeff are around how do you make more decisions faster based on what's actually happening within the environment? And that's really what resilience is. It's how do you sense what's going on with new sorts of visibility, with new sorts of technology, that you can use to make those decisions? You make the decisions and you respond, and that all happens, at incredible speed and scale, within Zero Trust network environments. And I think it's really the implementation of this concept when you start to look at the modern enterprise and enterprises that are modernizing,

Shaunté Newby: This is likely a good example of an area where organizations are usually reactive instead of being proactive, with the reasoning that it's going to cost a lot, right? It's a big expense. Why is it important to shift this mindset?

Meghan Good: I think for a very long time, cybersecurity has been seen as a cost. It's a big cost because it often comes at the end. So as I said with that functionality first, because that's where we see the value, that's where demonstrations are interesting. That's where proof of concepts happen, and then we'll secure it later, but the decisions that we made, in the beginning, are influencing the security in the end. So for us, it's a lot about how do we do both simultaneously? How do we tighten that loop through design, through development, through prototyping, and into when we're deploying it, so that the expense is actually over time, but it's not drastic and dramatic. It's part of the engineering process. It's part of what we're doing when we're building really critical systems.

Meghan Good: I think it's important for that mindset to shift because it's one where it affects the outcome, right? It affects the way that things are operating today, and it's actually making this an industry, right, rather than us just building the secure technology that we can at speed and scale. So for us, I think a lot of what will enable that shift is the kind of tools that help those development teams. For us, it's a lot about how do we automate some of those processes and capabilities so that they're doing that testing as part of their DevOps, or you're really making it DevSecOps, of actually doing interesting kinds of security testing as they go and making sure that it's on a continuous basis, that it is something dynamic, and that it's fed in with an outside attacker's mindset. There are a lot of components there, but it's a lot about how do we really take this disciplined approach, adding that engineering rigor into what we're building so that there's both functionality and resilience.

Shaunté Newby: So you make me think about this quote that I lived by for a long time, and I would share it with people. It is, "Pay for it now or pay for it later." And it sounds like the way you're describing this prevention costs, even though it costs a lot, it's less than the potential recovery cost.

Meghan Good: I think, right now, that is a great line. For me, with some of the work that I did for Leidos a few years ago with our commercial cyber practice, we were helping respond to these large-scale incidents and that was not cheap. It's not a great place for an organization to be. There will always be incidents to respond to, though. And that's part of this mindset too, is that you're assuming breach much like in Zero Trust, right? That way you're awaiting it, but you already have mechanisms in place to help you in that situation. So you're paying for that part up front so that later, you're ready and later, you're learning faster. You're being able to be more adaptive to out-maneuver whatever threat is there.

Shaunté Newby: Meghan, so how does an organization change to a more threat-informed approach?

Meghan Good: So there is certainly change and an adaptation needed there, right? And as we just talked about, it's a bit about how you're incorporating this in your engineering process, and the life cycle, of how you're designing and developing and incorporating in that adversarial mindset. So there's something there about the kinds of threat intelligence that you need, the sorts of things that you're gathering about the design decisions you're making. There's the tooling, itself, of how do you make this more part of the process? How do you make it easier for your developers to use? And then there's the side of it of how do organizations make this part of the process and the culture? I think? For so long, there have been stigmas about there being vulnerabilities caused within systems.

Meghan Good: And guess what if somebody wants to, they're going to find a vulnerability in your system. They're going to find a way in. There's a bit of it that's adversarial, human nature. And so as engineers, as system developers, as security-minded engineers, we have to know that and we have to be able to adapt. The fact of the matter is when new threats emerge, we're responding as fast as we can, and then we're making sure that our systems still operate through those adverse events. So it's keeping focused on what the goal is, not that these vulnerabilities are occurring over time. It's not the counts, it's the purpose, right? It's making sure that the system, ultimately, is resilient to threats that you really can't know in advance, but that you're actually making sure that it meets those compliance bars for those known kinds of threat areas.

Shaunté Newby: What shift had to happen to not make these vulnerabilities and threats feel like failures?

Meghan Good: I think as a country, even our senior government leaders certainly are talking about this now. The term they're using, which I really like, is called Collective Defense. So there has been, for a number of years, this feeling of information sharing. Share with everybody else about the vulnerabilities you see. Share about your incidents. But it's hard to know what's happening to you, if it's targeted, or if it's something that everybody is seeing. But this notion of Collective Defense kind of takes that information sharing to the next level of where you're starting to look, that there is so much connectivity between these different kinds of environments, both in government, in industries, like ours, that serve the government, and then across even broader industries that we are starting to see some similarities.

Meghan Good: Certainly, with the ransomware, a text that became very much in the news over the last year, if not over a longer period of time that we've all been tracking. It's certainly one where you can feel very victimized by it, and it can feel like there was a mistake made somewhere. And there were mistakes made. It happens, but resilience is what do you do through it, right? What do you do in response? How do you move past it? I think that shift in mindset helps. I think also knowing that there are others experiencing the same challenges helps.

Meghan Good: Within each industry, there are these information sharing and analysis centers, these ISACs, and those actually help us share information in kind of safe spaces so that everyone starts to know that, "Okay, this is happening to someone else. This might happen to me. When it happens to me, I should admit to it." I saw a stat recently, though, that only 50% of organizations admit to having had some sort of security incident. There's still work to be done on people accepting that is part of this landscape, and it's okay to say, "There was an incident and we recovered from it, and this is what we did. This is what you should do. These are best practices we follow. This is what we're doing from now on." That really shows more leadership and resilience in this shift, rather than the other side of it, of not admitting that there's a challenge.

CYE CLIP: You know what? We need to test drive it though.

Shaunté Newby: Being prepared for anything and everything means thinking ahead about any possible scenario that could arise. But like a lot of things in life, there's no better teacher than experience, and a controlled experience is much better than a surprise attack. That makes testing and research a crucial phase of security. However, testing on expensive equipment is expensive and getting access to certain technology to do that research can present a challenge. I wanted to learn more about those potential barriers, so I asked Meghan about it. Here's what she said.

Meghan Good: There are a lot of issues there and challenges with testing equipment. So I think with the testing perspective that we have, particularly around cyber-physical systems, and some of the cyber-physical systems that I mean there ... It could be things like medical devices, IOT devices, which are pretty easy to come by, but then it gets really complex as you start to look at things for critical infrastructure. Like electrical utilities, where there are only a certain number of these devices. There are only a certain number of these systems. It could be weapons platforms, too, as you look at a company like ours that works for defense. Airplanes, right? You might want to start testing the cyber resilience of it as well.

Meghan Good: It's hard to test something to the point of destruction, like what an adversary might do. People don't want you to do that on their equipment, right? They don't want you to go past a certain point and even on IT equipment with the supply chains that we've seen and the disruptions that we've seen with chip shortages and the like, there is a bit of sensitivity in how far you go in this adversarial kind of testing. So I think there's always, when you do penetration testing, rules of engagement and what you can do, what you can't do, but there's a number of other approaches that we're pursuing, particularly in different fields where it is hard to get the hardware or the software itself to test. That could be doing some dynamic testing within an environment. It could be just doing some static analysis of code to see what would work and what wouldn't work. What might be vulnerable, what might not be vulnerable.

Meghan Good: And with some of those larger cyber-physical systems, it really is taking kind of a systems view, a modelling view, and then kind of testing at the edges so that you're starting to see what could be issues underneath. And as I said, we're doing that more frequently, so some of it becomes you don't actually have to test on the thing itself. You get to test what it's doing. As you're doing the functionality testing, you can start to see if there might be any security issues or resilience issues down the road, but money is definitely a challenge there. Actually getting the equipment becomes a challenge, and making sure that we are responsible security resilience folks about it, too.

Shaunté Newby: Thinking about the approach of prevention and security checkpoints riddled through our tech, it sounds like we need to start thinking of security before we even begin building devices and software, for our tech industry is already built up. Is there a lot of retrofitting to come to in the future?

Meghan Good: So there's a lot of stuff that's deployed. I've had one colleague this week said, "There are no more green fields. You're not creating something from scratch anymore. It's probably fitting into something that's existing, no matter what." I think retrofitting is, as a concept, sure, but that's what we've always been doing. You've probably heard the terms where we've had to bolt on security at the end, rather than build it in. And for us, it's just flipping that on its head. It's knowing that we have systems that are already deployed, that probably did not have security in mind, and that definitely did not have resilience in mind. And so the best thing that we can do is start to adapt those systems as they're already deployed. We talked a bit about security. We talked about resilience in our definition there, but the critical part of this is being adaptable. It's knowing that the underlying technologies of all of these things are changing over time.

Meghan Good: Even as we start to think about critical infrastructure like electrical utilities, they're changing their technology all the time. I know on some past MindSET episodes, we talked about smart vehicles and even electrical grids and how things are being more distributed within our electrical grid. That's new tech, and that's aiming to add more resilience as we add that new tech. So it's using that same mindset and approach or hoping to use that mindset and approach of resilience here as we move forward. But I think with all of this, we work with customers through a lot of legacy systems that never had this in mind, and then what are the approaches that we can do around those systems? So how do we integrate them more securely, or how do we add interesting visibility points, and much to your conversation with Jeff Mims on Zero Trust, how do we add some of those principles as we're modernizing those environments?

Shaunté Newby: So I imagine people perceive that it saves money to work with existing and legacy, right? But are there instances where it's important to upgrade and replace?

Meghan Good: There definitely are, and it's a balance of what a customer's risk appetite looks like, as well as the criticality of their mission and the changes that they'll see. And then, the kinds of sophisticated threats that they're exposed to while that's operating. So there's a bit of a calculus that needs to be done there, and we definitely work through what needs to be upgraded and replaced.

Shaunté Newby: There are some non-negotiables usually, right? This has to be upgraded.

Meghan Good: There's a lot of things operating today that when they were built, they probably were never envisioned to last as long as they have, and so we can say maybe that's resilience, too. They've operated through adverse events like changes in technology, but then they're interacting with other devices. They're increasingly more connected and communicating, and that, we need to re-look. And it's a systems-level view of how we modernize those overall systems and how we make them more resilient.

Keith B. Alexander: I think as you look at cyber, it is an element of national power. It will be used in this conflict against countries. It's already being used against Ukraine. This is a new form of warfare, where the public and private sectors have to work together.

Shaunté Newby: That voice is general Keith B. Alexander, who is the former Commander of the United States Cyber Command. That comment was part of an interview on CNBC discussing the dangers of cyber war in relation to the Russia and Ukraine war. His concerns are echoed by many, and it's part of the reason why cybersecurity has become such a huge priority for organizations and the country as a whole. The idea that wars being fought differently today than in the past is also something that Meghan spoke about. I ask her to explain more about it and why it makes the shift to beyond compliance so vital.

Meghan Good: So wars are fought differently today than what we probably learned in school, and as we look backward, right? There are so many more things that are connected. It's that command and control has changed. It's not a person saying something to a set of troops. It's not moving in a physical battle space all the time. There is this digital component, right? There's this connectedness of, again, as we were just talking, those legacy platforms that were built for a different era that are still being used today. There's the rise of the information kind of warfare, as well, that we see actively as part of the great power competition and that we see in an active conflict, like what's going on with Russia and Ukraine. There's the data side of it, right? There's the influence side, but then there's also the physical side. There are things that are on the ground, and all of those are really interconnected in our world.

Meghan Good: And so with this, it's a lot about the information, and maybe I just see it that way because I'm a computer scientist and I'm about the data and what we can do with it, but there is data that's driving these operations across the board. The security of that data, the use of that data, the integrity of that data, the availability of that data in the right moment, that makes it so critical. So really, as these wars are being fought, the software that's interpreting that data we want to make sure is secure, the systems that are then actioning what is being determined, we want to make sure that they stay up and running, that they're resilient in the face of things that are happening within an active battle space.

Meghan Good: The operational environment is constantly changing with new threats, with different intents from different kinds of actors. It just becomes more and more complex. And with that complexity, again, it just reinforces this need to be ready, to be resilient, to understand that your system will continue to operate through. So it does change. It changes our mindset as much as I think all these systems have changed over time.

Shaunté Newby: What about the future in this area has you excited?

Meghan Good: So I think the future of this sector, the things that are really exciting to me is how much everybody is actually talking about this. This is becoming part of our thinking in a more mainstream way. My kids are in elementary school and they understand what cybersecurity is. They don't share passwords, and maybe that's thanks to school in COVID times where they all have laptops and that, but they don't share passwords. They'll ask for someone for them and they'll be like, "You really shouldn't tell me that," so I like there's that start of awareness very early on, and that has me excited because they're going to think about this in a completely different way. They'll be, like we talk about with digital natives, or we did a while back, they'll see solutions to challenges that we didn't see starting off and I think that's pretty neat. It becomes part of what is expected in software and hardware in years to come.

Meghan Good: I think the other part here is, really, again, that Collective Defense, the collaborative approach. It's one that's been ongoing over the course of my career, and it's something that I think the message has been there, that we need to really work together. But the walls are breaking down now in between organizations, and I think we're seeing it really starting to have an impact, and the capabilities are there, now, of ways to share, and the technology is changing to speed that up and to make it much more scalable than where it was so manual in the past. I'm excited at that maturity, right, the change there. I also see a lot of the emphasis being on building secure technology itself, right? So building it in, not bolting it on in the future, not thinking only about retrofitting of that it will be built in years to come. I'm excited to be part of that challenge from what we saw in the beginning to where we're headed and to make an impact and push us along on our own transformation journeys.

Shaunté Newby: On the topic of the future, something that's really exciting is that diversity in the cyber industry is growing rapidly. This is something you're in tune with, given your work with the Cyber Guild. Can you tell me a little bit about how this stands to impact the industry going forward?

Meghan Good: I am really excited that diversity is increasing within this industry, and I think when I joined the industry and joined my team, I really was the only woman on the team. I was the younger one on the team at the time. I tell some great stories about that group of former military guys that I was working with, and then some folks had only been private industry, who had different engineering kinds of backgrounds, and we were all together. One of my first incidents where we were responding to something that had a Facebook message in it, and I was the only one who knew what Facebook was at the time, and where you're like, "Oh!" Being that younger voice was really helpful to making sure that response went well and that reaction was good, that analysis was actually something on point. But I think with all of that, it's how does all of this come together, and how are we forming these really interesting teams that can look at problems from all angles and start to solve the challenges that we're experiencing with different customers and with different mission areas?

Shaunté Newby: Yeah, and I can see that the increased awareness of cybersecurity, it's attractive work to me, so I can see how that could make people want to be in it. And then, there are so many ways that you can play in this space, right? So you mentioned it, mechanical engineering. Of course, we talked about testers, we talked about people that are architects of some sort, or that preemptive thinker, right? So there are so many opportunities in cyber, still.

Meghan Good: I want to say there are more than 50 categories of kinds of jobs around what we need in the cyber workforce. There's something for everyone. There are certain of those jobs that I have never done, and there are others of where I am so thankful there is somebody who does that piece of the puzzle for us, and how we all work together as a team to deliver on a solution.

Shaunté Newby: Because they all require different mindsets, I'm sure.

Meghan Good: Different mindsets, different capabilities, level of details, big picture. It's a mix of us all.

Shaunté Newby: Well thank you, Meghan, so much for your time today. I really enjoyed our conversation.

Meghan Good: Thank you, Shaunté, me too. Appreciate the time.

Shaunté Newby: Beyond Compliance is such a crucial mindset for organizations to take on as digital risks continue to grow. In the case of cybersecurity, as Meghan shared, being proactive is much more beneficial and cost-saving than being reactive. If you still want to learn more about beyond compliance and threat-informed security, you can visit leidos.com/cyber. Thanks again for joining this episode of MindSET, a podcast by Leidos. If you like this and want to learn even more about the incredible tech sector work going on to push humanity forward, make sure you subscribe to the show. New episodes will be live every two weeks. Also, feel free to rate and review. We're always excited to hear your thoughts on the show. My name is Shaunté Newby. I'll talk to you next time.