Transcripts For CSPAN3 Govt Corporate Officials Discuss Federal Cybersecurity Priorities Part 4 20240714

The next panel is with the chief security information officer is the cyber leader panel. They are fortunate to have some great people appear to talk to us today. The moderator today is the Vice President of Public Sector. Joining him is the chief information security officer from the U.S. Department of Justice. The chief Information Security information ist from Homeland Security, and a deputy CIO for cybersecurity and the DOD chief information security officer. And the chief Information Security up there and she privacy officer for the Export Import Bank of the United States. Over to you, Frank.

Thank you, please, have a seat. Thank you, panelists, for joining us today. I know Tom officially one of the panel because of the great help in together, my name is Frank, I run the Public Sector and for those of you that knows and our customers I would love to meet you and I will be here today, because you that do not know blanche we are a teacher, the next the software as well. A sure my time I thought we would just jump in. If I could just starting go down the line. We'll talk a minute or two about your agency and security environment and some of the top challenges you're dealing with today.

Sure. So, they chief information security officer for the Department of Justice the department is, we have about 100 to 2000 users, 2000 endpoints, lots of different types of networks we have to protect. Out of information as we do law enforcement, we do litigation, incarceration, the whole lifecycle of criminal justice is really what the Department of Justice does. I tried to protect the mission as I can. Some of the challenges looking at how we can adapt to the rapid pace of the changing missions and how we can support the better.
How we really can integrate security in systems as we try to deploy the really quickly and, so, I'm looking at ways we can rapidly catch up, not catch up but keep up and be able to enable those missions especially want to be able to adapt and address these kind of problems. 20 years insider, we can never fast enough. I'm trying to change things so we can do that, that is my goal is to really make security an enabler rather than try to catch up and tell everybody no all the time, I want to make sure we are helping them complete their mission and be successful.

Thank you.

I'm Shayna Barney and the chief security information officer at immigration services. We are a component of Homeland Security. We are responsible for the demonstration of the ration system which is the demonstration of benefits citizenship, work permits, legal residencies, these type of things, we partner with other components in the agency on immigrants related issues. The mission is a large mission, a complex mission, there is a lot of moving parts, once in a blue moon you see something about it in the press. Maybe. But, no, the less capable reworking, you know, we are spread, offices rental real. About 190 some odd endpoints, economy, where the earlier office we have been caught about 10 years. About 85 maybe of the agency is called basic this point. Many more. We are still releasing and developing and doing the things. Staying on top of that, staying in front of that, while securing the cloud, securing against all the threats we have not even a note about you. It is a challenge, the mission. So, it definitely is the dynamic, never-ending.

Excellent. Thank you for sharing.

So, good afternoon, I am the assistant dso, in terms of our side of the scope we have 3 to 4 million users, about 4 million endpoints managed 10 points and operating systems, if you look at network devices for the real cyber attack services, about 12 million implement.
And as Neil said, global scale, pretty big scope of what it is that we are responsible for, in terms of the biggest challenge, when you have attack surface that large, it is probably not that difficult to find a user on the 4 million double-click on whatever link you sent them and to kind of find the weakest link in the chain when you have that large of a chain, a big part of our emphasis is trying to look at converting the cost curve, right now, it is not that expensive for adversaries to be able to attack us and, you know, try and, you know, waste through our defenses, it is expensive for us to keep pace so we have to come it seems like we will find a new exploit, a tool to stop the particular exploit and the thing is to try something different. We try to find out what we can do to make the DOD defense is a little bit more agile so we do not have to continue to buy new tools every time the adversaries pivot their capabilities. So, that is part of the macro level.

Hearing about the size of your environment me anxiety. That is why you are here.

I am Stacy Don from Export Import Bank of the United States, I am the official chief privacy officer. How many of you have heard about Export Import Bank of the United States? A fair number. But, there are some that have not. They are the agency that keeps jobs in the United States by providing credit and insurance and guaranteed products for companies exporting to other countries. We only have about 500 some odd users, so, our scope is quite different. But because we are a small agency, we have the challenge of being able to ward the tools that you have and are held to the same standards from DHS as the larger agencies. So, we have smaller staff, a lot less tools, but the same mission to protect data.

Excellent. Thank you and thank you all for sharing.
I thought we would start off talking about IT modernization how it impacts your world and efforts of organizations, you are no stranger to the topic, I find it pick up on this question here. But, meditation is part of the public sector today, we are dealing with upgrades to the system, trying to meet objectives, resulting in the limited of the physical boundaries. Micro services is the unstoppable force taking over IT today. How are we going about customizing your approach to cyber in the new ephemeral world?

So, I will start off with that, the IT modernization strategy, we casted the digital modernization, as easy as my boss, he has spent a year of the tenure honing in on how we need to modernize to keep pace with the challenges we face. I, there's four pillars to that strategy I hope I do not have a Holiday Express moment and forget. The first is clouds. That is one of the major efforts we have, trying to implement our DOD cloud strategy trying to drive the department to make better use of clouds. The real intent is to be able to drive agility into the department to break new capabilities to the field faster. The second is artificial intelligence. We recognize just about every country in the world has AI to have the potential to revolutionize how the Department of Defense does information, we fight, how defend the country. So, that is a huge area of importance. An obvious intersection between cloud and artificial intelligence, making sure computing is available for the AI algorithms run with a joint artificial intelligence are I believe yesterday the general walked through a little bit what for the mission is and how they are helping to bring change to the department. The third pillar is command, control and communications, basically, how we talk, integral to how we fight, modernizing department, so, everything from satellite to just your standard networks including 5G and all of that. The final is cyber, to get to your question about question a how do we keep pace.
I really have two main functions inside of there. The first is how do we drive down risk for the department? How do we make sure that we can execute our mission in the face of some of the world's best cyber actors that are trying to undermine our ability to succeed? The second major goal, though, is how do I support those other pillars of modernization. You could have the most agile cloud in the world, but if we apply the same technology, we're not going to be able to deliver on that agile promise. That's kind of the main focus from a cyber perspective as it ties to our modernization.

Great.

From my perspective, you know, both these gentlemen and actually you too are at an agency level, my focus and understanding of the problem is slightly different. We've because we've been in cloud for as long as we've been in, we've had to start dealing with a lot of these issues. For me it kind of comes back to a saying, I was recently at the AWS conference, which really kind of ties it all together is if infrastructure is code, then security is code. So for my perspective at an agency level, if I have a SOC and my SOC does not have developers on it, not only am I losing the battle, I've actually probably already lost the war and I'm not even aware of it yet. Having been in the cloud for as long as we've been in, we've obviously had some incidents, we've had interesting experiences with it. Learned a lot. Every single incident that we had, it was the developers who actually came in, they were the ones who came in and helped us solve those problems and develop the new methodology and tools to help us deal with that. Cloud is evolving faster than you can possibly keep up with it. Having those developers in place as part of your strategy is critical and we started implementing this about four or five years ago. It's a really key aspect to this whole modernization approach.

Yeah, and really, I mean, so we look at I.T.
modernization isn't simply just, I mean, it certainly is there to address needs and things like that, but also getting rid of some of that tech debt really can help improve our cyber security landscape as well. It's very difficult to update and keep up and patch and to everything you need to do for a system that's ten or 20 years old. How can you possibly secure those kinds of systems, really turning your security teams into developers, really migrating to that kind of model and embracing it, that's the way we've got to go. We've got to be able to be fast. We've got to use code, our security as code, and that's the way to success in my mind is if we're not going to keep up, they're going to go around us. We need to get rid of these old systems and modernization is really the method to get there in my opinion.

Stacy.

Part of I.T. modernization is finding everything that you have out there, and I think that that's a challenge because there's a lot of shadow I.T., even in a small agency. All of a sudden we'll do a report, and we'll find out somebody's using a system we didn't know about and we have to find a way to modernize that and make sure the network's protected at all times.

That's great. I love that phrase, security as code. Just a followup question, is that changing the profile and the skill sets you are looking for as you build out your staff? Is that evolving?

Oh, yeah. You look at the contracts and the staffing models that we're using. I redid my entire division that's responsible for information security and cyber security, and in doing so we redid the entire structure around that model, so we've done away, you know, part of what we have to end is a compliance mindset. Government loves compliance. We love to create matrixes and add little things to it and assign colors to it and make it glow green and yellow and pink and purple. At the end of the day, somewhere up the line it makes people happy because it's green, but it doesn't really make you secure.
We get kind of lulled into that. When we redid it, I banned the word compliance and started thinking of everything in a risk model sense. Everything should be based on risk and risk assessments and mitigation of risk, and how do we go about doing that. In a cloud environment, it's the development teams that come in and help us do that. So what it's doing is changing the very dynamic of that work force. Whereas it used to be we'd have a security analyst, you'd have your compliance officers. Now you've got these high end unbelievably nerdy, you know, cyber specialists who can do amazing things and can't really, you know, talk in ones and zeros, they're sitting with these development teams that are helping them build the tools necessary to drive forward your mission and to deal with the security issues as they arise. It should change it. It has to change it.

Yeah. And so to even take that further, you know, thinking that we're going to the same touch of skills. Network monitoring is different in these modern architectures, right? You're not going to be a network security analyst. You're likely going to be looking for developers, developers have to be part of your security team, your security team has to be part of the dev teams. So I do think that we've got to look at people that are going to have those kinds of skills, analytics, developing, scripting. It's much different than your traditional network security kind of view, right? You can't just look at pcaps anymore.

Sure, sure. If I could also ask you to follow up something you said, Jack. You mentioned A.I. For each of you, where do you see the role of A.I. playing in cyber or your environment today? Is there one yet or is it still a developing piece of technology?

So the good news is yes to both. It is definitely still developing and evolving.
Again, I don't know how much General Shanahan touched on this yesterday, but one of the mission initiatives that his organization is sponsoring for the department is basically leveraging A.I. to basically help with cyber defense, and I think that what we are certainly seeing trends where both the malicious cyber actors as well as now the defenders are looking at how A.I. could be leveraged and really it's probably more machine learning type stuff than true A.I., but leveraged to be able to find and exploit vulnerabilities faster on the attacker side and therefore for us to be able to have the kind of agility, how do we leverage A.I. to be able to anticipate the types of moves they will make and then counter them.

I'm going to agree with Jack on that, but the other thing is we need tools like A.I. with modern technologies that are coming like quantum computing and 5G so we have to prepare for the future because right now there's a deficit at cyber professionals, and we need tools to help us so we need to rely on things like A.I.

Absolutely. Yeah, we have seen that there's incredible potential and opportunity in tools like A.I. and machine learning, and the foundation for that from what I've seen in my colleagues is I'm having pure large clean data sets. If only there was a software company that could help with that. I'll move on. I want to talk about shared services. So Shane, I'll actually start with you.

Naturally.

The security executive order and the I.T. modernization report have been encouraging government agencies to really increase the use of or consider increasing the use of shared services as well as common security frameworks. How will shared services benefit you or your peers on the stage as you think about your approach to cyber and improving cyber across the federal government?

So I'm kind of on the yes and no on the shared services thing. Shared services offer some really unique opportunities and framework modeling type thing.
At DHS there's an entire SOC optimization effort underway, and part of that is to adopt we adopted I think it was a D.O.D. model of how to assess a SOC and SOC operations and then what elements are involved, and it's going to allow us to go in and actually compare our different component SOCs, not against one another in a competition necessarily but to see who has a center of excellence in certain areas and then leverage that for those who don't have that center of excellence. That is a good use of the framework and use that to take it to another level, the department level is to say okay, this is what we understand the services are required based on our assessment and this framework, and we can now create a shared service model that will help leverage that. There's cost savings and that's great. The danger for me, you get like a compliance mindset again. Now you're looking at it going oh, our SOC is good. We hit all 17 points. We're rock stars. Greens all over the place. We're not even like kind of green. We're 100 green, and you know, that's where we get that's where the danger starts to creep in because then it makes an assumption that you have checked a box and you're not security. Security is a proactive game, you know, it involves far more than making sure that you've checked all those boxes. It does also involve making sure you have a solid pen test program, that you're actively engaged in doing bug bounties and you're always assessing all your risk and understanding what is critical and what is not critical so you can assess it appropriately. There's those elements. The shared services models offers us the ability to save costs. So long as it doesn't become the standard by which we define ourselves. It's something important to do. For me shared services I think is a cri