Consolidation, innovation, and perspective all need to work together in government IT, according to Eric Trexler, VP of Global Governments and Critical Infrastructure Sales at Forcepoint. IT acts as an enabler of business in the challenging landscape of government technology. Listen in to find out what Eric believes the United States IT space should be focusing on in order to stay ahead of the adversaries.
Carolyn: Today, our guest is Eric Trexler, Vice President of Global Governments and Critical Infrastructure at Forcepoint. Eric is an expert in the technology industry with more than 25 years of experience with both the public and private sectors. And Eric and I used to host To The Point Cybersecurity podcast together. So today is actually a real treat for me to see your face again, Eric. So, good morning.
Eric: Good morning. And it's bizarre being back on the air with you, Carolyn.
Carolyn: So, today, we're going to talk about the perplexing and growing cost of cybercrime and how we can shift the paradigm. But before we jump into that, Eric, you have actually a pretty fascinating background. So, can you just tell us a little bit about your journey?
Eric: My journey in IT? Or where would you like me to start?
Carolyn: Let's not go all the way back to birth. Let's start at your Airborne Ranger days. How about that? And then how you got to where you are today. So yes, technology.
Eric: So, I was an aimless kid at about 17 with no potential to pay for college. No easy path at the time. And I said, I'm joining the army against my mother's wishes to become an Airborne Ranger.
Carolyn: At 17?
Eric: Yes. She had to sign the paperwork so I could join the delayed entry program. The military throws at you when you have a high ASVAB score, that's the entrance. And I had a high ASVAB score. So, I saw the Navy and they wanted me to be a nuclear engineer. And I just wanted to be a Navy SEAL back in the day before people knew what the Navy SEALs were. But you had to pick a rating, I believe they call it in the Navy.
So, I'm sitting in front of the recruiter, and he's like, "Okay, but what do you want to do?" And I'm a dumb kid, I'm 17 years old. "I want to be a Navy SEAL." "Well, you can't do that. You have to have a rating. You have to have this skill at trade." And nothing, absolutely nothing was interesting to me.
So, I left. I went to the army recruiter and enlisted. Because they'd let me be an airborne, I was unassigned airborne, technically. How I became an Airborne Ranger? I didn't want to be normal and I was in jump school and talked to a gentleman and I didn't want to wear chemical gear. This was right at the end of the first Gulf War, and everybody was running around in MOPP suits. If you remember that MOPP suits? Hot, heavy, you can't see.
Mark: You can't breathe.
Eric: Same reason I didn't want to be in a tank or a ship or a plane. I wanted to be on my feet and I wanted to be able to move. And I was like, "I don't want to wear MOPP gear." The guy said, "Here's what you do." And that's what I did. So, I literally made the choice because I did not want to wear a helmet and I didn't want to wear MOPP gear.
Carolyn: You sound like my six-year-old niece, how she chooses what she wants to do is whatever that doesn't require shoes.
Eric: I was probably about as evolved at that point in time. Mark, you know what it's like to be a 17-year-old boy. I mean, you're really pretty low on the intelligent decision-making maturity scale, right?
Mark: Maturity scale.
Eric: I mean, you're just not there. It was a great choice and it's how I got into IT. Because in about '92 or so I started building computers. And we got a computer in probably '94. The first computer in my unit to run, just to manifest for drops, exercises. It was literally an electronic typewriter, the way these guys thought about it. I’m with a bunch of infantrymen.
I was the only guy in the unit who had new computers, the only guy, I built them for gaming. So, I volunteered for college. I said, "If you allow me to set up college courses for the detachment, 60 person volunteer detachment I was in, I will work in the operations department with a computer." And that's what I did and my career just took off from there.
Carolyn: How long were you in the army?
Eric: Four years, 17 weeks, and I think four days or something with my contract.
Carolyn: And then where did you go?
Eric: University of Maryland. So, it was a great ride. It was even before the amazing benefits the government gives you in the GI Bill today. The GI Bill in army college plan to go to a college fund. It was like $28,000 for four years of service. That was the optimal breakpoint. You could do five or six, but you really didn't get a lot. You got to like 32,000. And my goal was to go to college.
Mark: Did you go to college full time or did you kind of dual shift at school and work at the same time?
Eric: So, I probably got about a year in the military when I moved into operations and ran, I didn't run but I did a lot of the operations work with a couple of V6s. At the time I was an E-5. But then, when I went to college, I went full time and I worked somewhere about 40 hours a week. I had a kid. My first son was born at 20. So, I'm out of the military at about 22, and I had to keep the lights on. And I had to get my college education and get moving. So, I was working full time and I was working and I was going to school. I was doing probably 21 credit hours a semester on average.
Mark: Yes, that'll make you grow up.
Eric: It's interesting. I have three boys and I think the maturity level as you watch them and their friends. Twenty-five is the magic age, in my opinion, plus or minus three years for maturity in boys, that's just Eric's principle here. Unless you have a kid at 20 and you're in the military and you don't have a lot of help. And then, you grow up really quickly. I stopped going to Nashville every weekend for parties and concerts. I stopped drinking. It was time to get serious about life and take on the responsibilities that I had. It was good.
Carolyn: What was your first job out of college?
Eric: So, I bartended a little bit until I got a job at Microsystems working on, I was a QA test engineer for all of two weeks. I don't think I ever told you this.
Carolyn: No, I'm learning new things.
Eric: It was absolutely miserable. I was the worst QA test engineer ever. So, I'm IT savvy. I can build computers. I've been building computers for years. I know the Windows operating system. I'm pretty good at what I'm doing for that age and that period of time in life. I couldn't sit still. I kept talking to the developers. I'm supposed to sit there and run test routines all day and look, I had a bank of three monitors, and I literally could not sit still. Two weeks later, I was like, "This isn't working." And my boss at the time, I can't remember her last name. It was Melissa. She was awesome. She says, "You're right." And we had customer service problems.
Eric: So, we took an employee kitchen. We moved a bunch of computers and tables into it. And we became like an R&D faction that helped customer support issues. So, we got all the hardest issues because we sat in R&D. And it worked great for the company. It worked great for the customers, and most importantly, for me.
Because I was always talking to people and fixing problems and doing things as opposed to watching automated test scripts build all day. It was the most boring job ever for me. Actually, I sorted apples once for a day and my grandfather was a produce farmer. And he took me to this amazing job. I think it paid four bucks an hour to sort apples, and that was probably worse than the testing, Carolyn.
Carolyn: Worse than QA?
Eric: Yes, at least with the QA, I have computers.
Mark: I thought you were talking about the Apple computers.
Eric: No, I'm talking like McIntosh and Rome, and the traditional apples in Pennsylvania. And just moving on a conveyor belt and sorting and checking apples all day was like the most mindless activity and it just did not work for me. But you're getting a lot out of me that I would say many close family members and friends have never even heard.
Carolyn: All right. So, which brings us to today. Well, before you came to Forcepoint, were you at McAfee right before Forcepoint?
Eric: Yes. So, I worked at Micros and I got my MCSE. I was really good at databases. And I went to Sybase at that point, great database company. I had a friend bring me over. And then, I went to EMC after that and learned storage area networking at the best of the best. So, I've got database IT storage background servers, I built them. And then I went to Salesforce.com for a two-year PhD in the Cloud.
This was a great experience and it was challenging at the same time based on the customers and the sheer growth there. That's all they cared about. So, then I went to McAfee and really took up the InfoSec or cybersecurity side of the business, which I've been doing for the last 12 years and it drives me crazy. Because we get further and further and further behind the adversary.
Mark: That's interesting that you bring up the whole Salesforce thing, because they were probably one of the first software service companies that were out there.
Eric: Certainly, at scale. And the scale there right now, Mark, is, I was looking the other day. I have a couple of friends there and I had lunch with a friend. I mean, what they're doing today, I could have never imagined in the 2008, 2010 timeframe.
Carolyn: So, Eric, you and I have been talking about cybercrime, cybersecurity for a while now. And you've written some recent articles, and you've been talking about it. I want to talk about the problem of cybercrime. And you just mentioned that we're getting further and further behind. And when you and I talked earlier, it just reminded me of the Alice in Wonderland quote, when she's in the Red Queen's race and the Red Queen tells her, "We have to run faster and harder here just to stay in place." And Alice is like, "Well, that's stupid." So, let's talk about the massive amounts of money that we're spending on cybercrime and cybersecurity, and what needs to change.
Eric: Yes, I can talk to some of that. I certainly do not have the answers on what needs to change. I thought you put that quote in because of me. Because it's actually something that my old CTO and CMO at McAfee wrote in a book called The Second Economy. They quote Alice, in that specific quote, in the context of cybersecurity.
So, we're just talking about my career, up until 2010, when I really joined cybersecurity, hardcore for the first time. I'd always build things.
IT is an enabler of the business, it builds things to make business run better, faster, cheaper, whatever it may be, but it's an enabler of the business.
Eric: And you're always growing and building things. The problem with cybersecurity is you're getting further and further behind. You're not necessarily building things to make things better. You are kind of putting things together to try to prevent things from getting worse. It's almost the flip side of the coin, if you think of it that way.
Mark: Eric, do you think that the fact that we're getting further and further behind is a function of the discipline of cybersecurity and that we're just behind there? Or is it the fact that adversaries like China, Russia, Iran, are investing more? And general IT like encryption, quantum computing, or artificial intelligence and stuff like that. Is it more a function of that or the discipline of cybersecurity?
Eric: I really think it's both, Mark.
So, when you understand the rules of the cybersecurity world, the adversary gets first mover advantage. They get to decide every single time how they want to attack you, how often they want to attack you. They essentially get an unlimited number of tries. Because it's risk and treasure.
When you look at it, what's the risk versus the opportunity? That's the probability of cyber there and the risk is very low. You don't see a lot of people going to jail, you don't see a lot of people losing money in cybersecurity, you see them gaining. At the nation state level, you don't see a lot of sanctions and things like that, because of cybersecurity action. It's almost like there are no red lines, and they're just taken for granted.
Eric: And if we're going to go into a country and surveil their networks, or our adversaries steal our IP all the time, it's almost accepted, unfortunately, these days. So, you've got the adversary first-mover advantage, they get as many tries as they want. There are no silver bullets here. And then you look at the defender side, we don't have enough people, depending on who you look at data-wise, where cybersec.org is good. They'll show you we're probably a million-plus people behind on the cybersecurity side of just being able to hire. We don't seem to innovate and that's an interesting comment, if you're me, in an industry that has four or five thousand players.
But that leads to my next point, we don't consolidate. The industry really hasn't consolidated. If you look at most of IT, look at storage or I mentioned databases or operating systems or even networking, there are usually two or three key players. We don't have that.
And then, when you look at the incentive side of the equation for the defender. If you pick a tool, a cool tool, I'm going to take you back to 2012, sandboxing. Sandboxing was the end all be all as FireEye at the time. Kind of took what was in academic labs and productized it and marketed the hell out of it. Palo Alto did the same thing with the next-gen firewall to iterate on the firewall side. You take a tool that's really hot and really cool as an IT operator, a security operator, and you buy it and bring it into the business while you're doing pretty well.
Eric: What's the efficacy rate? We're probably not able to measure that as businesses, most people don't care. And you just deployed a cool tool in 2012, called sandboxing. Well, the adversary quickly innovated around that. They had the ability to look for sandboxing, am I running in a virtual machine, is my malware running in a virtual machine. They put in things like time delays, which are really easy.
The sandbox isn't going to sit there for 30 hours and wait for your malware to activate, it's going to look for it to activate right away. So, I'll just put a seven-day delay in and you can quickly innovate around that. And that's okay. But the defenders aren't any much better for it, let's put it that way.
Now, if you're the person on the team who brought in that tool, you can probably go to a bank or another company and say, "Well, look at my resume. This is exactly what I did. Regardless of effectiveness, I can do the same thing for you and get a huge increase." Because we all know or I think most people know, the only people really making money in cyber, in general, are the employees.
But if you're on the defender side, if you're on the attacker side, if you're on the vendor side, maybe you could argue government employees aren't making as much as they could be. That would be accurate. But the employees are making the money. A lot of cybersecurity companies still today run at a loss.
Eric: So, we've got all these dynamics in the market that make it a really hostile environment, when as a business owner, or a network, cybersecurity defender or whatever it may be, you're just trying to protect information. You're just trying to protect business. It's a tough space.
And it's equally as easy for the adversary. If they want to steal something, if they want to make money, it's a pretty low risk, not so hostile environment. It's perplexing. It's really why I stay here. I'm not in IT anymore. I'm not building things really. We're falling further and further behind. I think there's an answer, but we don't have it yet. And to me, that's the ultimate puzzle that maybe by the end of my life, I'll have some clues to how to solve it. Well, I'm certainly not solving it.
Carolyn: So, you said a couple of things that I want you to unpack a little bit for me. So, you said in cybersecurity, we don't consolidate. What would that look like if we did? And then, you said something that really got me. You said we don't innovate. Are you suggesting we haven't innovated since the sandbox in 2012?
Eric: I'm not, but I'm thinking about it in maybe a different way.
Carolyn: What would the consolidation look like?
Eric: So, there are four or five thousand companies, right? We haven't consolidated like most of IT, like most businesses do. Michael Porter talks about industry clustering, and we've seen clustering, but we haven't seen consolidation.
Mark: If we have, well, half a dozen. We have half a dozen kind of players in our market compared to the cybersecurity space, four or five thousand is crazy.
Eric: Pick any space and there are probably 10 to 20 larger organizations. And there are dozens to hundreds of startups. And I think the market drives in that direction with venture capital, the private equity, all the investment, all the hype. The fact that you can launch a product. I mean, Splunk, I don't remember when they even became profitable. They were operating at a major loss. Not to pick on Splunk, there are a majority of companies who do this. And look at the stock price and look at how they took off because they were going for market share.
Here I am at the time 2010, I left McAfee in 2018, the beginning of it. We were profitable, I believe the whole time. Not an interesting company, didn't have the funding we wanted to innovate the way we wanted to. It wasn't interesting in the...