Ford Winslow, ICE’s CEO, was a guest speaker on Seamless Podcast with Mike Caroll and Darin Andersen, San Diego technologists, to discuss the current state of cybersecurity. The podcast took place on March 18th when COVID-19 was beginning to dominate social consciousness as major trade shows and events were shutting down. As everyone transitions to work from home (WFH), securing data as workloads shift from corporate networks to home networks is a major challenge. Ford gave us a glimpse into how ICE is addressing four challenges through integration and automation.
Below is an abridged transcript of the show, for the full version you can catch it on Stitcher.
Darin: And we’re off. So, Mike the happiest place on earth just announced that it’s going to close up, at least pending some new news on Coronavirus.
Mike: What that tells me is that stuff is really getting serious because when the Disney’s of the world start making changes to their bottom line, you got to figure stuff is really getting bad.
Darin: An unprecedented series of events, the NCAA postponed indefinitely, the NBA basketball season postponed indefinitely, now Disneyland, several major events South by Southwest and Coachella Music Festival.
Mike: Even movie premieres have been pushed back, No Time To Die & Quiet Place 2 just announced that they were pushing back.
Darin: We talked about in the previous show, kind of this idea of social disconnection, that this might be a case where our social networks are being taken away from us in a certain sense, the things that bring us together, maybe social network connections, we’re now being disengaged from those, the ability to congregate.
Mike: It’s going to be interesting to see if there’s a long term societal effect or human psychology effect too, just how we interact or maybe even just appreciating those times that we can gather together a little bit more than maybe we did, instead of taking it for granted for so long.
Darin: We’re back with our latest Seamless Podcast, a FutureCon series and we have our co-host, Kim. How you doing, Kim?
Kim: Good, thanks for having me. I’m excited to be here.
Darin: You’re actually out and about today driving back from your latest conference in St. Louis, sorry, in Chicago to St. Louis, and how was the drive? And what was Chicago like?
Kim: The Chicago event was great. We had a packed house. But, on average, our events usually have about 150 to 170 people, we had about 150, but we did have 300 and like 40 register. So, we almost lost 200 people that didn’t show up. But the people that were there, were happy. It was really the right kind of crowd. I don’t think we would have wanted more than we had yesterday. So, everything was still going as normal. But then I think with our president’s talks last night, it seems like today’s a whole new day. My inbox is flooded with people concerned about our upcoming events. So, it’s sad that yesterday it seemed like, there was still a lot of talk all day about the coronavirus but now I feel like in just 24 hours, the whole, everything’s just shifting and changing.
Darin: Absolutely. Well, one, I have our special guests Ford Winslow, join the conversation. Ford is the founder and CEO of ICE Cybersecurity, how you doing, Ford?
Ford: Doing great, Darin, thanks for having me.
Darin: Thanks for being here. We were together, was RSA two weeks ago now?
Ford: About that, that was February 25th. So, about two to three weeks from where we are right now.
Darin: We literally all rode up together because it was kind of a last-minute trip that we all decided to do, to get up to RSA conference and join the discussion. We had a special event and launched the FutureCon podcast from that venue. Ford, how you doing since then? You were at the show and what were some of the interesting discussions, I don’t think that coronavirus was top of mind then?
Ford: No, it’s good and the show was big and overwhelming as usual. You know a lot of the same old same old. There was some new DevOps tools and things out there. I spent about four or five hours on the show floor talking to folks and then came back.
Darin: Tell us a little bit about ICE Cybersecurity. You’ve been in business for about four years now, five years?
Ford: Three and a half years.
Challenge 1: Cybersecurity Professional Shortage
Darin: You incubated at least part time from the NEST CoWork facility, we've known each other for a long time and been in a number of battles and shared a lot of Cybersecurity information, been on several panels together. So, what's new and exciting for you?
Ford: We're excited that we're attacking the cyber labor shortage by automating a lot of the common security and compliance practices across our clients, people, process and platforms, using automation, intelligence and tools that help reduce the need for large cybersecurity teams. We're taking a different approach. We're saying, it's not a tenable solution that to have 2 million job candidates out there to fill the needs, we have to do something a little bit different.
Darin: On a recent show that we did, the number now, for the shortage of Cybersecurity experts just in the United States is about 500,000 and globally, you may have a shortage of as much as 4 million experts in CyberSecurity, the folks that are keeping us digitally safe. So, this notion of automation certainly seems to make some sense.
Ford: We think so. We think that software solutions can help build holistic Cybersecurity programs that are adaptable for a company's mission. Our approach is to be technology agnostic and leverage a company's existing resources, their people and their tools that they have to build security into their business … kind of a DevOps approach to security. We believe that companies can thrive when they're confident in their digital space. And so, in order to be confident digitally, companies must be confident in their Cybersecurity.
Darin: So, one of the things that you bring to an engagement is an all in one solution, right? So, many times a company, especially a midsize, more larger company, they want one throat to choke or one partner that can actually help them guide through that since there's so many sensitive topics around cyber, sort of digital information and remnants that are throughout the enterprise, you really do want that all in one partner, if you can, at all, afford to do it.
Ford: And that's one of the things our clients like about us and that we're not as prescriptive about which tools they're going to use, you know, to pick your firewall, pick your sim tool, pick your antivirus tool, because all of them have merit, and no two companies are built the same way. So, giving them the freedom to be able to use the investment that they already have and then create that automation layer that allows them to have a security program that's highly functional quickly. That is our unique differentiator.
Challenge 2: Cybersecurity as a Culture
Darin: What do you think there are some of the major threats that you're sort of fighting against these days, as you go from sort of customer to customer, what do you hear from customers? What do you see in customers that they need?
Ford: Most of them are confused about where to start. They want to invest in security, but they maybe don't want to invest in a single product, or in a single way of doing things, knowing that they may have to switch or invest in a long roadmap to get there, or something that involves high switching costs. So, to be able to get moving quickly, to understand what are the most important things they need to do next, and do those things next and continue on that cadence, on a month to month basis, we found has been a key to our success and the success of our customers.
Mike: It sounds like you really need to get them to first invest in the mindset of just adopting a more security focused approach to their business and their data and then from there the different tools or like you said, automation layers, you can bring that in. But first they have to be committed to the actual goal, right?
Ford: That's right. It takes a commitment to being secure. And whatever that means for the organization, not necessarily from an absolute security perspective, but to protect, to provide reasonable security that protects your business, whatever that means for you. So, be able to adapt the conversation to the customer's unique situation, and then pick on and then knock out the things that are the riskiest first and take that kind of, you know, that DevOps approach where you build a security backlog, and then you're starting to work on the things that you can do in the next sprint or the next cycle. And then continue that and build that into their continuous security program.
Mike: It's almost like you have infrastructure, technical debt, you can have Cybersecurity technical debt that you need to work through, because maybe those policies and procedures weren't in place for a long time.
Ford: Absolutely. And I'm glad you said policies or procedures because that's a major point with most companies.
Mike: It's funny, right? Because, being technologists, we kind of try to solve every problem with a tool, we just throw the right tool at it and that'll fix the problem. But especially with security, a lot of it is a people problem. And you have to have policies and procedures and enforcement, then you can find the right tools to implement them, but you have to have the policies first.
Ford: That's it, the policies and maybe even before that, it's security awareness with the people. And we bring programs in for security awareness for testing and training people, for how to build code, practical security policies in organizations that they can actually live up to, that's not just a boilerplate template, and then implementing the right technology changes, that are not disruptive to the organization or too restrictive, that allow them to work the way that they need to work.
Darin: Kim, I get the sense that these are exactly the topics that I've heard at your event, where you're actually bringing together this people component, the human element, as we talked about it at RSA, the technical component, and certainly the training of the people, implementing the right policies, and having the right and best practices in place. These seemed like perfect conference titles.
Kim: Well, yeah, most of them, all our topics are different and a lot of them are super technical. But at the end of all of our events, we have a CISO panel that we talk about everything you guys, we're not really talking technical, it's more interactive, and just talking about different things that you guys are talking about now. We talk a lot about the cyber threats and the dark web and cyber resiliency. So, that encompasses everything. So, whatever we didn't cover throughout the day, we're wrapping up from what's keeping them up at night, and what issues are they having, and it's generally, the people, controlling the people that are under them.
Challenge 3: New Privacy Laws
Darin: Understood. Ford, I'm curious to know, and you and I have talked about privacy and I think I've been on a couple privacy panels. So, how is privacy in priority, in 2020 versus 2015? It feels to me like starting and going into RSA, there was this kind of privacy resurgence?
Ford: Yeah, I think so, especially with a CalCPA coming online here this year.
Darin: And that's California new statute that actually requires new Cybersecurity practices and protection of data for anybody operating inside of California, correct?
Ford: That's right and the ability for users and customers to be able to know where their data is and how it's used and request that their data be deleted and request information about their data. And that's new to a lot of organizations. There are serious fines around CCPA We will see this year how the law actually gets rolled out, when case law starts hitting, and how the courts come down on it. It's certainly making everybody think about Privacy. Your company's defense in a privacy situation is: did you take reasonable and appropriate measures with your CyberSecurity program to protect the data and build security into your company from the outset?
Darin: Yeah. And that's carried over into this IoT legislation, which is bill 327, I believe, then that is actually requiring that anybody in California using or building an internet of things (IoT) product, deliverables, wearables, and drivable, as I like to call them, also has to bring about and implement some sort of reasonable Cybersecurity solution as part of that.
Ford: That's right. And if you've read any of the new NIST frameworks, it's all about risk based approach and saying that you have to look at your organization, make a selection of controls that are reasonable for your company and then implement them reasonably, back to our DevOps approach to Cybersecurity comment, that every company needs security, but no two company security program looks the same. It's about adapting and making a pragmatic choice of security for your company.
Mike: Is that what makes doing this at the company level so difficult? Because, there are so many different verticals or businesses and no two companies are the same. You can just slap on a boilerplate solution and you are good to go. Because different industries have different compliance, regulations; there's HIPAA, PCI compliance, etc. I work for a managed service provider that also has a cyber component to it, and we're dealing with the level of action that you need to take vary so differently. Keeping yourself trained on all the different things that need to be aware of from a service provider standpoint is very difficult to keep up.
Ford: That's right, that key word is that risk-based approach. That means you have to figure out what you need to do and make logical argument about it. It used to be that in early days of PCI, in early days of Sarbanes Oxley, there was one way to do it, you had backups, you had to have logs, you had to have antivirus, had to update this and you could check the box and comply. Now, you have to actually put some thought into your program. And the first thing in all these new frameworks in the NIST 1.1 security in the new NIST 1.0 privacy frameworks are that you have to do an assessment of your organization and assess and select which controls are appropriate for your company. That takes a Cybersecurity professional or it takes some automation or some integration that is creating that job shortage. That's one of the things that we're building technology to help companies through that selection process and help the professionals really know what to do.
Challenge 4: Not a One Size Fits All
Darin: Ford, you know, in the security stack and providing services to your customers, there must be a fair amount of variation across the business types that you're working with, different types of industries, what are some of the biggest challenges with that making adjustments sort of industry by industry as you're providing, you know, a virtual CISO service or being their security manager implementing the platforms that you put in place, what are some of the challenges there?
Ford: Really, it's in tuning the program to the individual organizations need. If you're dealing with protected health information, your health care company, there's different reporting requirements, different controls, different concerns there. If you're a construction company, it's slightly different and if you're working in schools or you're working in these other places, it's really being able to gain situational awareness quickly, about what's important to the customer so that we're not coming with a one size fits all solution because that's not realistic anymore.
Darin: As curious, Kim, as you go about traveling the country and bringing Cybersecurity programs city by city, do you come across different industry concentrations as you're in a particular market like Chicago or Dallas? Does it change noticeably, city by city?
Kim: Well, when we're in DC, obviously, in our markets, it's going to be more government. It's interesting when you're traveling all over the country, you find out that every city is made up of at least 50 big companies that are name brand stuff that we're using in our homes. And it's just interesting to see how that goes across the United States. But then there are some like Sacramento, it's a very government, Washington DC is very government. I couldn't say what city would be completely financial or educational. But I think those are the two biggest markets. But I am interested in what Ford was saying, when do you think that people are going to, since there are so many new laws out in California, do you think it's going to take people having lots of fines before they take this stuff serious, on the privacy side?
Ford: I think that fines will certainly raise the temperature for everyone. Organizations that have good legal counsel right now and are preparing them for the privacy world and the agreements that they're putting together and they take it seriously, they realize that there's teeth in this and that there are things that they need to do, and there are severe financial downside if they don't. So, we're seeing the wave of proactive companies or I guess, maybe not proactive, but less reactive companies because if you are proactive, you wouldn't be just starting now. But we're going to start seeing this get to every company, as they understand where the laws come down and where the case law and how the courts interpret the statute.
Darin: Ford, your company is national in scope, but you're based in San Diego where there's a lot of hardware tech, a real mix of things, whether it be consumer IoT, military applications, is that an area of interest to your company? How do you approach software companies, helping them provide Cybersecurity? How has that impacted your business? And how has that been going for you guys?
Ford: So yes, I would say all the above yes is an interest to us. And I think being here in San Diego in the startup community where there are lots of innovative hardware and software. It exposed us to a lot of different technologies, development, life cycles, entrepreneurs and innovators. So, when we take that outside of San Diego to companies that have SaaS platforms or are innovating products, I feel that we're much more competitive, and we're able to innovate and provide solutions that are very attractive and we can beat out a lot of bigger competitors because we've seen so much here and have been so well prepared. San Diego is an innovation factory.
Mike: What brought you to San Diego to start with, what brought the company to San Diego? Did you already identify that opportunity, there's a lot of startups and entrepreneurship going on here, this is a hotbed of talent? Or was it more serendipitous?
Ford: What brought me here was the life sciences business. I was working at Freddie Mac in Washington DC doing the Beltway thing, and I got an opportunity to come here and run an IT department for Life Sciences company in Sorrento Valley. And I said, “Man, I'm going to get to live near the beach, help people, work with scientists, and wear jeans every day!” It was great! Being in this hotbed of innovation, and compliance regulation, investment - the culture that San Diego really embraces - led to ICE Cybersecurity.
Darin: So, you've seen a lot of effort around Cybersecurity as a cluster here in San Diego, been a big part in developing that, how has it look to you, over the last 5 to 10 years as San Diego's become a Cybersecurity powerhouse? You must be proud to have been a part of that. But also, what do you see as the opportunity going forward for cyber companies in the San Diego region?
Ford: I'm absolutely proud to be a part of the San Diego Cybersecurity cluster. We get into our little bubble and we talk about cyber every day and we get to rub shoulders with 30 or 50 Cybersecurity professionals I can get them on the phone and go have coffee with them. And I take it for granted sometimes, I get out of San Diego and realize that, not every place is like this, that we truly have a special group here. I think the speed of ideas that have allowed us to stay relevant and to build services and products that our customers love allows us to drive the industry forward. This is a unique function of being in San Diego.
Darin: Well, I have to say that in San Diego, people come to solve a lot of hard problems, what are some of the hard problems that are out there that we need to be focused on? Not just the San Diegans but looking to innovate solutions across the world and be a leader in that?
Ford: One thing we do here in San Diego, is we can build just about anything with limited resources. And that I think, is one of the big challenges in cyber. If you have a petabyte worth of storage to put logs on, and you have an unlimited compute resource, you can kind of build anything you want. But if you have to figure out how to make it work on a startup AWS budget, that's a whole different problem to solve. And I think that's where I'm seeing a lot of the innovation come, is how we are collaborative with our clients so that we can leverage their investment, leverage our investment and do something truly unique.
Mike: It's funny, but having budget constraints almost leads to more innovation, whereas like, you would think having an unlimited budget, like, oh, I can, like do anything I want now, but that creativity that comes from, oh, I don't have the money to necessarily do this how everyone else has been doing it, or, you know, whatever. I think that sparks a lot of ingenuity and innovation. So, it's interesting to hear you bring that up. I see that in the film world too, you see the big budget movies, take one approach, but independent movies, can kind of be a little bit more creative.
Darin: Yeah, it definitely shows right in that result. You see the more interesting things a lot of times in the lower budget movies than what you're expected to see in the bigger budget movies.
Ford: Bob Dylan was asked early in his career, how he came up with so many good, good songs, and he said “I was gastronomically motivated”. That's when he was singing for his bread in Greenwich Village.
Mike: So, Ford, how can people find some more information about you, about ICE Cybersecurity? Where can people find you?
Darin: Awesome. Well, I just want to thank our special guest, Ford Winslow from Ice Cybersecurity and also our good partner and co-host Kim Hakim. Kim, if folks want to find out more about the current schedule for your upcoming events, I think you have one in St. Louis, is it in two weeks? It's currently scheduled? Where can we get the latest information?
Kim: They can go to our website at Futureconevents.com or you can also hit me up on LinkedIn. My name is pretty easy, Kim Hakim. So, h-a-k-i-m, and you can find me there as well.
Darin: Awesome. Well on behalf of the Seamless Podcast - FutureCon Series in CyberSecurity, I want to thank our special guests Ford Winslow, and thanks Kim Hakim, and co-host also Mike Carroll. We'll be with you next time.