We continue our effort to underscore certain patterns and themes found throughout the OODAcast library of close to 100 conversations with leaders and decision-makers, on topics such as leadership, empowering a team, clear decision-making while operating in a low information environment, the qualities and best practices of a true leader, the future of intelligence, the future of cyber threats, the cybersecurity marketplace, innovation, exponential technologies, and strategic action.

In October 2020, OODA CTO Bob Gourley had a conversation with Paul Kurtz – an internationally recognized expert on cybersecurity and the Co-Founder and Chairman of TruSTAR.  Paul began working on cybersecurity at the White House in the late 1990s. He served in senior positions relating to critical infrastructure and counterterrorism on the White House’s National Security and Homeland Security Councils under Presidents Clinton and Bush.  Paul’s work in intelligence analysis, counterterrorism, and critical infrastructure protection has influenced his approach to cybersecurity.  Paul believes in intelligence-centric security integration and automation. Paul believes in using machine learning to help detect, triage, investigate, and respond to events with confidence.

In the same month, Bob spoke with Mark Weatherford.  Mark is an icon in the cybersecurity field. He is widely known as a mission-focused leader who builds teams and gets hard things done. His career included success in the US Navy as a cryptologist, leadership and management in a major defense integrator, CISO for two states (Colorado and California), CISO of the nation’s regulatory organization for our power grid (the NERC), head of security efforts for the newly formed DHS, and operational CISO roles and advisory board positions for several US corporations.

…I really don’t think that the topic area of cybersecurity was really taken seriously until later in the 2008 through 2010 timeframe.

Bob Gourley:  I  met you a couple of years before 9/11.  Maybe it was 1999, maybe 2000?  I was at the Department of Defense (DoD) Joint Task Force for Computer Network Defense. We had responsibilities only for DoD when it comes to cybersecurity, but the process that Richard Clark had put in place was to coordinate across government when it comes to cybersecurity.   And that’s where I met you as part of that cybersecurity effort.  I thought on 9/11, first, as soon as the second attack occurred, I started producing intelligence for my consumers.  I worried because cyber had been my life for like two solid years trying to improve our cybersecurity posture. And I felt, that day [9/11] like I had ignored the terror threat and that maybe the nation had spent too much time thinking about cyber and not enough thinking about counter-terror. Would you react to that thesis?

Paul Kurtz:  I probably disagree with that. And here is my basis for saying it: there was a great deal of emphasis on counterterrorism toward the end of the Clinton administration. There have been some significant problems on the counter-terrorism side and there were some resources and assets being put against it, but what wasn’t happening was that we were still the fiefdoms within the U.S. Government, which came out loud, and clear in the 9/11 Report that followed.  Cyber was forming up and it was out there.  People were tracking. I started tracking it at the beginning of 2001. And looking at like, say, for example, Code Red (which was August of 2001) and, and remember we had Y2K.

And so there were a lot of resources and assets that were brought together for cyber with Y2K. And if I’m kind of hopping around a little bit, I, I will say this:  we went all in for Y2K to make sure that when the clock ticked that we didn’t really have a significant problem and really nothing happened. And I remember the commentary after that as well:  “It wasn’t that big of a deal, so let’s not pour a lot of money into it.”  But as we went forward, we were seeing challenges at Microsoft, we’re seeing increased numbers of attacks.  Those in the government who really were following it were aware that there were challenges that needed to be addressed. And so I remember immediately after 9/11, Nimda hit.

And I was in the situation room constantly.  We were trying to restore Wall Street – bring Wall Street back up online. And at the same time, we were hearing about Nimba, which was affecting financial networks. And so we paused a little bit at that point in time. I remember thinking, well, what’s going on here? Is there a connection? And ultimately there was no connection. So it was really a confluence. And I really don’t think that the topic area of cybersecurity was really taken seriously until later in the 2008 through 2010 timeframe.  That is when I ran an association called the Cybersecurity Industry Alliance – and when you would go up to Capitol Hill, there were certainly some staffers that cared deeply about it who remain active in the industry today. But we were too technical about it and the Hill couldn’t absorb it. A lot of folks in the Executive Branch could not absorb it. So now I think we were in a totally different place obviously, but it was a very interesting time.

…we’ve come a long way. But that is not to say that there is not a lot of work that remains to be done.

Bob Gourley:  There is something else from that time period that is so directly relevant today to corporate strategists and business leaders.  I observed what you and Richard Clark did when it came to strategic planning. You guys, early on, recognized the need for a national cybersecurity strategy and set about doing that. And as I recall reading this strategy:  I was struck with the fact that not only was it the first real strategy, but you did something else that was even more important than the strategy, which was the process behind the strategy. It wasn’t the plan: it was the planning. It was the way you went about building a network and getting input from people that had never communicated before on these matters. You reached far beyond the White House and far beyond the federal government  – into academia and the commercial world to establish communications with people and let them know their input was important.  And in doing so you produced not just a cybersecurity strategy, but a community. And it reminded me of what they would teach us in the military when it comes to building war plans.  They underscore the fact that no plan survives first contact with the enemy, but the process of building that plan can endure and can help you when you’re executing.  You guys created not just a cybersecurity strategy, but the first real network across the nation for dealing with cyber.

Paul Kurtz:  Yeah. Okay. I think the best thing about the cyber strategy when it finally came out was the network that it created.  It was almost less the document than it was the network. So how do you create the network?   What happened in wake of 9/11, [Richard Clarke] took on responsibility for the cyber side. And we had, prior to 9/11, we had talked about putting together a strategy and he jumped into that feet first. And rather than spend his time inside the beltway, he said “let’s get outside the beltway and let’s go to California, let’s go to New York, let’s go to Redmond – wherever it may be to track down the people who are building the products and building the capability.”  And not just going into the nascent cybersecurity vendor space, but the Cisco’s and everybody who was building the hardware and software.

And we went around the country as we built out the strategy. And we took a lot of input and a vast majority of that input ended up in the strategy.  But Bob, just as you said, it created a network.  Networks started popping up in each one of these cities. And when we ultimately published the draft strategy, what did Dick do? And Howard Schmidt to his credit was very active in this as well.  He went out to all the cities and met with people. We reviewed it and took in more input and then ultimately it was finally published.

And that was really the beginning of a national-level effort. And I would argue it was different than – if I look at the non-proliferation business, looking at WMD or even counter-terror  – cyber was really something different because there were so many people that are involved:  the software producers, the hardware producers, the user’s, critical infrastructure  – across the board. So the level of consultation and inclusion was significant.  And we’ve come a long way. But that is not to say that there is not a lot of work that remains to be done.

…if somebody wants to be introduced to a headhunter or to a hiring manager somewhere, I’m more than happy to do it, but you have to take my unvarnished advice if you want to get to that stage of the game.

Bob Gourley:  I want to ask a question about careers and just as context:  a lot of people come to you, I know, when they are looking for a position to be filled, and then you reach out to your network and email people like me and say, do you know anybody who is interested in this position?  You are just that kind of connector.  Other people come to you and ask for career advice. And that is the question I wanted to ask you:  for someone who wants a successful career in the cybersecurity world, do you have any advice or tips for them? Let’s say they want to be chief security officer (CSO) in a large company?

Mark Weatherford:  Well, the first thing I try to do is I try to identify what it is they really want to do. Some people want the Chief Information Security Officer (CISO) title. And, and that’s where I dig in and say:  Do you really want to be a CISO?  Because, I mean, this is not a trivial job these days.  Especially if you’re in a large company where you have to report to the board on a quarterly basis, where you have to sign the 10-K and the 10-Q every quarter.  Your signature can be used against you at some point if you have made a misstatement. So I think really digging into what people want to do is important.

There are a lot of factors in it.  I have many friends, whose careers have been limited simply because they didn’t, weren’t able to – and this is not a criticism- they weren’t able to take advantage of an opportunity.  Maybe they lived on the East Coast and a great job came open on the West Coast, but they just weren’t at a point in their life where they could make that transition. And so I try to tease these kinds of things out early in a conversation to see how flexible somebody is:  would they be willing to work for a CIO? Would they willing be willing to be a deputy CISO as a steppingstone to being a CISO? Would they be willing to be a CSO, which may include a lot of physical security responsibilities as well as information security responsibilities?  Would they be willing to step out of their comfort zone and work for a software company or go work for an electric utility company somewhere?

I can remember when I was wrapping up with the Schwarzenegger Administration in California and Mike Assante called me. Mike was the CSO at the North American Electric Reliability Corporation. He said:  “Hey, I’m getting ready to leave. I want you to be my relief, my replacement.” And I said:  “Mike, the only thing I know about electricity is what I learned in the Navy on a component level. I have no idea what the grid is or what the bulk electric system in the United States is all about. And he said: “Don’t worry about it. We’ll figure it out.”  And so, for me, it was a huge stretch to go into an industry that I really didn’t know a lot about, but I ended up being fairly successful there.

And I think part of it was because of my Navy background and learning a lot of the fundamentals of electricity way back when.  So I really do try to kind of tease out what I think are some of the critical decision-making factors in where they want to go with their career because there are a lot of jobs.  I have a whole list of people that I kind of keep my eye out for and I’m trying to figure out which people would be good for different jobs. And sometimes I may make a recommendation and say “Listen, here’s a good job, but I don’t think it’s right for you for these reasons.” And I’m never going to stop somebody from doing something. So if somebody wants to be introduced to a headhunter or to a hiring manager somewhere, I’m more than happy to do it, but you have to take my unvarnished advice if you want to get to that stage of the game.

I think, in the absence of really starting to fuse data more intelligently,  we’re going to be having the same discussion again in another ten years.

Bob Gourley:  You have written a paper that you shared an early draft with me.  And frankly, it was very influential on my views of threat intelligence. And I was wondering if you could share a few of your ideas there as you talk about the future of intelligence and what you think our next steps should be.

Paul Kurtz:  Yeah. well, I appreciate you raising it here. I think when I look at how we’ve defined intelligence for the last twenty-some-odd years in cyberspace, intelligence is seen as the external data about the adversary, the charming kitten, whatever the name of the malicious actor might be, or whatever the observables or indicators of compromise might be coming from an external threat provider. And that’s all great. But what I want to see us do is begin to redefine intelligence because there are two definitions of intelligence. There’s the one I just described, which are plans of a malicious actor – what they may be trying or intending to do.  But there’s the intelligence of our ability to bring together, to infer, to judge, to predict what might happen next, or to reason.

And we need to get to a place where we can take a large amount of data about what’s happening in our enterprise and make intelligent decisions about that, triage the data and refer it to an analyst based on five or six different tools or systems and refer it to an analyst to take it to the next level or use computer systems to help us judge something to be severe and then automatically update defenses. And I feel like it is s going to take some effort to turn this ship, but I think it is vital that we do.  Because if we don’t, Bob, we are going to continue, as one of the reviewers said to me, we are in a cyber war that has precipitated a tool war – and as so long as we have a cyber war and a tool war, the adversaries are going to win  – because we’re just going to keep on coming up with a new darn tool to take care of whatever the problem is.

And it’s going to be much like the Cold War.  We are going to overspend and we’re not going to be able to keep up on the spending until we start putting all this data together and getting smart about it and intelligent about it. And so this paper is focused on the creation of what I call secure, intelligent ecosystems, where you’re able to bring the data together, you’re able to discern patterns in data. You’re able to take those patterns and use them to update your defenses quickly.

The model which I point to – and it’s not a one-to-one comparison  – is what has happened in the autonomous vehicle industry.    They’ve broken down the problem into three pieces:  sense, understand and act.  You have all these sensors deployed on the car. All those sensors pull in data that must be made sense of by the computers and then tee up actions for either the driver or the computer to take actions to steer the car.

It’s remarkably similar in cyber. We have all these sensors deployed that we’re trying to capture this data to help us understand whether we’re secure. We need to fuse that data together more effectively than we’ve been in the past, and then kick it into taking action. And I’m hopeful. We’ll make progress on this front. I think, in the absence of really starting to fuse data more intelligently,  we’re going to be having the same discussion again in another ten years.

…the most important thing that a security professional needs to think about when dealing with the board is that most boards are not technologists.”

Bob Gourley:  Our OODA Network has a lot of CEOs, board members, and chief operating officers.  Senior people. And most of the people in our network, I think, are savvy when it comes to cyber security because they’ve learned from the school of hard knocks.  But I frequently run into people at that level who could use a little advice about what should they care about when it comes to cyber security? And I know you’ve worked with a lot of boards and senior people. And I just wanted to ask you that question. What do you say to board members to get them thinking right about risk mitigation in the cyber domain?

Mark Weatherford:  So this is probably the question I get most often and probably any CISO gets this question. I think the challenge is you want to be honest and realistic, but you want to avoid FUD (fear, uncertainty, and doubt).  If you get into the scary, dangerous game kinds of stories, I think you can lose some credibility there. But at the same time, you must try to convey a sense of urgency around security to non-technical people. There is a good example that I just read about today.  Anthem had a data breach in 2015 and they spent hundreds of millions of dollars cleaning that thing up, cleaning up the data breach.  Last month [in September 2020] they were just fined an additional $39.5 million as the last piece of the lawsuit.

This is what I try to convey.  In fact, I sent a note to a bunch of my friends this morning, saying “this is the kind of thing your board needs to understand when you go to them is you may have a data breach, but it may be five years before you wrap this thing up. And that’s five years of this thing hanging over your head. And then at the end, you get another $39.5 million fine to go along with it.”  So I think conveying that not just to the board, but to the CEO and the CFO:  there are really kind of long-term implications to some of the risk, risk-based decisions you make today. And one of the things that I tell my colleagues – and there are a lot of people that have way more experience dealing with boards than I do, but I have a little bit of experience dealing with boards, some successful and some not so successful, I’m pretty honest about that – but I think the most important thing that a security professional needs to think about when dealing with the board is that most boards are not technologists.

I say:  meet the board where they are, because you may have a CFO on there. You may have an HR manager on there. You may have a venture capitalist on there.  Boards are made up of these people from a variety of different backgrounds. And if you try to try to treat all of the board members the same way, you will be unsuccessful – I guarantee it. So meet them where they are. I always advise people: to establish a relationship with the board and reach out to individual board members. Know a little bit more about them so you can kind of tailor your conversations and tailor your briefings to make sure that everybody is getting what they need.

The Original OODAcasts:

OODAcast: Mark Weatherford On Leading Change As a CISO

OODAcast: Paul Kurtz, Iconic Cybersecurity Leader and Founder of TruSTAR

OODA Network Interview: Paul Kurtz

The final version of the paper by Paul Kurtz discussed during the conversation:  Cloud-Based, Intelligent Ecosystems | CSA (cloudsecurityalliance.org)

Related OODAcast Thematic Posts

People, Culture, Organizations, Cybersecurity, and Technology (Bryon Bort and Masha Sedova)

Cybersecurity Investment, Due Diligence, Innovation and Growth (Andy Lustig and JC Raby)

Leadership, Management, Decisionmaking and Intelligence (Paul Becker)

Nate Fick on His Early Career, Writing ‘One Bullet Away’, The Stoics and Dynamic Leadership (Part 1 of 2)

Stay Informed

It should go without saying that tracking threats are critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community