From Special Ops to Cybersecurity: A Veteran's Journey in National Security
Episode 80 • 14th February 2024 • Tech Transforms, sponsored by Dynatrace • Carolyn Ford

Shownotes

Sebastian Taphanel has spent his life on the cutting edge of technology and innovation. This week on Tech Transforms, Sebastian is sharing tales and lessons learned from his 20 years in DoD Special Ops and intelligence and 20 years implementing sound security engineering practices focused on implementing zero trust and highly resilient environments. Join Sebastian as he recounts his time in Special Forces taking his units out of the dark ages from secure fax communications to setting up an intranet, and how he continued with that innovative spirit through his 40-year career. He also shares his new passion, encouraging the industry to utilize disabled veterans to help fill both the cybersecurity and AI workforce gaps. They, after all, already have a call for the mission.

Key Topics

  • 03:38 ODNI CIO responded quickly with Microsoft Azure.
  • 07:03 Protecting data via application container, expanding capabilities.
  • 11:01 Zero Trust redrawn cybersecurity model, data-centric approach.
  • 13:57 Developing zero trust plan for downstream organizations.
  • 18:50 Ensuring security while sharing information and protecting IP.
  • 21:35 APIs, containers enable fluid, flexible data access.
  • 24:20 Data protection systems allow secure sharing and storage.
  • 27:02 Addressing cybersecurity workforce gap and AI need.
  • 29:39 In 1998, new commander requests secure WAN.
  • 33:49 Applied for certified protection professional, highest security certification.
  • 36:28 Passionate about supporting disabled vets in cybersecurity.
  • 39:55 Mentoring government employees for cybersecurity and AI/ML.
  • 45:32 Using advanced generative AI solutions for copywriting.
  • 47:19 Update cybersecurity tools and systems for new threats.
  • 49:50 Respect for those dedicated to automation.

Enhancing Secure Communication and Cloud Environments in Special Ops

Special Ops Agility: Adapting to Remote Collaboration with Secure Cloud-Based Workspaces

Sebastian Taphanel’s experience spans twenty years in DOD Special Ops and Intelligence, followed by consulting in security engineering. The focal point of this episode is his role in advancing cybersecurity practices at the ODNI, with particular emphasis on resilient cloud-based environments.

Sebastian describes the quick adaptation during the pandemic, which led to the rollout of an ad hoc cloud-based workspace to ensure the ODNI's mission could endure despite the workforce being remote. GCC High, or Government Commercial Cloud High as conceived by Microsoft, is revealed as the successor to the initial setup, providing a more secure platform managed strictly by U.S. persons. The approach highlighted the agility of cloud technology for remote collaboration within federal agencies.

Cybersecurity in Intelligence Sharing: "Essentially, reciprocity is a process and also a culture of accepting each other's risks. And that's really the bottom line on all that." — Sebastian Taphanel

Unfolding the GCC High Environment

The intricacies of implementing Microsoft Azure and M365 (Office 365) are detailed as Sebastian underlines their pivotal use in creating an intranet with controlled document sharing and editing. These implementations include robust Mobile Device Management and a BYOD Mobile Application Management system that protects sensitive data on government and personal devices, ensuring operational security and flexibility.

Special Ops Communication Evolution

Sebastian advanced from using secure faxes for interstate communication within military units to establishing a multi-state secure WAN. This resulted in a significant leap in communication efficacy for special operations. Sebastian shared the potency of secure, cloud-based tools in streamlining and securing government communications, as well as their inherent adaptability to contemporary operational needs.

Zero Trust Implementation and Reciprocity in Security Controls: "Reciprocity, in some circles, it's a dirty word. Because everybody wants to do it, but nobody really wants to be first." — Sebastian Taphanel

The Shift to Cybersecurity Training and AI

Special Ops to Cyber Ops: Training Disabled Veterans to Bridge the Cybersecurity Workforce Gap

Sebastian recognizes the increasing importance of cybersecurity expertise in today's digital landscape. He points out the significant gap in the cybersecurity workforce and the untapped potential of disabled veterans who can be trained to meet this demand. This shift towards prioritizing cybersecurity skills reflects the industry's evolution as organizations increasingly rely on digital infrastructure, thus creating a fertile ground for cyber threats. By focusing on equipping disabled veterans, who already possess a strong sense of duty and protection, with the necessary technical skills to combat these threats, Sebastian believes that we can build a robust cybersecurity force that benefits not just the veterans but the nation's overall security posture as well.

Training Disabled Veterans for Cybersecurity and AI

Building upon his own transition from a military career to cybersecurity, Sebastian is passionate about creating opportunities for disabled veterans in the field. His experience has shown him that these individuals, with their ingrained ethos of national service, can continue their mission through careers in cybersecurity and artificial intelligence. Sebastian advocates for collaborations with major tech companies and training providers to establish programs specifically tailored for veterans. These developmental opportunities can help translate military competencies into civilian technology roles. As AI continues to influence various industry sectors, including cybersecurity, the need for skilled professionals who can leverage AI effectively is critical. By providing appropriate training and mentorship, Sebastian sees disabled veterans playing an integral role in shaping the future of cybersecurity and AI.

Special Ops Veteran Illuminates Zero Trust as a Data-Centric Security Model and the Strategic Role of AI in Cybersecurity

Zero Trust as a Data-Centric Security Model

In the evolving landscape of cybersecurity, Sebastian brings to light the concept of zero trust, a framework pivoting away from traditional perimeter security to a data-centric model. He highlights zero trust as a foundational approach, which is shaping the way organizations safeguard their data by assuming no implicit trust, and by verifying every access request as if it originates from an untrusted network. Unlike the historical castle-and-moat defense strategy, which relied heavily on securing the perimeters of a network, this paradigm shift focuses on securing the data itself, regardless of its location. Zero trust operates on the fundamental belief that trust is a vulnerability, anchoring on the principle that both internal and external threats exist on the network at all times. It necessitates continuous validation of the security posture and privileges for each user and device attempting to access resources on a network.

Zero Trust as a Data-Centric Security Model: Zero trust now has essentially redrawn the lines for cybersecurity professionals and IT professionals. And I will say it’s an absolutely data-centric model. Whereas in previous decades, we looked at network centric security models. — Sebastian Taphanel

Implementing Zero Trust in Special Ops

Zero trust extends beyond theoretical formulations, requiring hands-on execution and strategic coherence. As Sebastian explains, the principle of reciprocity plays a vital role in the context of security authorizations among different agencies. It suggests that the security controls and standards established by one agency should be acknowledged and accepted by another, thus avoiding redundant security assessments and facilitating smoother inter-agency cooperation. However, applying such principles in practice has been sporadic across organizations, often hindered by a reluctance to accept shared risks. Driving home the notion that strategic plans must be actionable, Sebastian underscores the critical need to dovetail high-level strategies with ground-level tactical measures, ensuring these security frameworks are not merely aspirational documents but translate into concrete protective actions.

Special Ops in Cybersecurity: Harnessing AI and ML for Enhanced Defense Capabilities

Amidst rapid technological advances, artificial intelligence (AI) and machine learning (ML) are being called upon to bolster cybersecurity operations. Sebastian champions the idea that AI and ML technologies are indispensable tools for cyber professionals who are inundated with massive volumes of data. By synthesizing information and automating responses to security incidents, these technologies augment the human workforce and fill critical gaps in capabilities. The agility of these tools enables a swift and accurate response to emerging threats and anomalies, allowing organizations to pivot and adapt to the dynamic cyber landscape. For cybersecurity operators, the incorporation of AI and ML translates to strengthened defenses, enriched sense-making capabilities, and enhanced decision-making processes. In a field marked by a scarcity of skilled professionals and a deluge of sophisticated cyber threats, the deployment of intelligent systems is no longer a luxury; it is imperative for the preservation of cybersecurity infrastructures.

Looking Ahead: Collaboration, Reciprocity and AI/ML Workforce

AI/ML as a Cybersecurity Force Multiplier

Sebastian highlights the untapped potential of artificial intelligence and machine learning (AI/ML) as critical tools that can amplify the capabilities within the cybersecurity realm. As Sebastian provides his insights on the importance of AI/ML, it becomes clear that these technologies will serve as force multipliers, aiding overwhelmed cybersecurity professionals dealing with vast arrays of data. The envisaged role of AI/ML is to streamline sense-making processes and facilitate prompt, accurate cyber response actions to threats and vulnerabilities. Sebastian portrays a future where strategic use of AI/ML enables swift and informed decision-making, freeing cybersecurity operatives to focus on critical tasks that require their expertise.

AI/ML as a Cybersecurity Force Multiplier: I believe what’s going to be needed is the understanding, a training and culture that accepts AI/ML as an enabler. — Sebastian Taphanel

Empowering Special Ops Veterans for the Future Cybersecurity and AI/ML Workforce

Sebastian asserts the urgency to prepare and equip individuals for the cybersecurity and AI/ML workforce. He envisions an actionable plan to invigorate the employment landscape, creating a resilient front in the fight against cyber threats. Sebastian calls for a strategic focus on training and knowledge dissemination, particularly for disabled veterans, to incorporate them into positions where they can continue serving the nation's interests in the digital domain. Recognizing the fast-evolving nature of these fields, he stresses the need for a workforce that not only understands current technologies but can also adapt to emerging trends, ensuring that collective efforts in data protection and cybersecurity are robust and responsive to an ever-changing threat landscape.

About Our Guest

Sebastian Taphanel blends a more than 20-year DoD Special Ops and intelligence career with more than 20 years of sound security engineering practices focused on implementing Zero Trust and highly resilient environments through the use of innovative technologies and common sense business practices.

Transcripts

Carolyn Ford [:

I'm Carolyn Ford. Today, I get to talk to Sebastian Taphanel, principal consultant at Stractical Solutions, which is a boutique IT consultancy supporting government agencies like the ODNI. Sebastian served 20 years within DOD Special Ops and Intelligence.

Carolyn Ford [:

And since retirement, he spent 20 years implementing sound security engineering practices focused on implementing zero trust and highly resilient environments. So I had the pleasure of meeting Sebastian for the first time at the Billington Cybersecurity Summit. And after speaking to him for 10 minutes, I knew that I needed to get him on the podcast. The two topics that we talked about were his work around ODNI and employing disabled veterans. These two topics felt crucial when addressing today's cybersecurity landscape, and I am really excited to dig into both of these topics a little bit more. Welcome to the podcast, Sebastian.

Sebastian Taphanel [:

Thank you so much. I'm very humbled that you've asked me to be in your podcast. I'm also super excited to share my two passions, which is to help continue to serve and help our nation to not only deliver secure systems and environments but also move the needle when it comes to collaboration and coordination amongst all the different elements within the intelligence community. I do need to caveat something. I am not here in official capacity from the ODNI CIO office. I'm merely here to share with your audience the experiences and observations and hard lessons learned along the way as we are delivering the various new capabilities for the ODNI CO and ODNI at large.

Carolyn Ford [:

Noted, and we really appreciate you sharing your personal lessons learned. So, Sebastian, you had a long career in the Army before transitioning into government contracting and security engineering for the last 20 years. First of all, thank you very much for your service.

Sebastian Taphanel [:

You're well worth it. Thank you.

Carolyn Ford [:

And that is the nicest response I've ever received. Thank you. So now you're running your own consultancy, which the name I love. I hope we have time to get to it. Stractical. But specifically, I wanna talk about your support at ODNI. So you mentioned when we spoke at Billington, ODNI has an unclass workspace environment that is a completely new ecosystem.

Carolyn Ford [:

It's 100% cloud based. First of all, why would you say unclassed workspace rather than Internet? Is it an intranet? Is it internal only?

Sebastian Taphanel [:

So what was rolled out, this actually goes back to pandemic. It was clearly accepted and understood that we, the ODNI CIO office, needed to do something so that ODNI mission can continue even when everyone is, you know, forced to be home or forced to be away from the traditional office space, right, that typical government entities have. And so, literally over the weekend, a group of about 3 or 4 people quickly rolled out what we called an ad-hoc environment, leveraging essentially Microsoft Azure and M365. For those folks that may not know that, M365 is essentially Office 365 with a bunch of other capabilities that are cloud based. And so that was rolled out to the workforce.

Carolyn Ford [:

Over the weekend?

Sebastian Taphanel [:

And that, again, it was ad hoc environment. There were a lot of things missing, but it got the job done. And so in other words, we were able to leverage Microsoft Teams, which is top teams, which is essentially a collaboration suite of tools. It has chat rooms. It has what it's called Teams Channels. So think of it as a place where focused teams can collaborate in with document sharing, document editing. A lot of people equate it to, you know, Google Workspace. If most people are familiar with Gmail.

Sebastian Taphanel [:

And Google Docs and G-Drive, think of that, but in the Microsoft branding. And so the goodness about that is that's what we delivered and that's what worked. However, comma, all along, we knew that we needed to move that into a more restricted environment. So we ramped up what we call YouView 2.0, which was the follow on, and all that now lives in what Microsoft calls GCC High. So GCC is Government Commercial Cloud. High meaning that it's a much more security robust and resilient environment that is exclusively managed by US persons. A common equation would be AWS Gov Cloud.

Carolyn Ford [:

Mhmm.

Sebastian Taphanel [:

And so we did that. We delivered it September 2022. Along with that, we delivered a highly robust and implementable mobile device management, so our government furnished equipment mobile devices controlled and managed by ODNI, which means our data is 100% protected. Right? So you can't it's they're basically no fun iPhones. So, you know, the user is not allowed to download applications. They're not allowed to change the security settings, which is what you would expect typically of GFE devices. Yeah. And along with that, we rolled out a BYOD or bring your own device mobile application management, which essentially is the device is the owner's. Right? They own all rights to that.

Sebastian Taphanel [:

However, we protect our data by essentially creating an application container that you're restricted from copy pasting out of our containers into, say, Messenger, SMS, text, or their own email. So we did that, and we delivered that in September 2022, and that's what we have today. Since then, we are rolling out additional capabilities. And then at some point, we're going to have the ability to bring in external agencies. We can do that now, but we wanna try to bring trusted agencies into our environment so that we can have full collaboration across the majority of the intel community.

Carolyn Ford [:

Do you know if other agencies have done something similar, this sounds?

Sebastian Taphanel [:

Yes. They have, actually.

Carolyn Ford [:

Okay.

Sebastian Taphanel [:

Yes. They have. Yeah. I'll just say the big five. So that's NSA, CIA, NRO, NGA, and ourselves. So the big five all have either nascent and or have delivered to the enterprise or in the process of delivering enterprise via the pilot process. And so, yes, ironically, we were the first guinea pigs, and our CIO, Sue Dorr, and our CTO, Brian Sheffler, were perfectly okay with that, because we wanted to be the trendsetters slash trailblazers.

Carolyn Ford [:

So you created a workspace that's remote? That can even be used, like, on my own device as long as I have that special application on there that is it like oh, man. I used to do this. I No.

Sebastian Taphanel [:

It's not. Unlike MobileIron or any other, former, Yeah. What was that? Good?

Carolyn Ford [:

MobileIron is the one that I'm familiar with. Yeah.

Sebastian Taphanel [:

Yes. Yeah. And so no. It actually is Office. You're actually using real Word. You're using Edge. You're using PowerPoint, you're using Excel. So you're using Microsoft native applications Mhmm.

Sebastian Taphanel [:

That happen to be managed by ODNI CIO. Right? So that way the user doesn't have this huge burden to learn something new. Again, not to disparage MobileIron, but that was their way of running things.

Carolyn Ford [:

That is exactly the problem. Like, these great new innovative technologies come, but then you have to learn how to walk all over again. It's painful. Yes. It's really hard to get your culture to adopt when you have to learn new everything.

Sebastian Taphanel [:

Absolutely. And user I'm sorry. Go ahead.

Carolyn Ford [:

Well, I was just gonna so I think we were going the same place. You were about to say user experience. I know that even trying to switch from, like, a Mac to a Dell, it's just enough different that I just won't do it.

Sebastian Taphanel [:

Yes. Exactly. Exactly.

Carolyn Ford [:

So alright. Well, what are some of the key considerations agencies should take into account when they're developing data security best practices? I mean, because obviously, you had to do that with this unblocked environment.

Sebastian Taphanel [:

Yep. So key considerations, first and foremost is protecting the data. That was, if you will.

Carolyn Ford [:

Wait, did you just say zero trust?

Sebastian Taphanel [:

No. Well, that's a trap that a lot of people fall into, including myself. When Zero Trust first was published, those of us that have been in the industry longer than, you know, 10, 15 years, we all realize, oh, you want us to do what we should have been doing all along. So, and I often get Amen on that from more senior folks like myself and yourself. So it is what it is. Zero trust now has essentially redrawn the lines for cybersecurity professionals and IT professionals. And I will say it's an absolutely data-centric model. Whereas in previous decades, we looked at network-centric security models.

Sebastian Taphanel [:

Right. We're talking about Yes. It's less about connections, more about the actual crown jewels, which, of course, is the data. Mhmm. So data protection number 1. And in fact, CDOR has a great tagline. Hopefully, I don't mess it up, which is tag the data, tag the user, then pour the hell out of them. Right? Which really in a very simple, you know, 5 second tagline really describes, you know, everything about zero trust.

Sebastian Taphanel [:

So know where your data lives. Right? Understand the data flow mappings. Understand user access and via ICAM, etcetera, and making sure that the totality of what you see on your network, what you see in your applications, platforms, and infrastructure, what you see in your workloads, what you see as far as user activity, all of that adds up to dynamic access control, which is really the end goal of zero trust at the advanced tier, which ultimately is the ecosystem is fully aware and fully cognizant and has full visibility so that orchestrated automated decisions can be made on the fly.

Carolyn Ford [:

So would you say that when you were looking at data security and the way you needed to approach it and even data security practices, would it be fair to say that you maybe started with or at least took into consideration the zero trust architecture?

Carolyn Ford [:

Am I simplifying it with a buzzword?

Sebastian Taphanel [:

Yeah. Sorry. The zero trust architecture, reference architecture. And so the meaning of a reference architecture is it's a suggested thing. Mhmm. A lot of people think that Zero Trust is solution based or it's a one size fits all, and that's not really the case. Zero trust, at least in my personal opinion, is more to do with I have a goal. I have an objective.

Sebastian Taphanel [:

I'm gonna create tasks associated with that, I'm gonna capture that in a zero trust implementation plan in my own version of a zero trust reference architecture so that our downstream organizations can apply that at the system level. We at the ODNI CIO enterprise level are going to deliver, which we already started. We're gonna deliver consumable services so that when it comes to security controls or reciprocity of security controls, it's not a whole new game or a whole new requirement at the system level. Right? So, you know, reciprocity, in some circles, it's a dirty word because everybody wants to do it, but nobody really wants to be first. And so we're learning. Right? We're learning. I think as culture is changing and realizing that, oh, yeah. We can protect our data.

Sebastian Taphanel [:

Oh, yeah. We can share it responsibly. All the buzzwords that were thrown around, again, 10, 15 years ago, we actually now have the technology and, frankly, the culture to do that.

Carolyn Ford [:

Well, so this kinda goes back to we were talking about this before I hit record. The name of your company, Strac Stractical. Did I pronounce it right?

Sebastian Taphanel [:

Yes, ma'am.

Carolyn Ford [:

We were just talking about how, you know, these strategy plans get made, but there's no way to actually implement them. They're just words on a page that get shelved. They mean nothing.

Sebastian Taphanel [:

Right.

Carolyn Ford [:

So until we can marry the strategy and directly map it to the tactical to achieve the strategy, it's a waste of time. I mean, maybe you check a mandate box, but it's a waste of time. So I'm not gonna lie. I had to look up reciprocity to try to understand, like, in this context, what you mean by it. So I'm reading the definition, but help say more about that, about what you mean by it in this context.

Sebastian Taphanel [:

Sure. So originally, what it meant is if agency A, in the old terms, accredits, now the new term is authorizes. ATO is another common new term, which is authority to operate. So when authorizing official, which typically is the highest it's a delegated position from the a director or and DOD world would be, potentially could be a Commander or the G-6, A-6, etcetera, J-6. That authorizing official has full responsibility and accountability to make sure that that system that was ATO'd is operating within a certain set of security parameters.

Sebastian Taphanel [:

Now that authorization where the term reciprocity came was intended to be, essentially adopted by another agency, call it agency B, so that if I roll out the same thing or if I connect my system to the other system, I would essentially inherit all of the goodness that was evaluated, assessed, and tested and approved. That way, as agency B, I don't have to go through that whole process on my own.

Carolyn Ford [:

So I can use agency A's APO?

Sebastian Taphanel [:

I can essentially accept agency A's ATO as my own.

Carolyn Ford [:

Because I trust that they've implemented the security controls and practices? Okay. Got it. Got it.

Sebastian Taphanel [:

Sadly, that hasn't been really adopted across, the entire I can say with confidence into, across the entire intelligence community, there are some really good pockets that have, but overall, it's not common practice.

Carolyn Ford [:

Really? Now Yeah. What? Just because we don't trust each other?

Sebastian Taphanel [:

Really? Yeah. Yeah.

Carolyn Ford [:

Is that really why?

Sebastian Taphanel [:

Yes. We, it has to do back to the data. Yeah. So in the data world, you have what's called data stewards data owners. I'm sorry. That's now been replaced with data stewards. So a data steward is, again, personally accountable to protect the data.

Sebastian Taphanel [:

And so, of course, especially with an intel community. Well, let me put it in commercial terms. Would Pepsi and Coke share information? But they're gonna be really protective about it. Right?

Carolyn Ford [:

They can share processes without sharing intellectual property.

Sebastian Taphanel [:

Yeah. The formula is what really is what gets protected.

Carolyn Ford [:

Right.

Sebastian Taphanel [:

So how can I do that in an environment or ecosystems, you know, corporately, etcetera, safely and securely and still be able to protect my own IP? Right? So that's essentially what the intelligence agencies all have collection authorities. And then based upon those collection authorities, they are mandated or encouraged to share that intelligence across themselves. Now when it comes to reciprocity of systems, right, and I wanna get I'm sorry. I don't wanna deep dive into this because I could go for hours, but, essentially, reciprocity is a process and also a culture of accepting each other's risks, and that's really the bottom line on all that.

Carolyn Ford [:

Mhmm. Yep. Okay. So we've talked about it, you know, a little bit here and there about how data protection has evolved. You talked about, you know, we used to look at how do we protect the network. Now we're more focused on the data rather than the castle moat kind of scenario. Right. This reciprocity idea, maybe I've heard it before, but it's new to me.

Carolyn Ford [:

That's why I'm just like, okay. I gotta I understand reciprocity. I just I needed to wrap my head around it how it fits into this context. So so two those are two things that have evolved. What else has evolved in data protection since you've been in the business.

Sebastian Taphanel [:

Yeah. I would say data protection has absolutely evolved with regards to understanding access, and that's both at the user level and what's known in our community as nonperson entities. So, essentially, you've got person entities, AKA human, and then you have nonperson entities, everyone else. So the user access is typically what did. It derives from physical and personal security. Right? If you and I need to share a piece of data, I need to make sure that you have the right need to know, the right access, etcetera. So that was old school. Now I can leverage a system that automatically checks your PKI and matches it with mine and says, okay.

Sebastian Taphanel [:

You guys have the same we have the same level of clearance. I'm still I am still responsible to determine need to know on your case, and then I can share that data with you. Now put that at scale. Right. Think hundreds of thousands. Yeah.

Carolyn Ford [:

Like, that doesn't seem like it scales.

Sebastian Taphanel [:

It doesn't scale. Correct. So now you have NPE access as well, which gets a little more dicey because now, essentially, now you have servers, applications, APIs, which are essentially ways to connect from one system to another that I can call data from, that I can either read only or I can read and then download on my own system. And that way, I can do my own prosecution of that data set or a piece of data. And now APIs get even more murky because now we have these things called containers. And containers are very fluid. Right? I'm sure most of your listeners understand that a container, really, at the end of the day, is a location running on a server, except it's free to roam based upon the rules set that is provided to them.

Sebastian Taphanel [:

The problem with containers is it's really hard to audit containers unless you have and I'm gonna pull it plug you guys. Dynatrace that can see what's going on. Right? Can tell you what's going on in that container. However, you still have to be really careful about the API calls that are allowed from each of those containers and also the network piece. So when you wrap all that together, does this sound like zero trust? Because it is. Now you have to pay attention, right, to not just the user and not just the data. Right? You gotta pay attention what workstation, what workload, what application, what environment, what network, what subnet...

Carolyn Ford [:

All of that. Doesn't scale.

Sebastian Taphanel [:

No. It doesn't scale. So now we have to realize that we've got to leverage AI/ML or artificial intelligence machine learning as best as we can. And I'll share my personal opinion on AI/ML. There's a lot of buzz and hype about it, but it really if you peel the onion back, it boils down to, at least from an IT security perspective, it's an enabler. Right? Mhmm. Right now, we have a lot of human on the loop.

Sebastian Taphanel [:

What we want to do is, sorry, human in the loop. What we wanna get human on the loop and then eventually human out of the loop. So now access decisions are made dynamically. Now I don't necessarily need a human on the loop, unless it's, like, super super sensitive IP or classified information, then you need someone, right, that is a human, oxygen breather, that can actually make that decision as far as need to know, etcetera. However, everything behind that, once the decision is made, there is no more touch. Right. A decision's made. It's captured.

Sebastian Taphanel [:

It's loaded into the various identity systems and ICAM systems and data protection decision points, all that is done in the background. Now, again, there's small pockets that are doing this today. A great example would be, you can easily share something, right, within a particular file sharing application, and you can restrict that to only specific email addresses, and you can also restrict whether or not someone is able to forward that. Right? So that's one good example of what can be done today at your home. I would say from another data protection point of view is most people realize that we have data at rest and data in transit protections. Right? And so what we need to work out is if I do data at rest, right, and now I want to have multiple, say, cloud blobs or storages or buckets. I don't necessarily wanna use the same key. Right.

Sebastian Taphanel [:

Right now I need to use a separate key, which means now I have to either bring my own key management service or use the organic, vendor-provided key management service. That gets a little tricky. Right? Because now if you're tapping both those data storages or data blobs, you wanna make sure that you're tapping into the right one. That also gets tricky because now you have to manage those keys if you're providing your own. And so these are things that are, again, big thoughts, big issues to think through. Not impossible. In fact, most of the vendors already do that, and they show you ways to do that. We'll plug our cloud service providers.

Sebastian Taphanel [:

They do cooperate, actually. In fact, Sue and Brian force them into the same room, and we have a single conversation about our needs. And I think that's great.

Carolyn Ford [:

So you so when you say they cooperate, you mean that big hyperscalers cooperate with one another?

Sebastian Taphanel [:

Yes. Oh. Yep.

Carolyn Ford [:

Good to know.

Sebastian Taphanel [:

Yep. And they do this for the simple reason that they recognize that not all data needs to live in a single place.

Sebastian Taphanel [:

Some data can, but a lot of it can't because we're leveraging AI/ML solutions across multiple providers. Again, everyone has their own strengths. Right? So we're trying to choose the best athlete as much as we can for specific datasets that we have.

Carolyn Ford [:

So everything we've been talking about, I mean, it comes back, yeah, it comes back to cybersecurity.

Carolyn Ford [:

I'm gonna shift gears a little bit because we know that there's a huge gap in the cybersecurity workforce. And we're creating this new need for an AI workforce that doesn't exist. Like, the recent EO that came out on AI is saying, you know, you need to hire or you need to appoint these AI experts, and they don't exist. So you and I talked about enabling disabled veterans to help fill the cybersecurity workforce gap, and I'm gonna throw in there today just based on, you know, the latest buzz around the AI EO.

Sebastian Taphanel [:

Yeah.

Carolyn Ford [:

Same. I know. It's like an Old McDonald's song. But, I mean, there's there's a gap in that workforce too. So tell me about how we can train, and equip our veterans to help alleviate the cyber workforce shortage. Well, I mean, let's start with you personally. Like, you transitioned. Right, you're a vet.

Carolyn Ford [:

You are now part of this workforce, the cybersecurity workforce. How did that happen?

Sebastian Taphanel [:

That's actually a really good question. I love to share the story because it's essentially my origin story. So my last unit that I served was, again, a Special Ops unit, and we had 5 disconnected, and the only way to communicate with each other, pass on information, was to use secure faxes. Right? So yes.

Carolyn Ford [:

Secure fax. Did you just say fax?

Sebastian Taphanel [:

I did. Oh my god. So, yeah, we didn't have a common place to share email. We didn't have

Carolyn Ford [:

In the field, you were faxing each other?

Sebastian Taphanel [:

Not in the field. We're all garrison based, but Okay. We were spread across 5 states, actually.

Sebastian Taphanel [:

And so by design, this was primarily because of security needs and concerns, we were using secure faxes.

Carolyn Ford [:

Wait. Was this, like, 1980? When was this?

Sebastian Taphanel [:

I know. I know. Yeah. Wait. The joke was, 1985 called, and they want their secure fax back. Yeah. So, seriously. So, yeah.

Sebastian Taphanel [:

So somewhere around 1998, we had a new commander show up, and he was very forward leaning. And so out of nowhere, he calls me to his office, and my nickname back then was Taph. He says, Taph, like, I've got a, do I have a deal for you? And I was like, oh, crap. And mind you, at the time, I was the command security manager, which really meant I was single threaded, and I had all the securities, personal information, computer, contractor security, everything was under my purview. And so the last thing I needed was another new project, but he was an O6 Colonel. I said, yes, sir. What is it? Says, hey. I want you to roll out a secure WAN.

Sebastian Taphanel [:

For those of you that may not fit better back then...

Carolyn Ford [:

Wireless access network?

Sebastian Taphanel [:

Wire No? No. It's wide area network.

Carolyn Ford [:

Wide area network.

Sebastian Taphanel [:

Yeah. It's okay. So a LAN back in those days was, you know, confined to a known geographical location, and that was it. Whereas a WAN was essentially I would go through standard comms or communications, secure communications, and I'll be able to connect to someone else's WAN.

Sebastian Taphanel [:

So, thank god he equipped me with an amazing network security engineer, and off we went. And literally on the back of a napkin that my boss gave me and working hand in hand every day for 6 months. In 6 months, we actually rolled out the first ever secure logistics acquisition contracting network in direct support of top DOD special operations units.

Carolyn Ford [:

You rolled out your own intranet across 5 Yep. How many states?

Sebastian Taphanel [:

Our own intranet. So 5 states. So a lot of work, a lot of TDY and visits on the road, a lot of culture changing. It was huge.

Carolyn Ford [:

I can only imagine, like, leadership

Sebastian Taphanel [:

Yeah.

Carolyn Ford [:

How scared they must have been to, like, zero information out into the ether like that.

Sebastian Taphanel [:

Yeah. Yeah. Well, obviously, we use secure connectivity.

Carolyn Ford [:

Yeah. But they wouldn't I mean, at the time, it was so, like you said, forward thinking to be able to trust it. Right. They don't under you know, a lot of people still don't understand it. I only pretend to.

Sebastian Taphanel [:

But you do a great job, Carolyn. You're doing awesome.

Carolyn Ford [:

I can, like I said, I'm just thinking about even my dad? Like so he was a Colonel in the Army.

Sebastian Taphanel [:

Right. Right.

Carolyn Ford [:

And I'm thinking, he didn't trust anything online.

Sebastian Taphanel [:

Right.

Carolyn Ford [:

I can only imagine, like, what his response would have been to this what you did. It was so sci-fi cutting edge out there, really.

Sebastian Taphanel [:

It was, and the benefit was immediately felt. And so back to the name of my company and how I got into cyber, the strategy was, right, to create a statewide WAN, 5 or multistate WAN. The why was because we were done using secure faxes, and it took 3 times as long to actually get to a decision. And also, by, you know, by the time you copy that fax times, 4 times.

Carolyn Ford [:

It's no longer secure. Were you using It's

Sebastian Taphanel [:

hardly legible. It's hardly legible.

Carolyn Ford [:

Oh, yeah. There and there's that. Were you using cross domain tech so were you able to send, like, high side, low side, or was it all

Sebastian Taphanel [:

You're adorable. No.

Carolyn Ford [:

I told you. I pretend to understand.

Sebastian Taphanel [:

No. No. So what happened then, I went ahead. And right before then, I applied to undergo a task which was known as certified protection professional, which was, at that point, the highest security certification that was internationally accepted and recognized for folks like me. It had a very, very light domain known as information security or computer security at the time. And so I went to a conference, national conference, I would obviously, I was still active duty, and I was mandated to show up in uniform.

Sebastian Taphanel [:

So here I am, you know, guy walking around with a green beret in a security conference, which immediately I was suspect. And so I attended a session that was, and we're really gonna date ourselves. I'm sorry, Carolyn. Do you remember CompuServe back in the day?

Carolyn Ford [:

I don't know what you're talking about. That's way before my time.

Sebastian Taphanel [:

As we say in the military, you're coming over broken and stupid. Yes. So yeah. So, you know, back in the day of AOL, I'm sorry, AOL and Yahoo and CompuServe, those were the big folks on the market. Right? And so the chief security officer or director of security as they were called back then, had another certification after CPP, and that was CISSP, key, which is the highest

Carolyn Ford [:

I know that certification. Mhmm. Right.

Sebastian Taphanel [:

The certified information system security professional.

Carolyn Ford [:

Mhmm.

Sebastian Taphanel [:

And I was like, wow. That sounds cool. And so after his talk, I literally walked up to him, say I introduced myself. And after just a few seconds of talking, he looked at me and said, well, what do you wanna be? And I literally looked at him straight in the eye and said, you. I wanna have both the certifications, and I wanna be able to speak authoritatively about computer security and also the other securities.

Carolyn Ford [:

Mhmm.

Sebastian Taphanel [:

So, yep, for a long time, I carried both certifications. That gave me a taste and a love for what we now call cybersecurity.

Carolyn Ford [:

Yeah. So you got to learn on the job, though. I mean, you got to learn

Sebastian Taphanel [:

Oh, yeah. I am a self-taught security engineer. Right. I did not go to school for this.

Carolyn Ford [:

Nope. Well, you did. Right?

Carolyn Ford [:

You did these certifications, right.

Sebastian Taphanel [:

Yeah.

Carolyn Ford [:

Yeah. But it was practical training, practical training.

Sebastian Taphanel [:

Yes. They really want doing? Correct. And I think that's what I would like to provide disabled vets to tie it into, really, my passion. A quick footnote. It's officially announced to my folks, so it's gonna be surprised when they listen to this. I'm pursuing retirement, like, full retirement. I've been at this game for over 40 years, and I realized that there comes a point when you have to accept the fact that there's only so much more I can give and so much, I have a different mission. My mission is to equip, enable disabled vets to become agents of good, right, within cybersecurity and artificial intelligence, ML environments.

Sebastian Taphanel [:

And, also, we still need security-minded cloud engineers, really. So those 3 are the big three needs right now. Particularly, cybersecurity is huge now with it. Like it said, the new AI EO. We have to have competent people. And being a disabled vet myself, having gone through a lot of stuff to get my head right, and I'm still, obviously, it's a work in progress.

Carolyn Ford [:

For us all for us all the best. Yeah. Right? Yeah. Thanks.

Sebastian Taphanel [:

This is where the audience says ditto. So anyhow, the, at the end of the day, you know and I'm sorry. That's my favorite phrase because really at the end of the day, I just want things done.

Carolyn Ford [:

Well, So I need to pause because you just said you're seeking retirement, but you realize you're not. You're just shifting focus to this new mission.

Sebastian Taphanel [:

Let me live that lie for a moment, please.

Carolyn Ford [:

Okay. Fine. You go be retired for 5 minutes. Okay? I mean, you said something to me at Billington that just really like, it gave me chills. It struck me at my core. And you said that veterans already have a call to protect the nation.

Sebastian Taphanel [:

Absolutely. 100%.

Carolyn Ford [:

And this is just a way for them to continue the mission, which is what you've done. And what you're telling me you're going to continue to do, you can call retirement if you want. That's if that makes you feel better, you say that word.

Sebastian Taphanel [:

Thanks. Just don't tell my family. No. But, seriously, it is a passion, like I said, and I don't know how that passion's gonna roll out. I have some thoughts, ideas. Again, if people wanna reach out to me, I think you're gonna put my email address out into the wild, so please do. I would love to partner, not only with current training providers, but also, you know, the likes of Amazon, etcetera.

Sebastian Taphanel [:

A lot of them already hire veterans, and that's awesome. And a lot of them already have, even corporately have programs to train folks. I know the military and the intel community adopted it as well. It's called the Wounded Warrior Program.

Carolyn Ford [:

Yes.

Sebastian Taphanel [:

So we actually have many in our building that came through that program, and they essentially would come on as government employees and are coached, mentored, trained to, again, contribute to the mission. So it's not a new thing. I think the focus, at least from I believe my the focus is now specifically delivering folks who can perform and deliver cybersecurity and AI/ML support.

Carolyn Ford [:

Well, you may think of I so I just had the pleasure of talking to, Dr. Amy Hamilton, she's with the Department of Energy, and she's a visiting faculty chair for the DOE at the National Defense University.

Sebastian Taphanel [:

Awesome.

Carolyn Ford [:

So, I mean, maybe you should go be a teacher, Sebastian.

Sebastian Taphanel [:

Nobody would take me on because I have 0 credentials in the academic world. So unless they wanna put me on as adjunct professor slash guest speaker, sure. I'd love to share my experiences and also the hard lessons learned along the way. But, yeah, I don't intend to be an academic. I play 1 on TV, and I got fired last night. So wait.

Sebastian Taphanel [:

There you go. No. Seriously, I know there are solutions out there. I just feel that from a disabled veteran perspective, again, as one myself, sometimes you feel like you can't contribute to the mission, and that's all that negative self talk that we give ourselves.

Sebastian Taphanel [:

A lot of us deal with guilt, survivor syndrome. A lot of it are, we see our impairments as that. And so it's hard to get out of our head. It's hard to get out there and actually put yourself, and make yourself vulnerable. And I know sorry. I'm sounding like a therapist. I'll send you the bill later. But this is a thing.

Sebastian Taphanel [:

This is a thing for us. And so by giving ourselves a mission, something that we can definitely cling on to, something that actually matters.

Carolyn Ford [:

And is already the fabric of your values.

Sebastian Taphanel [:

Oh, yeah. It's our ethos. Absolutely. It's our yeah. It's our DNA. It's our ethos. It's how we operate.

Sebastian Taphanel [:

And so you don't have to convince a disabled vet to protect the nation. Done. And I'm sorry. I'm not disparaging civilians or regular veterans at all.

Carolyn Ford [:

Oh, no. I get it. I get it. Oh, yeah. I hear you.

Sebastian Taphanel [:

Yep. Yep. And so and that's I believe that's an untapped population. I really do. And, again, I could be wrong. So please, if I'm wrong, please send me an email and say, hey, Sebastian. You're way out of line. This is already done.

Sebastian Taphanel [:

Go do something else. Cool. I'll go ride my motorcycle and just enjoy life.

Carolyn Ford [:

Thank you. What does Wounded Warriors do? Like, with the site so do they not focus at all on training disabled vets to take these, like, cybersecurity jobs and stuff like that? Is that something they do?

Sebastian Taphanel [:

I honestly don't know.

Carolyn Ford [:

Yeah. I don't know either.

Sebastian Taphanel [:

That program was specifically to bring into the government workforce disabled vets.

Carolyn Ford [:

Okay.

Sebastian Taphanel [:

And, again, it's, and you have to qualify for the position. At least you need to have some level of, credentials. Again, that's all I know about it. I know I've seen, multiple folks in our building, and I probably next time I see them and ask them specifically or just reach out to the to the project itself. But, again, these are thoughts. These are passions. That's it's a I'm taking this on as a mission.

Sebastian Taphanel [:

I believe there's a need, especially now with AI ML because I. That didn't even exist 10 years ago.

Carolyn Ford [:

Right.

Sebastian Taphanel [:

That was 5 years ago as far as, mainstream. So there are there are lots of things that are tech come down the line, and I will share securing AI ML is, I think, gonna be the big 2024 thing. Yeah. I also believe there's gonna be, the need to well, let me just say this. I personally believe cybersecurity folks are drowning in data. They're absolutely drowning in data.

Carolyn Ford [:

All drowning in data. I can only imagine being, like, in cybersecurity specifically because I'm drowning in data.

Sebastian Taphanel [:

Right. Right. Exactly. Individually.

Carolyn Ford [:

Yeah.

Sebastian Taphanel [:

Yeah. And so I believe what's gonna be needed is the understanding, a training, and culture that accepts AI/ML as an enabler.

Carolyn Ford [:

You're beating me to my tech questions because that's actually what I was gonna ask you, what your 2024 predictions are. So your prediction is AI/ML workforce, like, focus on that. What, say that again.

Sebastian Taphanel [:

I believe the prediction is this. We're gonna need to leverage AI ML as a force multiplier.

Carolyn Ford [:

Yes. Absolutely. And everybody, not just I mean, me as a marketing person, I've got to get better at leveraging, like, generative AI.

Sebastian Taphanel [:

Correct. Specifically something like marketing, you know, the tools that are available right now for copywriting, and I'm sorry if anybody in your audience is a copywriter, but they're amazing. They're absolutely amazing. Now but you don't have to start from scratch as the copywriter. Right? You can have the likes of ChatGPT and others, and there's a ton of them now, generative AI solutions, we'll call them that, that could give you the outline. And then from there, you go forward. Right?

Carolyn Ford [:

Yeah. And it doesn't mean...

Sebastian Taphanel [:

Like you built that.

Carolyn Ford [:

Right. And you still have to have the training expertise in your area.

Carolyn Ford [:

It's not replace, it's, ChatGPT has never written anything that could replace or just that I could use ad hoc. I have to always look at it and say, you missed the meaning. You changed the meaning, and I should not say you. It. It

Sebastian Taphanel [:

Yeah. It's funny how we change that. Mhmm.

Carolyn Ford [:

Yeah. Yeah. So we AI is here, and we It is.

Sebastian Taphanel [:

And I will share with you, at least from, you know, my optic for cybersecurity, I believe there's a huge need for sense making. In other words, I think AI/ML can help us make sense out of the ocean deep worth of cyber data. And, yes, there are tools. There are flags. There are prompts. There are ways to, you know, reduce the false positives, etcetera, which is all great, but that takes time to fine tune. Right? That takes expert knowledge to be able to do that.

Sebastian Taphanel [:

And then if something flips, right, let's say you get a threat intel feed that says, oh, by the way, there's this new attack and new vector. Now you've gotta figure out how you're going to fine tune your cybersecurity ecosystem and tools to be able to do that. And so we typically, you know, from a cybersecurity perspective, we usually trigger from signatures. Right? A CVE, something that tells us that's obvious. Well, the reality is, particularly with nation state actors that have all the time and money in most cases, and even the criminal cyber actors, they often apply standard things that we may have overlooked or they recognize through their network discovery and network. Sorry. I'm losing the word. It's okay.

Sebastian Taphanel [:

1 cup of coffee. We understand that sometimes we don't always patch our stuff. Or in the one vendor. Right? The whole supply chain was compromised, so a patch then became the attack. And so as that happens, right, in real time, how we're gonna respond to that? Correctly, quickly, accurately? So then that becomes the sense making. And, honestly, it's sense making to have actionable information slash intelligence so that I, as a cybersecurity operator, can execute.

Sebastian Taphanel [:

Right?

Carolyn Ford [:

Mhmm.

Sebastian Taphanel [:

Back in the day when I used to kick down doors for a living, people often asked me, hey. What do you need? I said, I only need 3 things. Location, location, location. We'll take care of the rest. And so, it's the same thing here with cybersecurity data. I need that piece of data or pieces of data that are gonna allow me to do sense-making or even enable me to do sense-making, AI/ML, for example, so that I can then execute, and I can actually either, do the right things to quarantine whatever it is, but my technique may be. And so that, I believe, again, I'm not a Cybersecurity Operator.

Sebastian Taphanel [:

I don't pretend to be. There are people who've dedicated their entire lives to do that, and they're amazing. And I also know that a majority of them are crying for help, and they're realizing that I need to leverage automation as much as I can because

Carolyn Ford [:

Yeah. Absolutely.

Sebastian Taphanel [:

Back and goes back to the previous conversation we had about lack of people that can do this.

Carolyn Ford [:

Mhmm. What a fabulous time I've had talking to you. Thank you so much.

Sebastian Taphanel [:

Thank you for having me. It was awesome.

Carolyn Ford [:

Super fun. Listeners, thank you for joining us. Please share this episode and smash that like button, and we'll talk to you next time on Tech Transforms. Thanks for joining Tech Transforms sponsored by Dynatrace. For more Tech Transforms, follow us on LinkedIn, Twitter, and Instagram.
