Adopting Zero Trust: Cybersecurity Innovation

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google.

For more than a decade, Zero Trust has moved from a philosophy into a practical architecture and strategy that organizations can adopt. While Zero Trust encapsulates much of what has gone well in cybersecurity over the past 30 years or so, does it truly offer an innovative approach, or just iterative change? Is the concept positioned well enough that others can adapt it to their needs and prevent greater cyber-related risks? While we know it’s certainly not a silver bullet, and use cases are still reasonably immature, there is a firm argument that it helps drive cybersecurity innovation forward.

This week on AZT, Neal and I chat with Andrew “AJ” Grotto, current Stanford University Fellow and Director of Security at Turtle Rock Studios (makers of Back 4 Blood and other popular video games). Prior to his current roles, AJ was an advisor at NIST and was the Senior Director for Cybersecurity Policy for The White House National Security Council. As a practitioner and academic who danced the line between public and private sectors, AJ is well suited to help us navigate the question of what drives innovation around cybersecurity if the federal government is behind the curve or creates chain reactions, and where policy comes into play.

So what drives organizations to mature their cybersecurity capabilities, or holds them back? For the U.S. government, budget constraints, legacy IT systems, layers of legal and regulatory requirements for procurement and management, and inertia are the largest factors. The government has made some progress in improving cybersecurity, but there is still much work to be done, and it needs to continue to prioritize cybersecurity as a critical part of its overall risk management strategy. Fortunately, between the National Cybersecurity Strategy and agencies like the FDA whipping out the stick, it’s clear this is top of mind. In the past administration, efforts around recapitalizing federal IT and modernizing legacy systems also better positioned agencies for the road ahead.

Editor’s Notes

Headed to RSA? Neal will be poking around, so feel free to reach out and say hi. He will be doing some onsite interviews for future episodes, too, so email us at elliot at elliotvolkman[.]com, and we’ll get you scheduled.

CISA also published their updated maturity model, which we’ll be digging into in a two-part episode after RSA.

Key Takeaways

  • Understanding the unique IT environments and management cultures within different sectors is crucial when it comes to implementing cybersecurity strategies like Zero Trust.

  • Budget constraints and legacy IT systems are some of the challenges faced by the government in innovating around cybersecurity.

  • Leadership and culture change are essential for organizations to foster a culture of cybersecurity awareness and ensure that cybersecurity is integrated into the overall risk management strategy.

  • Zero Trust offers significant benefits for organizations, particularly in the context of cloud environments and remote work, but requires significant investment in IT infrastructure and culture change.

  • Ongoing innovation and investment in cybersecurity are crucial to keeping up with the evolving threat landscape.

Weekly Zero Trust Headlines and News

Most of the content about Zero Trust is opinion-based, but here are some impactful news stories from the past couple of weeks.

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Yeah, whatever you prefer. We can do an audio-only version. We do publish a YouTube version as well,

AJ Grotto: oh, sweet. Okay. Yeah,

that’s, that’s, 

Elliot: generally listen instead of like, yeah, I’ll, I’ll just turn some these into like preview clips

Neal: They can always stare at this so much before they get sick and tired of it. So it’s

AJ Grotto: Yeah. Yeah. Cause you know, I like our, Yeah, there you go. Yeah. I get like, we have, I, despite being in Silicon Valley, our internet connection is crappy. We have awful, awful broadband. Partly you could just partly cause this particular spot I live, we have Like, I live up on a hill and behind me there’s like an open area, and then a, a PG&E or a local utility has a substation back there, and all the poles have to go through the PG&E facility, which means like no one wants to string fiber through because they gotta, you know, deal with the utility.

So we have, we have Xfinity, which like, like, just, just not, you know.

Yeah. It just isn’t reliable. 

Neal: They’re not fiber to the door. Fiber to the node. Happy note, I have fiber to my house. So, 

AJ Grotto: That’s sweet.

Neal: get in, one last little thing, you live in the tech hub of the world. I live with 180 acres worth of cattle and literal bird shit all around me. I have one fiber internet.

So with that, 

AJ Grotto: That’s sweet. 

Neal: it off.

Elliot: Oh man, this is gonna be the weirdest intro ever because we are already having the conversation. So welcome to Adopting Zero Trust, or AZT, today. As you’ve probably noticed, to our wonderful listeners, we’re constantly changing up the format. This week. We have. Academic, someone with an intense background on the federal side.

And really we’re gonna hone in on, I don’t wanna say in a pessimistic, don’t, but maybe a lack of innovation in government around cybersecurity. So that’s the focal point of what we’re gonna be chatting through today. But So AJ comes to us with a significant amount of background. He’s currently a fellow over at Stanford University. He’s a director, lead Cybersecurity over at Turtle Rock Studios. And for you gamers out there, if you’re familiar with Back 4 Blood and Left 4 Dead, that’s those folks.

Did a stint with NIST and of course a security director of cybersecurity policy with the White House. So just a few things. I probably heard of some of. Probably has a really good understanding of that divide between high tech organizations who need to be on the cutting edge and then also the federal side.

So that brings us back to our conversational focal point today. Which again, is really about what innovation in the federal government space around cybersecurity looks like. Which is fantastic because right now we are running off the tail end of the new National Cybersecurity Strategy.

Which puts some of the onus on software developers, vendors, service providers to be more secure. So they’re taking more of a potential carrot versus a stick approach. But what that also does is also. Emphasize how much energy and focus needs to be put into cybersecurity. So they’re clearly extending either that stick or carrot, they’re trying to build those partnerships even greater with the private sector.

But that’s, that’s where we are today. So AJ, I’d love for you to give yourself a little bit of an introduction, making sure that I don’t accidentally call up the wrong school again. Yeah, let’s learn a little bit more about.

AJ Grotto: Yeah. No. Well, thanks for having me guys. It’s good to be here. Yeah, as you said, I, I lead a, a research and teaching program on, on cyber policy at Stanford where I’ve been camped out since 2017 after moving west from Washington DC where as you indicated, I had a, a bunch of experience in, in the federal government, including Capitol Hill.

I worked in, in the Senate, on the Senate Intelligence Committee staff, and know, fairly typical DC fashion. I worked at a think tank too, so I’ve kind of, you know, hit, I’ve got like, you know, the concert tee, you know, DC experience with all my stops, you know, on, on the back. And yeah, now, now I focus my time on, on research and teaching, and then I do just do some consulting here and there for companies who are, who are thinking about some of the problems that we’re gonna talk about today.

Elliot: Excellent. Love it. So just kind of jumping straight into it if you had to sum up the current systems and your understanding based on your experience interacting with that federal side, you know, how, how realistic is it to say, That there is a pure lack of innovation versus it’s just such a monstrosity of a beast to be able to move things forward in regards to cybersecurity and infrastructure around that.

AJ Grotto: Yeah. Well, I would say there’s an awful lot of innovation. It. Oftentimes happens at a slower pace. It could be difficult to scale, right? So, you know, one agency or another agency may have, you know, some great idea for how to, you know, streamline their, their IT operations, you know, bring new services to customers and stakeholders defend their systems more effectively.

But you know, it could be difficult to scale that learning across the federal enterprise. And then the biggest reason why is inertia. You know, it, it’s, it can be easy to pick on government for being, you know, slower than the private sector. Although I think in many cases the private sector’s not always, you know, not always fast.

When it comes to adopting technology, it really depends. But the federal government has, you know, this, this, this, these, these layers of legal and regulatory requirements for how it procures IT, how it manages it, how it pays for it. And so, you know, the, the people who are, are making procurement decisions, the people who are operating IT and OT, I should say, you know, within the federal enterprise, they have a really hard job.

And and so, you know, it, it’s, it. And inertia has an awful lot to do with it. Again, there’s just a lot of, of requirements of bureaucracy oftentimes imposed by Congress that that the executive branch, federal government has to navigate.

Neal: So real quick on that note some of the things you’re talking about, about speed and, and ease or lack thereof of change from the government side and vice versa. You know, it, it’s. Spot on having a government background myself and having certain many things to see this, but I still find it. It’s always, it’s always amazing to me that the industry, the private sector, could come up with some good ideas.

There’s a couple of early adopters, obviously early, you know, getting things going, but nothing really starts to get towards that wonderful s-curve, economics of adoption power curve there until the government itself comes down and starts making it a buzzword. Right. I, I think that’s probably partially.

Indicative of our, our larger scale, economic actually being tied to government procedures in general. Right. Whether we claim to be or not. But you know, point in case, like with Zero Trust as a whole, there’s been companies for a couple years that have been touting the construct, even pre. Co-executive order but nobody’s really paid much attention to it until the executive order came down and really said, Hey, this is a concept.

And I mean, you and I both know it’s still gonna be years more longer before the government officially validates what that truly means across the globe. Minor standards now, major things later, but, you know, kind of your thoughts on, on that adoption curve. You know, the government may still be slow, but once they decide to take some kind.

Notice of whatever that new thing is, regardless of how long it takes ’em to get there afterwards. You know, I, I personally tend to see the private sector ramp up massively quickly. Your thoughts on, on kind of that take on business, once the government says go, the whole world snaps to or not.

AJ Grotto: I, I think, yeah, I, I think you’ve gotta distinguish big companies from small companies. In terms of how quickly they adopt technology and also the, the, the particular sector that a company is in. All those factors can all affect how, how readily they can, they can and quickly they can adopt new technology.

So, you know, in some areas like financial services for example, which is highly regulated sector, you know, we just had, you know, a couple banks collapse here in the United States, including one, you know, in our neighborhood out here, Silicon Valley Bank. It’s a reminder. You know that, that as frustrating as, you know, regulations can be.

I mean, they, they, they, you know, when, when done properly that they, they do serve a purpose and. Banks because of that regulatory overhang are more conservative when it comes to adopting new technology. Cause they have to make sure that new technology is going to allow them to continue to comply with, with the various laws that they’re subject to.

So, for example you know, record keeping requirements that that exist to, to, to police insider trading you know, a bank that wants to adopt a new technology has gotta figure out, okay, how do. Is this consistent with, you know, can we adopt this new technology and still have it be consistent with our legal requirements?

Other sectors that, you know, aren’t as, as regulated, you know, have a lot more freedom. So you think big tech companies that, you know, they, they, you know, they’re, they tend to be quicker adopting new technology, partly because of their management culture, but also because they’re just less regulated and have more degrees of freedom.

And then, you know, in terms of. That that’s, you know, just a sector comparison. And then, you know, big, big companies and small companies, I don’t, I’m not sure you can generalize it. It’s easier for bigger small companies to adopt technology, but I do think that there is a resource factor as well as a management kind of culture factor.

You know, small to medium sized businesses obviously typically face more cost constraints. So technology, that’s all things equal more expensive to, I. Maybe, maybe more difficult for small to medium size enterprises. But, you know, for, for technology that, that, I mean, it’s cost effective. Small to medium size enterprises may have the advantage of having sort of fewer decision points, fewer sort of, you know, bureaucratic veto points on change and could move faster.

So I, I think, you know, I, I, I’m. I think it’s safe to generalize that yes, the government is, tends to be slower than the private sector, but I also would characterize that as a you know, a, a, a trend not, not a law of physics. Then when it comes to, you know, your point on adoption you know, there’s sort of a, a correlation causation question here.

It could be that, so in some cases, when the government adopts a new technology, it, it sends a signal to the marketplace. That this technology is safe or in some cases that actually, if you don’t use this technology, right, you may subject yourself to liability risk. Multifactor authentication is an example, right?

Where you know, the government’s pushing this as a matter of policy in itself has implemented it. And I think now there’s sort of a collective zeitgeist that yeah, if you’re not, if you’re, if you’re a company and you have sensitive data, Business operations, you’re not, you’re not using two-factor, multi-factor authentication.

You’re, you’re probably not up to snuff when it comes to meeting industry standards, but also the government adoption could, could also just be that look, I mean, they, they’re, they’re following trends in the marketplace too. And so, it’s not the government’s causing, you know, the market to adopt. And it’s actually the government’s part of that market and part of the trend of broader adoption.

Neal: Yeah, I could agree with that. That that’s definitely good insights. So, kind of thinking about, you know, adoption paths I’ve, I’ve personally consulted with some Fortune 50 companies. Worked with a lot smaller companies than that. And to your point, you know that there’s a lot of things that obviously go into that hurdle in the decision making process.

You know, it’s more than just money. It’s people, it’s it’s, you know, who’s been there for 20 years and has an idea that this works better than, that doesn’t wanna change versus who comes in and is able to. Make changes when and where applicable. You know, the, the who’s the better spokesman for whatever the new construct is, as well as being able to get the money.

But yeah, I’ve, I’ve seen Fortune 50 companies that have two people in their SOC and managed services as a primary. And then I’ve seen companies that are lucky to break 750 that run a 24/7/365. Yeah. Yeah. But you know, it’s just a matter of prioritization and principle, right? You know, it’s not like the one running the MSSP is technically getting less.

They’ve just prioritized how they want to handle it differently and that that’s fine. You know, if, if it gets you at least the same check boxes, whether you’re compliance driven or compliance and security driven. Then props to you. I guess so. No, that’s pretty good stuff. So I have a curiosity question.

So on around your, your gaming background, and maybe we’re a little early to ask you about this, but I am very curious. So, you know, early on before we kind of kicked off the recording, you were talking about some of the hurdles that you were more or less hired to indirectly impact and overcome because of the merger of the gaming with, or the buyout, I guess probably more aptly from Tencent.

Can you kind of elaborate a little bit more around kind of what that meant for you and some of the hurdles that you’ve probably had to see or overcome in respect to your security posturing and, and all the regulatory junk that you’ve obviously had to deal with because of that Chinese presence?

AJ Grotto: Well, to me, the experience has reinforced how there, there’s a, an incredible diversity of IT environments out there. And you know, a, you know, the, the, the, the IT environment within a gaming studio is way different. You know, an environment in a bank, for example, the tools are different, the workflows are different.

And you know, the, the challenge from a security perspective is, you know, regardless of, you know, the company, how do you, how does one, how does management identify risks decide what level of risk to accept or. Decide where to, you know, invest in risk mitigation. And you know, that that is that process is ultimately a human.

Come back to your, your, your point earlier about people, right? I mean, that, that’s a people driven process. You know, there’s a lot of hype around, you know, AI tools helping to, you know, helping decision makers make more informed decisions about their risk posture. But even then, you know, humans are still gonna be the ones making decisions.

You know, management culture management leadership is I think by far the most important factor. You know, whether it’s a video game studio, whether it’s a bank, whether it’s, you know, a small, you know, bi, you know, grocery store business, right? In terms of, of, of, of, of managing risk. Any risk, but especially IT.

Neal: No. Well said. So on that journey some of the things that, you know, Points, again, fair points about infrastructure. I think these are key things for people to understand is back to the one of the reasons why Elliot and I are doing this, cuz no one’s journey’s gonna be the same about going down the Zero Trust rabbit hole or any security rabbit hole.

And if you’re trying to take a model from company A to copy process company B simply because you have the same dollar signs or you’re happening to be in the same industry vertical, good luck. Right? But you know, there are obviously lessons to be learned. So in, in your journey here a little bit from the IT side with the.

Company how does that kind of impact y’all from the idea of, you know, zero trust or, or better security postures, especially with the international presence? Like, I mean, what are, what are some of your maybe key concerns or some of your key findings that you think are, have been pretty impactful along that part as well?

Knowing. Infrastructure’s way different than financial services, to your point, and, and some of these people I’m imagining, given what I know about the engineers I work with and programmers, they don’t like to come to the office unless they have to. So there’s a lot of potential remote stuff. There’s a lot of potential PII for what y’all are doing.

And I would say given one last thing that’s success of what the company has done in the past, there’s probably a lot of people who are. Potentially actively engaged in trying to exploit something for insights or other stuff. So anyway, all that say compared to financial services, which is, you know, they’re there, they understand how to stop web jacks also the crap, but how does that impact you from a gaming infrastructure in that cultural mentality to overcome that from doing things zero trust esque and stuff of that nature.

AJ Grotto: Well, I, I’ll say, you know, we, we, the, the IT leadership. Team at within the company is, is this first rate. And you know, the, the, you know, the culture of a gaming studio is, is, you know, this will be a little, maybe a little bit of a theme is, is unique, you know, I mean, you know, compared to a bank, for example at, at a studio you know, I, I would summarize it.

It’s, it’s, it’s a workforce of creative. Right. So these are, you know, people who are developing narratives for games, people who are you know, designing, you know, worlds and vehicles and weapons and character skins and all that kind of cool stuff that makes a game, you know, visually appealing with you, compelling narrative and you know, an intuitive, you know, gameplay. Yeah. And, and your creatives, you know, I mean, it, there, I think there’s a constant sort of and, you know, I would say healthy, you know, tug of war between, you know, the need to facilitate creativity the need to eliminate, you know, sort of friction and transaction costs to people, you know, doing their jobs.

And then of course, You know, you know, making sure that, that the systems are, are appropriately locked down. That you know, that to your point, you know, adversaries can’t, you know, can’t get in whether they’re malicious insiders or you know, outside threat actors. You know, I mean, that, that, that, that, that’s actually a challenge that exists for really any organization that, that, you know, that, that wants to adopt zero trust.

And this again, comes back into sort of the management cultural factor. What, how one goes about you know, implementing zero Trust in a video game studio and the federal government you know, pick your, your, your, your sector. It’s going to look different. And, you know, it, it, it, again, I think it all, all comes back to management and leadership culture.

Neal: So, so I mean with that kind of in mind, I think for some of the listeners it’s important to highlight that mine is the fact that you’re tied to, to a Chinese entity and there’s some regulatory requirements there. Y’all as a company are, are more or less kind of pure power play, private diy. There. There’s not probably a whole lot of blatant rules and regulations for what makes you hu other than just normal standards, I imagine.

And so back to financial services, you know, There’s a lot of regulatory things there that keep them what they are. That security standards, implementations, interactions with ISACs, government entities, all that other stuff that, you know, if they miss a day doing such and such, then they, they get obliterated.

They get fined, they get brought out in the news, they get shamed, whatever. Right. But for a company like y’all, I imagine, you know, there’s probably a higher level of just self ownership of this process to make things better. Right. You, you kind of, Look at it from a, a lens of what makes sense for us versus what the government’s enforcing us to do Is, is that fairly accurate as a whole?

AJ Grotto: Yeah, well, you know, there’s I mean there are so, you know, in, in the case of studio you know, we’re subject to a national security agreement. That the company negotiated with with the Department of Justice and the Department of Treasury, you know, under, pursuant to the CFIUS foreign investment review process as a result of the, the Tencent acquisition.

The details of the, of the National Security Agreement are confidential. I can’t go into it really any details about them. But, you know, they’re, they’re, they’re reasonable. You know, and I think, you know, if you may, maybe taking a step back. Really, I think the question, you know, the, the big policy question is, okay, under what circumstances are we as a country comfortable with a private actor operating under purely private economic motivations making risk decisions versus Okay, are there circumstances where either we don’t trust the private sector to make the right decision. Or maybe there are other factors that that, you know, that are that, that are in play that where, you know, a public policy view of what is an acceptable level of risk, maybe different from what you know, what, what the, the company does. And so, you know, to take take, take critical infrastructure as an example, right?

So think, think about, you know, the electricity sub-sector of our economy, right? Huge. I mean, we all rely on. And you know, that that’s a, it’s a, it’s a pretty heavily regulated sector. Although I will say cybersecurity was, is a relatively late arrival in terms of regulatory focus, let’s say last 15 years or so with, with greater focus.

And, you know, the reason, you know, the reason why we may not quote unquote trust a utility, most of which are private, you know, privately owned to make the right risk decision is because. The, the difference between, so if, if, if, if the power goes out, the company suffers a loss of revenue that is a loss that they, they’re able to internalize, right?

They, the company’s okay, we, we get this. On the other hand, like the costs to society are much bigger than that. So big that you know, why, why would a rational utility factor that bigger cost, which doesn’t affect them, it affects their customer. Into their internal invest, risk mitigation investment decisions.

And by the way, they may include, look, if, if, if it gets so bad, we’ll just go bankrupt. Right? So again, why would we, why would we pay you know, before to mitigate if in the end we won’t ultimately be responsible for paying the costs? And it’s those kinds of problems that where, right, where I think regulation is, is, is advisable.

You know, figuring out how to craft regulations that are, are proportional to the problem and tailored to the problem that the regulations are, are, are trying to solve is, is another matter. You know, it’s possible. It’s eminently possible for there to be a need for regulation and for government to screw up, you know, how the regulations are designed and implemented.

You know, that’s, that’s, but there are always maybe. Circumstances where, you know, companies aren’t gonna internalize the cost of the risk decisions. In those cases, you know, maybe, maybe there’s a need for government.

Neal: Well it’s kind of funny cause I think on our, our very last episode that we’re just recorded, we kind of went down this a little bit and you know, one of the The analogies or similarities and hopes of what we’re seeing now was with like the banking industry with respect to credit card fraud and debit card fraud, pick a flavor.

Right? And that that’s a privately regulated decision around what they decided to do originally around, you know, if your card gets popped for 10 bucks, you’re not gonna hire a lawyer. You’re not gonna hire an investigator. Right? But they’ve made that part of their business risk decision because they know long term.

A $10 pop turns into a million dollars, turns into $10 million kind of thing from the same threat actor. So they took ownership of the fraud, reimburse you for what’s there, and then they go out and do the larger investigation with whoever their LE counterparts are to in order to do that stuff.

And then as part of their own internal opinion on the size of the bank, you know, they may or may not have already done some of that legwork before giving it over to FBI or whoever, but that, that’s slightly different in respect to, like you mentioned, if the power goes. Or if the gas gets shut down and we don’t have any gas pipelines slowing for whatever reason.

You know, you’re right that that’s, that’s a little bit different risk assessment from a cost benefit analysis that they’ve done. And I agree from a regulatory perspective, it makes a lot more sense for those critical infrastructure type things to have that tie-in. I think that’s the other thing for people to understand is that when it comes to critical infrastructure, key resources, Like you mentioned, there is a lot of regulatory things that apply to the uptime and availability of those types of things and those solutions specifically.

So that way, day-to-day life moves on. When the pipeline went out, that obviously impacted gas prices nationally and then eventually globally for a couple of weeks. And that was one single pipeline, right? Stuff coming down to Houston and or up from Houston rather. And that’s what really stuck here in central Texas.

It wasn’t like we were getting that fuel, but because of the lack of stuff going. The state had to compensate and supply to push things a different route. So, you know, even the state that was producing but not consuming, still got impacted by something as simple as that. And the other part was, it wasn’t like the pipeline itself was really down, it was billing infrastructure to support.

That really was ultimately impact. And that’s what, so I’m saying all this because that’s kind of what I think got us into where we’re at with all these recent regulatory requirements over the last couple years. And I believe personally, that’s kind of what got us to the government constructing their first, you know, zero trust mentality model.

Because they had all these regulatory requirements now that are there that say if you’re a part of CIKR and you get any kind of. No matter what it is, you have to report within X hours. Right. And that was kind of already there, but then that got us into the software bill of materials, courtesy of SolarWinds and all the other crap that we’ve put up with the last couple years.

So, anyway. I think that’s kind of our path is we’ve just had a lot of critical issues that weren’t regulated very, very well that impacted global economics and now the government stepped in to regulate because unlike parts of the banking industry that self-regulate for the sake of risk mitigation on our behalf.

To your point, that really wasn’t there, in my opinion. 

AJ Grotto: Well, yeah, and I think it’s, you know, incentives matter. You know, it’s, it’s a, you know, kind of. Right thing to say, but they, they do. And if you, if you, you know, if we look at, at the risk decisions that actors and organizations make in the marketplace, they’re, you know, they’re, they’re driven by incentives.

You, you mentioned you know, a credit card, you know, fraud. And there’s actually a really interesting case study comparing the incidence of credit card fraud in the United Kingdom versus the United States. And so, you know, as you mentioned here in the United States the credit card companies are on the hook for for covering, you know, fraudulent transactions using the card, right?

So if you or I, our card gets, you know, hacked and used we’re, we’re not liable. Like the credit card company is gonna gonna cover that for us. In the UK, it was the, the burden fell on the consumer to prove that there was a fraud which is hard to do if you’re just an ordinary consumer, right? So if your, you know, your, your account gets hacked and your credit card gets used, your number gets stolen and used, you’ve gotta prove that those transactions work.

That’s really hard. And so, not surprisingly the banks invested a whole lot less in credit card fraud mitigation, including a lot of cybersecurity capabilities, in the UK than they did in the United States. Why? Because in the United States, the banks felt those costs; in the UK the banks were able to pass those costs onto their customer. And so why invest if you’re not gonna pay the costs? That, that, that, you know, and I think these incentives problems are, are legion, you know, in in, in the cybersecurity. Well, you mentioned the software bill of materials. You know, there’s a, there’s a classic work in economics. By George Akerlof who actually ended up winning the Nobel Prize in economics for this where this is an article I think was put out in 1970, where he imagined a marketplace for, for used automobiles.

Some of those a, these automobiles are identical in every way except some of them are peaches, some of them are lemons. Peaches are good cars, lemons have something wrong in them. And what he argued and I think proved was if you have a market where consumers can’t tell the difference between a peach and a lemon, what are they gonna, what are they gonna be willing to pay for a car?

Well, somewhere in between those two prices, well then all of a sudden, owners of peaches are gonna be like, look, if I put my peach in the marketplace, I’m not gonna get the full value. Why would I then bother to sell it? And what happens then is peaches get pulled from the market and you end up with a market of lemons only. And there are a lot of people, myself included, who believe that the software market is the market for lemons because it’s really hard for consumers to differentiate products on the basis of the security attributes. And when that’s the case, you end up with a, an ecosystem of all things equal relatively bad software from a security perspective.

And the software bill of materials is designed to, you know, designed to fix this, right? By bringing more transparency, by resolving what economists call information asymmetry between buyers and sellers of cars. In, in Akerlof’s case, but in our case software.

Neal: Yeah. So that brings to mind a good question that we haven’t, I don’t think we’ve really completely asked in a while. So from a standards perspective, when we think about Zero trust, Do you see a future and we’re, I mean the answer’s kind of already slightly there, but do you see a future where, from a regulatory perspective, outside of the government industry and connections where the, there’s more certification pass more, Hey, look at us.

We have a stamp of approval, like pick a flavor regulation. This is our, our, our. Proof that we’ve done it, you know, and, and that we claim to be zero trust and here’s what we say it means to be zero trust by x third party standard. And do you see that market space opening up a little bit

AJ Grotto: Yeah, for sure. Yeah. No, it’s, it’s a, it’s a, it’s a, it’s, it’s a growth industry and I think especially when it comes to systems that also have AI/ML components in them, you know, there’s a big push in, in, in, in that space as well to, to audit algorithms for bias and for other, other problematic attributes.

And I’ll be honest with you, I. On the one hand, I love the idea of, of certification and audits because they, they help resolve this information asymmetry problem that, that, you know, that I, I mentioned you know, it’s, it’s but audits can be gamed, certifications can be gamed and. You know, the broader economy as well as the, you know, the, it, you know, part of the economy have lots of examples where clever organizations have gamed audit.

Or where audit hasn’t fulfilled its, its objectives because of problems with either conflicts of interest between, you know, the, the auditors and those who were being audited be, you know, as one example. Coming back to the incentives theme you know, a big problem with audit is if I am a, a, let’s imagine, I’m a, I’m a a company and I wanna get an audit of my, actually, actually, let me say I’m a company and, and I have a product, a software product that I want audited against some standard, right?

And I’m probably gonna pay some third party to perform that certification. Now third party auditors are businesses. Typically, they’re out to make money. Their revenue is derived from doing audits. Think about the incentive structure here, right? And the conflict of interest. It, you know, auditors want repeat business.

If they get a reputation for being too hard, they’re not gonna get repeat business. So you got, you know, so you gotta be careful, right? And that, that’s not to say that all auditors are, you know, suspect, but you know, there is that, that incentives problem there. And part of the answer, you know, is, is having, you know, accreditation, you know, for auditors, training, ethics requirements, enforcement of ethics requirements.

But now we’re talking about you know, a, a bigger, more expensive ecosystem, meaning that the cost of an audit also goes up. And so, you know, It, it’s, and this is again, I think I, you, you asked Okay. You know, is this smart? Good take up? I think the answer is yes, because there’s a lot of money to be made, but, you know, in, in audit, especially for people who are selling audits.

Neal: No, that’s awesome. Yeah, I, I, I agree. I think Elliot and I are gonna shift trajectories here financially, and we’re gonna start our, the first official Zero trust audit company, third party

AJ Grotto: Nice. Congratulations.

Elliot: Don’t tell that to my parent ship company cuz they’ll, they’ll kill me immediately. Oh my gosh. So, I don’t really talk about it often, but I do work for Drata, which very much is. In that house where we help facilitate the audit process before the audit make sure that they’re good there. But

AJ Grotto: Yeah. 

Elliot: too timely of a conversation where AICPA actually just put out a signal flare, I think three weeks ago, indicating that not just as you’re indicating that there might be conflict of interest between the.

I think they’re calling it service organization versus the auditor, but there’s also that software layer. And I, I gotta be very careful, so I’ll get myself in trouble. But yeah, there are definitely organizations who have auditors. Who actually are connected to that agreement, which that completely defeats the whole, like, third party neutralized approach.

So yeah, it’s just a very timely factor, and it’s pretty clear that organizations like AICPA are flagging these things too. So there are multiple conflicts of interest factors in there. But yeah, you know, maybe after I eventually get myself in trouble and get fired, we’ll, we’ll build up our own zero trust audit firm.

Neal: No, I think I think personally, I think we’re on track to become the next Hacker Valley Media and, and. Maybe grow faster than than Chris and crew over there and buy them out. And real quick, shameless plug. Not shameless, but purposeful plug for them. If y’all are looking for some fun stuff, just shout out to our friends.

Over at Hacker Valley Media and Studios. They, they run some really good content. And Chris Cochran’s, former Marine, like myself and a Netflix Intel guy when he got off active duty. Anyway, that, that in mind. Yeah. You know, there’s a lot of weird things, regulatory. I, I think it’s hilarious. I, I do agree. I, I’ve seen I’ve seen auditors come in and, you know, every once in a while you do get the hard-butt one that’s just like, man, y’all suck and we’re not, do you know you need to fix all this?

I’m like, thank you for being truthful. But by and large, most of them are, I wouldn’t even call ’em consult. Consultative would at least say, Hey, here’s what’s wrong. We’re gonna help you fix it and then charge you for it and do all this. There are some who do that too, but by and large, most like, Hey, here’s what’s wrong.

And if you fix it, fix it, quote unquote, within two days to where we can’t see it, you’ll pass the audit check. Right. And really, what does that mean? You just unplug the device for the next time they run the audit check and the device is no longer active. Oh, crap like that. And then they’re like, oh, congratulations.

And yeah, I agree. It’s a weird. Slope. And your mileage does vary, but you know, I, I am, I am looking forward to seeing now that we have some government regulation standards of sorts, rather behind some of those, some ideas around NIST for what Zero Trust means. I am very curious to see what the rest of this year holds for, for audit companies that one claim zero trust as process flow, but two, start trying to develop their.

Standards, you know, what are those gonna look like and who’s really gonna come out on top as the one who gets the first government paycheck?

AJ Grotto: Mm-hmm. Well, there, look, there, there, there, there’s a, there’s a need for it because, you know, think, think about you know, business partners, right? You know, let’s imagine you and I are business partners. You say you’ve got. You know, I, I, I’m gonna be transferring data to you sensitive information. And as part of our contract negotiation, I’m gonna wanna know, okay, how are you, how are you gonna protect that?

Right? And you come back and say, well, I’ve got zero trust. I’m gonna say prove it. And that’s why comes in. I mean, so there, there’s gonna be, you know, a huge demand for this. And as, as I, I appreciate your points about, you know, both of your points about, you know, the need to structure those relationships in a way. That you know, ensures that, that you know, that the stakeholders are getting good information out of the audit, which much of which has to do with there being like, auditable criteria. You know, that, that, you know, we can sort of point to objectively, yes, you either are or are not meeting this requirement. That by the way, has been a big problem in, in the federal contracting space especially for DoD. And that that’s a whole, that would be a whole other other.

Neal: No, that’s awesome. So I, I think we’re kind of coming up on time, so I’m gonna let Elliot say his piece real quick and see if there’s anything else that he wanted to cover before I take us off on a whole nother tangent. So,

Elliot: Yeah, unfortunately there’s just a really good topic to fall down. Our rabbit holes end. But I, I just want to bring up maybe a point that we flagged from our last episode, which was with Lana Cohen and Tony Scott. Where we talk about national cybersecurity strategy, one of the elements that seems to be a like really critical blocker for innovation at the government level are budget.

So, you know, having been in those shoes, having dealt with where that lives do you feel that it makes sense to try the government, try to find a pathway? The budget tied to cybersecurity is outside of the realm of that giant bucket that everything else is in. Cuz it does create obviously blockers.

They put out the strategy. Are they able to execute it on it? Not until they approve the budget, but yeah. I’d love your input and your perspective on, you know, how that functions.

AJ Grotto: Well, yeah, and, and I mean, you know, I know both Tony and Alana and Tony in particular when he was federal CIO you know, developed this this revolving capital fund idea for federal IT that was, was a great idea and Congress implemented part of it. I wish they would go the go the whole way.

The idea is that agencies could basically borrow against a revolving capital fund to modernize their IT and then pay it back. And that. You know, help help them get out of the sort of annual kind of dubbo of federal budgeting for IT, which isn’t very well suited to make to sort of long term you know, recapitalization decisions should back up.

A big, a big problem the government has is legacy IT, this, this, you know, this, this big legacy IT overhang and because we, you know, for many years it’s gotten better actually over the last five or six years. I actually give the Trump administration a lot of credit. They, they actually put a lot of work into trying to recapitalize Federal IT.

And, but we had this, this tax that we had to pay to maintain legacy IT: outdated, more expensive to maintain. And you know, this, this, this revolving capital fund, you know, which exists small, relatively small amounts would be one way to address that problem.

Elliot: Very cool. Yeah, I, I’ve not been aware of that, but I, I love that we’re able to kind of like, overlap from that last conversation, kind of dig back in. So that said we are unfortunately at time, but we are definitely gonna have to find a way to bring you back your balance between working on the federal side and working with, you know, Creative studios that you’re at right now.

You know it. Oh, sorry. And being an academic there’s that piece too. Obviously. There’s just a lot of really good perspective here that we we really appreciate you providing that insight and expertise with our audience. So thank you so much for being here. We, we really appreciate it.

AJ Grotto: to be here guys. Thanks for having me.

Neal: Appreciate aj. Thank you, sir.

*** This is a Security Bloggers Network syndicated blog from Adopting Zero Trust authored by Elliot Volkman. Read the original post at: