CSPAN Govt Corporate Officials Discuss Federal Cybersecurity Priorities Part 4 July 14, 2024

Welcome back, everybody. In the home stretch of our program today. There will be three panels awardsup followed by two and as I talked about before, a very special guest who will receive a lifetime award today. You will certainly want to be here for that. This next panel is dealing with the chief information security officers. We are fortunate to have some great leaders here today. Our moderator is the right is a vice president of the public sector. Joining Frank is Nicholas Ward, chief information security officer from the U.S. Department of Justice, Shane Barney, Security Division is from Homeland Security, Mr. Jack Wilmer, he's the deputy cao for cyber security and the DoD chief information security officer, and Stacey Dawn, chief information security officer chief privacy officer for the Export Import Bank. Thank you, panelists, for joining us today. I know Tom especially wanted this panel between lunch and happy hour because of the great panel we've put together. I run public sector at Splunk. We are a T-shirt company that also makes really great software and we'd love to talk to you about that. If we could just start and go down the maybe for a minute the size and scope of your agency's security environment and some of the top challenges you are dealing with today in cybersecurity. Identify the chief information security officer for the department of we have about 160,000 users, 250,000 endpoints, different types of networks that we have to protect. A lot of permissions. We do law enforcement, we do the negation incarceration, the whole lifecycle of criminal justice is really what the Department of Justice does. Try to catch up and tell everybody know. We are helping them complete the mission and be successful. Thankful Shane. Shane: We are a component of Homeland Security.
We are responsible for the administration of the immigration systems which is the administration of the benefits, citizenship, work permits and we componentsh other within the agency on immigration-related issues. It is a very large, complex mission. Moving parts. Of because of what we do and where we work, we are very spread out. We have to hunt 50 officers offices we have 200 around the world. Cloudbasedgency is. Maybe more. There's a lot of challenges. As a heavy shop, we are policing, developing and doing new things and staying on top of that while securing clouds. While securing against all these threats that we don't even know about yet. It is the challenge and mission. It is a dynamic and never ending. Sharing. You for Jack. Jack: I am Jack Wilmer. Userse three to 4 million 3 million to 4 million users. If you look at network devices, those of the real cyber text services, about 12 million endpoints. So it is abal scale bit scope of what it is what we are responsible for. In terms of the biggest challenge, when you have to impact the surface that large, it is not that difficult to find any user that is going to click on whatever link you sent to them. To kind of find that weakest link in the chain. A big part of our emphasis is trying to look at converting that cost curve. It is not that expensive for our adversaries to be able to attack waysd try and find throughout offenses. It is expensive for us to keep pace. We have to we are finding a new exploit and find a new tool to find that particular exploit and try something different. One of the big challenges we have is trying to figure out what are the things we can do to make the DoD defenses a little more agile so we don't have to continue to buy new tools every time the adversaries pivot their capability. I have the macro level view. Gives me a little bit of anxiety. From exportey dawn import bank of the United States. How many of you have heard of Export Import Bank? Fair number but there is that haven't.
They are the agency that keeps jobs in the United States by providing credit as insurance and guaranteed product for companies that are exporting products to other countries. We only have about 500 users so our scope is quite different. Because we are a small agency we have the challenge of being able to afford the tools that you have and we are held to the same standard from DHS as the larger agencies. We have a lot smaller staff, we have a lot less tools but we have the same mission to protect the data. Thank you all for sharing. I thought we will start off talking about IT modernization and how it is impacting your world. Jack, I know you are no stranger so I thought you could kick us off on this question. Modernization is impacting all facets of public sector today. You're upgrading legacy systems and trend to meet objectives and resulting in the elimination of physical boundaries. Clouds are an unstoppable source. How are you going about optimizing your approach to cyber in this new world? Jack: I will start out with that. Our IT modernization strategy, my boss and he has spent probably the first year really honing in on how do we need to modernize a modern physician to make sure we can keep pace. There are four key pillars and I am hoping I don't have a Holiday Inn Express moment. The first one is cloud so that is one of the major efforts that we have is trying to implement the cloud strategy and drive the department to make better use of commercial cloud. Real emphasis is to be able to drive agility to bring new capabilities to the field faster. The second is artificial intelligence. We recognize as just about every country has nai is going to have the ability to revolutionize how the Department of Defense does its mission. That is a huge area of importance. There is an intersection between cloud and artificial intelligence making sure the AI algorithms that are run.
General Shanahan yesterday and walked through a little bit what their mission is and how they are helping to bring that change to the department. The third pillar is command control and communications. Basically how we talk. That is integral to how we fight. Everything from satellite to your standard networks including 5G and all of that. The final pillar is cyber. To get to your question about how do we keep pace? I have two main functions. The first is how do we drive down risks for the department? How can we make sure we execute our mission in the face of some of the world's best cyber actors that are trying to undermine our ability to succeed? The second goal is how do I support those other pillars of modernization? You can have the most agile cloud but if we apply the same standards to how we bring applications to the field, we are not going to be able to deliver on that promise. That is the main focus of the cyber perspective as it ties to modernization. Great. Perspective, both these I am more component level in my understanding is slightly different because we have been in cloud for as long as we have been in, we have had to deal with a lot of these issues. It comes back to a saying. Drove which they really kind of tied it all together is the infrastructure is code then security is code. From my perspective, if I have i ught in my developer does not only am I losing the battle, I have already lost the war. , we have hadn the some incidents and some interesting experiences with it and learned a lot. It was the developers who came they were the ones who came in and helped us solve those problems and develop new methodologies and new tools. Having thoselved developers in place is a strategy. We started implementing this about four or five years ago. Can you share? Really, we look at IT
modernization isn't simply just, it certainly is there to address mission use but also getting rid of some of that text that can help improve our cybersecurity landscape as well. It is very typical to update and keep up and patch and do her thing you need to do for system that is 10 or 20 years old. How can you secure those kind of systems? Turning your security teams and developers make it really migrate into that kind of model. That is the way we've got to go. We got to be able to be fast and use code and that is the way to success in my mind. If we are not going to go to enable the mission, you need to get rid of these old systems and IT modernization is the method to get there. Stacy? Part of modernization is finding everything you have out there and I think that is the challenge because there's a lot of shadow IT, even in a small agency, all of a sudden we will do a report and find out someone is using a system we didn't know about and we have to find a way to modernize that and make sure the network is protected. Cooker that is great. I love that that is great. I love that phrase that security is code. The skills that you're looking for as you build up your staff. You look at the contracts and the staffing models and we recently redid our entire division. So we redid the entire structure around the model. Part of what we have the compliance mindset. We look to create matrixes and add little things to it and find colors and make it glow green and yellow and ink and purple. That does is make someone happy. Secure. t make you and we get lulled into that. I banned the word compliance. Everything should be based on risk and risk assessments and mitigation over risk. How do we go about doing that? It is a cloud environment. Changings doing is various dynamic. We say have our security analysts. You would have your compliance officers. Nerdyu got these high-end cyber specialists who can do amazing things and can't really talk ones and zeros.
The development teams who are helping build what is necessary to drive forward their mission and to deal with their eyes and it should change and has to change. To take that further, thinking we are going to leverage the same skills and network monitoring is different you are not going to be a network security analyst, you're ng to be looking for develop test developers have to be part of your team. I do think we better look at people that are going to have those kind of skills, analytics scripting and it is much different than your traditional network security kind of you. You can't just look at PCAP anymore. Sure. If I could follow up something he said, you mentioned AI. For each of you, where do you see the role of AI playing in cyber or your environment. Is there one yet? Or is it in developing piece of technology. The good news is yes. It is still developing and evolving. I don't know how much Shanahan touched on this but one of the mission initiatives is sponsoring for the department and basically leveraging AI to producing helpful cyber defense. What we are seeing trends where both the militia and defenders are looking at how AI could be leveraged and more machine learning. Leverage to build to find and exploit vulnerability on the attacker side and for us to be able to have the kind of agility to be able to match that. How do we leverage AI to predict anticipate the types of moves they will make as we encounter them. I am going to agree with Jack. But we need tools like AI. We have to prepare for the future because right now there is a deficit of cyber professionals and we need tools to help us so we need to rely on things AI. We have seen there is incredible potential opportunity in the set the foundation from what I have seen is having if only there was a software company that could help with that? About services. Shane, I will start with you. This security border in the IT
modernization have been encouraging government agencies to consider increasing the use of services. How will shared services be better for you as you think about your push cyber? So, I am kind of on a yes and no. Shared services offer a really unique opportunity and framework modeling type thing. DHS, there a higher stock optimization on the way and part of that effort is to adopt. We adopted a DoD model what elements are involved? Compare our different opponents and then leverage that for those who do not have that center of excellence. That is a good use of a framework. Then use that also from more of a department level is to say, ok, these services are required based on our assessment in the framework that will help leverage that and there's cost savings. The danger for me becomes you get a compliance mindset because now you're looking at it and saying oh, we had all 17 points. We are rock stars. Security is a proactive game. It involves far more than making sure you check all the boxes that you're actively engaged in doing bug bounties, that you're always assessing all your risks and understanding what is critical and what is not critical there is those elements. Model sod services long as it doesn't apply so far to become the standard by which you define yourselves. You know, for me shared services, I think, is a critical component on the even attempting to win this fight in cyber. How many federal agencies are there out there? There's just not the talent to be able to fight this war. There's no way every single agency can possibly recruit all the best people and be successful here. That's one area that we saw. We did well in security operations so we built a security operations as a service. We offer that out to other federal agencies because we just think it's really important to have good strong capabilities that can be leveraged across any agency and we shouldn't be trying to hoard those things and keep them for ourselves.
We need to share them with everybody else. The cost savings is definitely a piece of that, but I think it has more to do with how do we share the best capabilities we have within the federal government. Leveraging pockets of expertise. Absolutely. From my perspective it becomes I'd almost love to talk about an API framework. I always get back to the data because a lot of these conversations that I would have at the department at my level, it always comes down to that data element. API models within that framework would actually really extend our capabilities and allow us to know where we have our gaps. In terms of shared resources, absolutely. I don't need digital forensics in my SOC ever really. I'm happy to push that off to somebody else. But there are things I do need that are unique to me that a shared service model doesn't always permit. There's got to be a good balance, is my view. I would offer, part of our experience, using the defense industrial base as an example, you've got the big guys pretty well situated. They understand how to operate a SOC on down the line in terms of cyber capabilities. But you have very small suppliers that are not going to be able to handle the nation state attacks directed their way depending on what they're supplying to us. If we can target the guys that are not going to be able to attract that cyber security talent to kind of build it all themselves but at a price point where they can afford it, I think that's kind of the optimal use of a shared service. How we apply that to the larger organizations I think has to be done with a lot more care just because they do have a lot of expertise. Definitely as a small agency we rely heavily on the shared services and the economies of scale to get the prices down for some of those tools that we wouldn't be able to negotiate on our own with only 500 users.
It's really important to have those shared services and the staff to test those tools and to give us feedback on them because we don't have enough staff to create all of those development environments for everything that is out there. Is so great about having a florida view is we have such diverse environments from large agencies small little ones. Stacy brought up something that I think is important and I thought I would ask the question your way is about the human resource issue. One of the biggest challenges I've heard from other government leaders is the skills gap in the shortage of cyber personnel. This is impacting everyone but more acutely government. How are you dealing with this and do you see technology helping you address this? These are my opinions and not those of my agency. Splunk did not pay me to say this, but it's really hurting the small agencies to attract that cyber talent and the federal government is seen as a place if you come out of school, they are old, they are backwards, they don't have the latest tools and it takes so long to get something done. So the federal government as a whole has to look into modern technologies, keep modernizing and bring in the workforce and have them get challenging assignments. So we need the career progression path clearly defined for them. And we need to use other agencies. Mine's so small, we need somebody that's at an advanced level and we need tools like Splunk so we don't need as many humans, that technology helps us to fight the bad guys. It's really important to stay on top of what's modern, use those tools, train the workforce. The way I look at it is if we're in the government and one of the agencies trains somebody and they get a promotion to go to another agency, that's better for the government as a whole. If we train them and they go into industry, it's still better for our country. So we shouldn't not train somebody because we're afraid that we're going to lose them.
But giving them that training might actually keep them happy and retain them more. That is a great perspective. It's interestin
