Ireland Degges
Mike Fluharty currently serves as president and a managing partner at True Zero Technologies, a veteran-owned small business with a wide portfolio of cybersecurity offerings. His interest in technology began during his college years, and his first career position at the Centers for Medicare and Medicaid Services solidified his passion for the field.
Since then, he has held a variety of positions supporting federal organizations, specifically the Department of Commerce, Department of Homeland Security and Department of Health and Human Services.
In a recent Executive Spotlight interview with ExecutiveBiz, Fluharty highlighted several emerging technologies shaping the current federal landscape – including cloud and artificial intelligence – and discussed the top cybersecurity challenges the U.S. government faces today.
What is the top challenge you’re seeing as federal agencies migrate to the cloud? What solution would you propose to this problem?
There are two main aspects, one on the security side and one on the actual fundamental implementation side.
Fundamental cloud skills are becoming more and more costly as people move off of antiquated technology to more streamlined, scalable enterprise solutions. Irrespective of what cloud provider it is, whether it’s Google, AWS or Azure, the skill sets needed to migrate to the cloud in a manner that doesn’t affect existing systems and that allows for the same interconnections that those same systems have traditionally leveraged can be difficult to scale.
Having one or two systems that require a cloud migration is very different than scaling to a hundred thousand plus servers or endpoints and moving them into this ethereal environment that you no longer control. That change is a paradigm shift in the way that different enterprise groups – whether they are government, commercial or otherwise – think about the control of their technology. You must make sure that they understand what their responsibility is, where the demarcation point is and how they can effectively implement their mission and technology from the onset. As you continue to adopt new aspects of this scalable and elastic cloud environment, it is about taking those emergent capabilities and making sure that you have a repeatable framework that you can use over and over – and that’s just from the operational perspective.
A secondary aspect is the new concept of CNAPP, which is thinking about how to continuously protect the same network you are modernizing and build it into this elastic and scalable infrastructure. How do I overlay concepts such as CSPM for posture management and security? How do I overlay cloud workload protection across all these different microservices, and where do I find the talent that understands the way to do that with a business-oriented, mission-oriented approach?
Those types of individuals are A, costly, and B, very in demand, so how do you garner the individual to a particular mission? How do you keep that person excited about that mission? Then, how do you orient them into the necessary executive view of, ‘we are here to support the business and ensure it thrives?’
While True Zero is a cybersecurity company, we understand that business drives security because we are protecting the business, including its personnel, constituents, and the data. That mindset must be instilled in those particular engineers and architects, and then implemented in a way that allows for scaling to enterprise needs.
What do you think is the biggest threat facing U.S. cyber systems today, and what can be done to protect against that threat?
The biggest threat is complacency. There are tons of tools and tons of processes across agencies, whether they are within the DOD, Intelligence Community or civilian sector. There are frameworks and ways to orchestrate your security approach to be threat-centric, allowing for you to understand what your organization’s particular assets, data, identities of interest and attack targets are. There are defined ways to look at your external attack surface management in support of your particular mission. There are tailored tactics to look at the identity of your users and to aggregate all of these components while tying directly into a zero-trust strategy with these evolving concepts. This inherent convenience and availability of cybersecurity platforms leads to a world where fundamentals become secondary, and people become complacent. They stop considering the fundamentals and the value of being rigorous in terms of their ability to secure existing systems.
Let’s take identity management as an example. If you’ve had a legacy active directory or authentication approach your organization has used for years, you may feel that your identity-based approach to resource access ensures your safety – while at the same time, the very act of not continuously interrogating the objective data provided by said active directory or identity data may be the very reason a primary attack vector exploited by an APT is successful. Again, people and organizations get complacent. They enjoy normal, comfortable and oftentimes inexpensive solutions. They don’t know or oftentimes have deprioritized the organizational importance of checking if they are using local accounts, leveraging over privileged accounts and so on, and don’t do the due diligence and apply the basic cyber hygiene that’s necessary to stop bad things from happening. It becomes the annoying task that would have saved the target mission. Bad things will happen, and incidents will occur – however, it’s about the ability to detect and recover from those incidents – stopping them in their infancy in order to limit the damage to the business, thus allowing the mission to continue with confidence.
Oftentimes, if nothing bad happens, we end up getting complacent and thinking we’re good enough for now – especially if we passed an audit. That’s great, but passing an audit doesn’t secure you, it is simply an attestation of your purported ability to meet a specific framework at a given time. Let’s take those same frameworks and make sure that objectively and technically relevant data shows we are protecting said infrastructures and missions from threats on a continuously measurable basis. To be clear, this same concept of complacency ties directly into organizations not funding cybersecurity appropriately because of the fact that nothing bad has happened in the past – which is then incorrectly assumed as a reasonable approach to lowering future cybersecurity initiative funding. This remains a pervasive perspective throughout many enterprise environments.
Luckily, recent Executive Orders are putting a bigger emphasis on the unacceptable risk to the American people tied to cybersecurity complacency and helping to change the mentality linked to cybersecurity requirements at a department and agency level. Still, you see big commercial entity hits or governmental entity hits and the effects they have on the populace of the United States and abroad every day.
Which emerging technologies do you anticipate will have the greatest impact on the federal landscape in the next five to ten years?
There are the obvious ones that are the big buzzwords out there in terms of nation-state level considerations, like quantum, neural networks, generative AI and others.
Internet of Things security is one of the biggest – but most fundamentally misunderstood – concepts today. Basically, we are thinking about how to focus down on SCADA, ICS, IoT and the interconnected nature of different, traditionally disconnected or unknown organizational devices, while being asked to provide bespoke processes and understanding of these systems that don’t function the same way that a traditional operating system works. Sounds complicated, and it is.
Programmable logic controllers are not the same thing as a DLL on a Windows box. They are fundamentally different in the way they interact with the underlying system and thus the way that one interprets and secures them is fundamentally different. Most people understand them far less than they understand traditional, networked computers and operating systems, so educating them on the technologies that focus their specialty on said technologies while allowing for the ability to secure IoT devices in an objectively safe, secure, and measurable fashion is the number one priority.
The second comes from the aforementioned CNAPP perspective for cloud modernization and cloud security technologies, which allows us to start protecting individualized workloads, such as microservices and non-traditional serverless technologies. These are your Lambda functions within AWS or your Kubernetes clusters from a containerization perspective that are prevalent across all of these different cloud entities. We need to gain insight into how they work at a fundamental level and what our responsibility is as consumers of this technology. This allows us to proactively stop incidents within these platforms using the directly applicable approaches of zero trust, cyber security posture management, workload management, and application management at scale.
The last one – and maybe the most significant advancement technologically since the advent of computers – is AI, generative AI to be specific. If applied appropriately, it is a significant game changer in terms of one’s ability to quickly respond to threat-centric entities or protect against threats across an enterprise.
We’ve all seen the power of ChatGPT to help us modernize and take care of menial tasks over the past year and a half, but it doesn’t mean that you’ve replaced the human in that particular chain. What it means is that you’ve made the human more efficient and able to process the data and concepts that actually matter. Instead of worrying about the way we word a sentence or the way we write something syntactically, we simply address the semantics of the syntactical output. This allows us to support requests in a more efficient format and reduce the time it takes to triage and deliver.
We talk about this in terms of operations. We have a term at True Zero, ‘Actionable Intelligence Operations,’ that we have built into this same mission and threat-centric productization. The concept of AIO is the DevOps style of alerting that allows you to take the threat-centric items and apply artificial intelligence, genAI and large language models to help crank out high fidelity content faster so it can then be delivered to customer missions to stop bad things from happening.
We use this DevOps style approach to enable quality assurance, rather than replacing everything with an unchecked AI-based approach. This way, we can augment processes to significantly increase work productivity as long as we are doing it in a secure manner within those specific large language models. GenAI is such a full force multiplier that it is akin to the next digital age – and there is so much behind that right now that will help the world drive mission and cyber success in and into the future.
