Afternoon Cyber Tea with Ann Johnson 4.14.26
Ep 129 | 4.14.26

Tony Sager: The Case for Cyber Hygiene First

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea", where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Welcome to "Afternoon Cyber Tea". I'm Ann Johnson. And today I am joined by Tony Sager, who's the Senior Vice President and Chief Evangelist at the Center for Internet Security, more commonly known as CIS. Tony works across strategic partnership and outreach efforts in the cybersecurity community, and he is closely associated with the work behind the CIS Controls, a widely used consensus-based best practice for improving cyber defense. Tony, it's great to have you on "Afternoon Cyber Tea".

Tony Sager: Thanks, Ann. It's great to be here.

Ann Johnson: So Tony, we're at this moment where cybersecurity feels more urgent and also more complicated. You have AI acceleration, there's growing software supply chain risk, there's a tremendous amount of geopolitical tension, and increasing pressure on leaders to get security right. From your vantage point, what feels fundamentally different about today's security moment compared to even five or 10 years ago?

Tony Sager: Wow, five or 10. Well, I'm approaching 50 years in this, just to let you know. One thing I occasionally remind the team of, saw this in some management thing, right? The rate of change we're experiencing now is the slowest it will ever be in our lifetimes. So everything is accelerated. The change is just getting faster. And, you know, I grew up in a world where we would count on the government. You know, is this technology safe for government use or private sector use? Well, you know, they'll hire a room full of smart guys, sit there, study it for a year, then it'll come out, yes, it's safe, or no, they need to fix this. No one's got time for that. So things are moving so quickly, and we're, we've become used to a world of both great opportunity, new capabilities, but we accept some level of flaws that are in it. And then every once in a while, those flaws go from minor to near catastrophic. So that's really the difference, is we don't have the time for kind of traditional approaches to giving ourselves confidence in software or systems or, you know, whatever's going on. And that's the world that we live in.

Ann Johnson: I think it's fair to say that for years we've been somewhat reactive in cyber. You said you've been doing 50, I've been doing 26. This is year, I'm finishing year 26. But lately there's been this push to be much more proactive, much more secure by design, much more on the front foot, right? And taking responsibility earlier in the lifecycle. We like to talk about shift left. We like to talk about a lot of things. However, the industry, we're talking about it, but the industry has been pretty slow to make that shift. Why do you think it is that we're being so slow to go from being more reactive, or why is it so slow that, you know, from being more reactive to shifting to being more proactive?

Tony Sager: Yeah, it's certainly true. You know, as I look back across the industry, the majority of it is there in reaction to flaws in protocols, bugs in software, in dealing with that, and any other domain of risk in your life, right? We learn prevention is more effective than reaction. And that's just a truism that happens to be true. But it's been really hard to get there because of the economics. So we have proven as social creatures we will accept flawed software in exchange for much better features that we had before. And that just became part of the way we operate the industry, right? And so it's a rational decision on the part of the vendor. They could study and scrub out bugs for another year, but they've missed the market. And my vendor friends will say things like, second to market is last to market, right? And that means exactly what it says, that people expect, the public is willing to pay for things sooner rather than later. I used to joke about, you know, again, I grew up in a government world where you took your time.

Ann Johnson: Yeah.

Tony Sager: It may take 10 to 15 years to build a new radio for the US Army, you know, in the '70s and '80s, and now people are patient for 10 or 15 minutes, right? And whatever they see in the current headlines, well, I hold newspaper, as if we read them now, but whatever new we want now, and no one's waiting for the government or a regulatory agency to tell them it's safe. They want to get into it right away. But this need to push earlier in the lifecycle is really important, and it's because so much is at risk. It's just, there is no economy without IT, right? There is no social life anymore without that. And so it's become so embedded in our way of life that it's fundamental to everything that we think, do, or say. And so you have to say, what do we need to demand as citizens? What would be the sort of bare essentials that we'd expect in public safety or employee safety or financial safety? We just don't know the language for it. Now, the IT stuff, cyber stuff is complicated. There's so many variables and so many things that can go wrong. And by design, it's a worldwide market. Most of our pieces don't come from, you know, sources that we know much about or that we can have much trust in. But that's the choice that we have made, I'd say implicitly rather than openly.

Ann Johnson: Yeah. Well, it's a global economy. It's an IT economy, right? And we're sitting here. I have a couple more questions about secure by design, but I just want to make comment for the audience. We're sitting here live at RSAC 2026, right, which is the 35th anniversary of the RSA Conference. And the entire conference has been about AI and agentic, and, which means that we're not only have been moving fast in the past five years, we're going to be moving at light speed in the next five years. People are going to be innovating. They're going to go into new markets. They're going to be bringing new products out, and they're going to be trying to improve their productivity and their speed, once again, acceleration with AI. With that in mind, secure by design, right? So we love to talk about secure by design. As an industry, we've talked about it for several years, but it's hard, right? People will tell you that secure by design is hard. I have the sense that it's going to be getting harder, because now you have agents, you have things that are essentially bots that you're saying, hey, these are now safe in our environment. Talk to me a little about why secure by design historically has been hard, and then if you have any perspective of why, you know, the agentic world is going to change it.

Tony Sager: I mentioned the economics of prevention of problems, right, them in. Everyone knows that's the wiser. I was around for the heyday of formalized computer security was in the 1980s, when there was a group that was associated with Fort Meade in my first career. And some of the biggest brains on earth worked through all those problems of secure operating systems. And the notion was if I could build a secure operating system, then all these good security properties would flow to the real-life environments. And it was great technology, but it kind of ignored the market. That is, if it didn't run PowerPoint, no one was going to use it. If it didn't run Excel, it would never be in the marketplace, right? So you have to start from, why do people get computers? It's not because they want security, it's because they want features. And so they will focus on that. People also didn't realize the systemic problem. If you say, I'm going to study the security of this for a year, then you lose market opportunity. Others, maybe with less incentives or less scruples, will enter that market ahead of you and take over. So it's a different kind of risk, right? So if the government is slow, others will fill that gap with even riskier things. So getting that in earlier is hard, but it also required a set of tools and analyses that we didn't have back in the '70s and '80s, the ability to craft these kinds of things and have great confidence in their output. But the explosion, and this is, you know, before there was AI, there were all the, like you said, a worldwide IT market, and the use of open source, right? So systems in the old, I'll call it old days, you wrote software, you built a system from scratch. Now you kind of assemble it from pieces, all kinds of libraries and other components that get brought together, a lot of which were not under your control. So you're counting on those things, right, to have certain security properties.
Well, as we've seen in some of the big open source, I mean, a lot of great people work on that, but they didn't write this for every possible application, right, from household to nuclear weapons control, and yet that's where it gets used. And so this stuff gets reused a lot in places that it was not designed for, and it introduces these risks that can pervade the system. You know, I was on that Cyber Safety Review Board, one of the founding members of that. And a couple of those reports looked at this issue, right, where it's a case where an individual company might make a rational decision. I need a piece of software for this. What's the FBI using? What's NSA using? What's the DoD using? Hmm, that seems like a safe choice, right? I can't go analyze it. So you kind of go with where others have gone, and then one day you wake up and you realize, wow, the entire US government is dependent upon this piece of open source that was not written for this purpose because it's now 75% of our environment. And that's a system-level risk that no one really anticipated, no one was tracking, but that's what happens, right? The software does what it says --

Ann Johnson: Yeah.

Tony Sager: -- until someone manipulates it in a particular way. And so that was the precursor to this, it's everywhere, right? There's no thing I control. So the traditional security models are based on loosely, conceptually here, control and inspection, right? You could pay a room full of people like me to inspect software to say, does it do anything funny? Are there any zero days in it? That sort of thing. No one has the ability to control that anymore. And no one can say, I've studied this till I believe it's highly secure and I'm just going to lock it down and no one's going to change it. That's unrealistic in today's market. So, but the AI stuff just accelerates that dramatically. Use that word, I mean, when this all, when the buzz really took off not that long ago, it's accelerant. That's --

Ann Johnson: Yeah.

Tony Sager: -- what is happening. This is like throwing gas on the fire. You know, things are getting more complicated, more dispersed, harder to control. AI will just 1000x that.

Ann Johnson: Yeah.

Tony Sager: And that's really what's happened I think and that's the way you described it I think exactly.

Ann Johnson: Well, it's machine speed, right? We're now, you know, we've gone from human hackers and human hackers aided by machine learning or human hackers aided by some tools or some capabilities, to actually the machine being the hacker over the fullness of time, right? We're not seeing as much of that. We're still seeing a bit more AI-aided hacking, right? Or AI-aided targeting, I would say. But at some point in time, the machine is actually going to become the adversary itself. And that's when it becomes necessary I think on the other side for the machine to become the defender also.

Tony Sager: I think that's right, and, you know, people often ask about, you know, is this trend better for offense or defense? And here's my experience with advanced technology. I often say, if you want to see capitalism in action in this space, study bad guys, not good guys. So bad guys are inherently more efficient, right? And they say, I don't need to write tools, I buy the tools. I don't need to build a recon network, I rent the recon information, all right. They're naturally Darwinian. They naturally divide up functions, right? And one reason they can do that is because their objectives are clear. It's not nearly as fuzzy as, let's defend ourselves, right? It's, I need this target, I'm trying to extract, you know, wealth from it or whatever. So you can see early adoption on the attack side is a natural because that's been the history of the business. On defense though, you know, defense is crippled by things like, oh, cranky users when I make a change. Things break, more expense, my boss doesn't care. I don't have a budget for it. All these real-life problems that are really non-technical, but they're more about how do I marshal the resources or get the attention. I'll say, you know, having dealt with, in my first career particularly, things like threat intelligence and incident response and all that, there is so much grunt work in the nature of defense that there's great opportunities for automating lots of that, for bringing data together. I mean, watching people handcrafting, moving, scripting, translating data from this to that. It's like the people that deal with incidents for a living are heroes. I mean, in the DoD, we saw this. Bad guys know to attack on long holidays because everyone's at home. Now we're going to pay double overtime for everybody to come in. They know how to manipulate the environment. And the folks that have done that, you know, basically working with Bronze Age tools in the Space Age, have really struggled. 
So that's also a great opportunity, though, for massive scale and massive improvement. And to get, you know, there are jobs still that we believe only humans can do, right? The sort of judgment.

Ann Johnson: Oh, absolutely.

Tony Sager: But all, there's so much of this grunt work in defense that I think there's great opportunity. And I think you're going to see some of that, you know, here and other places. And I really, on balance, I lean towards the optimistic rather than the pessimistic.

Ann Johnson: Yeah, we'll get to that.

Tony Sager: Okay.

Ann Johnson: Because I end every podcast talking about cyber optimism.

Tony Sager: Sure.

Ann Johnson: So think about that one.

Tony Sager: Okay.

Ann Johnson: You know, one of the things that strikes me, you said our former CISO Brett Arsenault is now very much enjoying his retirement, his well-deserved retirement, used to talk about how in your security operations center, you had kind of two modes, right? You either had firefighting, which then you're getting diminishing returns because people are exhausted. They're working long shifts and you never have enough people. Or you had that really mundane tactical work, which is like handing somebody a Lego kit and telling them to build the same Lego over and over and over and over again.

Tony Sager: That's great.

Ann Johnson: And they're getting, you know, they don't want to do that work because it's repetitive and mundane. And I'm hoping that what AI can do is help those defenders automate all the mundane stuff and then help them in times of crisis so that we aren't burning out human beings. We're saying next best action, we're automating as much as possible. We're helping them in their judgment, right? Which comes to my next question, which is about leadership. One of the things I admire about the work you do is you often talk about cyber, about being a leadership issue, about being an accountability issue. So I have a provocative question. Where actually does the accountability for cybersecurity sit in most commercial organizations? We won't talk about government. And then in your mind, where should it sit?

Tony Sager: Well, that's a great question. So there's a tendency to blame the technologists for the problem, you know, say CISO level. And, you know, that's the hired to be fired, right? That's the life of the CISO. But there's a, really an executive level responsibility. So a healthy trend over the last quite a few years has been the shift of cyber from an exotic sort of an add-on to mission, to fundamental. Which means the decision to invest in cyber or what to have a strategy for is really a board-level executive decision, right? It happened quite a few years ago. Every tech company or tech conference had what every board member needs to know or every executive needs to know about cybersecurity and vice versa. People were starting to learn the language of each other. And I think there was a migration of these problems. How do I compete investment in cyber with investments in things like employee safety or financial security, and that's kind of the right place for that to happen. There's a quick story. So my dad was an army sergeant, you know, three-war veteran, never fired a gun in anger, but he was, every once in a while I'd do something, the dad would have been proud of me. As I was talking to him, I believe he was a two-star general in the army and there was a hack that hit the army in a bad way, and we're talking. He said, we need to find the person responsible for not getting the patch in place in time and make an example of them. This is a command-level responsibility, you know. I said, sir, you know, an enterprise that allows its lowest paid, least ranked employee to bring down the enterprise for something like that is guilty of not having bad, it's not bad people, it's bad strategy on our part.

Ann Johnson: It's bad leadership, yeah.

Tony Sager: And that same person, if he had said, could we take down the mail server for a couple hours because we're way behind in patching, he would have said, no, mission essential. So you're going to give him conflicting requirements. He's got Bronze Age tools dealing with the Space Age problem. He's running a network that's in sandy deserts, right, in the Middle East fighting wars with stuff that was meant for consumers, and you want to blame them. So that is completely the opposite of really where the responsibility lies. Now, what the tech community has struggled to do was frame the problem in ways that make sense to executive decision makers.

Ann Johnson: Completely agree.

Tony Sager: We had not, the model I grew up, I often describe I grew up in the wizardry model. This is magic, and there's weird-looking people.

Ann Johnson: Yeah.

Tony Sager: I'm not sure. I know we need to pay them.

Ann Johnson: And we talk in weird language. We talk about sandboxes and detonation chambers and all these, you know, all these strange things.

Tony Sager: We can confuse you with all that stuff. But that doesn't help, that just impresses, right? I just said, that model is great job security for all folks like me, but it's terrible for public policy or executive decision making. It doesn't put the decision in a frame that allows it to compete in its rightful spot. So, long answer, but it was the world from, I need to find the poor private, you know, and you remember in the press, fire the intern who didn't do the right thing or made the misconfigure, oh, that's terrible. These are your least equipped, lowest paid. If you collapse because of that, shame on you, right? You should have built around that. These are good people doing the best they can. They don't live this technology. There's no reason to expect them to. So you have to say, what is the executive responsibility? Where have we failed? What we didn't understand. Again, I put a lot on my community, right? Wizardry doesn't allow us to support the decision makers. At the end of the day, we have to help them make responsible decisions. And, you know, I grew up, again, in the military world. How many times I was in a room where the executive decision maker says, you know, I'm listening to all the tech gobbledygook and they just give up and they go, I accept the risk, I sign the waivers, the paper, whatever. They're not doing that because they felt confident that there's a knowing acceptance. They're just frustrated.

Ann Johnson: Yeah.

Tony Sager: No one will help them. So they, and by the way, they have wars to fight in that world I grew up in, right? They have really important, dangerous things to do, and they're going to do them at some level of confidence. And again, our responsibility as technologists who live this is to help them understand what the risks are and support them with the best decision that they can make. And that's, you know, again, it took us, I think many of us a long time to really see that.

Ann Johnson: I think that's really fair, and I fundamentally think that most security people are very mission-driven, and most people who make a career of this actually are trying to do the right thing, right?

Tony Sager: No question.

Ann Johnson: They may not always get it right, but they're trying. With that in mind, when you think about leaders who are trying to do the right thing to improve security within their organization, what are the most common mistakes you see for people, you know, I'm going to improve security fundamentally in my organization?

Tony Sager: The mistakes that they make. I think there is a dramatic underappreciation for the fundamentals of defense. And people will say it, right? There's a term that I used to call this the most-used, least-defined term in our industry. Cyber hygiene. And you'd hear people say, you know, we need better cyber hygiene. For example, patching, we need better hygiene. For example, wash your hands, you know, the equivalent of wash your hands, right? And it's well intended, but you can't build a program upon examples. So at CIS, we formalized a definition of essential cyber hygiene for a specific purpose. These are the things you need to do. We have the data to back it up, and we feel very confident in it. But the idea was, if you want that, you have to describe it in a way that people can execute it.

Ann Johnson: Correct.

Tony Sager: Now, we accept as citizens, right, when we tell people, wash your hands, get your shots, don't cough on others, we believe in our hearts that scientists in the back room are studying that. And what they did, though, is they take all that complicated science about virology and so forth that we don't understand, and they translate it into behaviors.

Ann Johnson: Yep.

Tony Sager: Okay? So I often talk about our work at CIS, we are translators. We study all the stuff that every enterprise wishes they could study but can't. Adversary tradecraft, summary of attacks over the last year, the role of technology in business, and we try to put all that together. We translate it into behaviors. And that's something, you know, you can execute, right? You can build an improvement program on and so forth. And that is really important. You know, my background is in math. There's a term, the 80-20 rule. You might hear the Pareto principle, right? But basically, it's philosophy, not mathematics. But it's in many endeavors in our risky lives or in our lives, you get 80% of your value from 20% of your sources or variables or choices. So the idea is if you pick well, you get most of your value. But partly because of the wizardry model, it's, like, no matter what you do, you know, I'm professionally trained to find flaws in things. I can't help myself. So you could do lots of things. Yeah, but I know five more ways to get you. And at some point, that's no longer helpful, right? Because to bankrupt your company in the name of good security is terrible business.

Ann Johnson: Yeah.

Tony Sager: So at some point, you have to decide what's the risk-reward here, and you need help doing that. You'd like to then make those first choices. By the way, 80% of doctors agree that I need a cardiac treatment. I'm willing to go with that in almost any endeavor of my life. So the idea was we underappreciate the fundamentals. We overstate the sort of wizardry, right? That is, again, professionals like me, we find flaws for a living and have no responsibility to fix it, by the way. So at the end of the day, you have to make a decision about how much is good enough. And so building a program of improvement gets you very far along on the path and is the foundation. So that's the approach that we take. We're a little counter to the marketplace, right? The marketplace is noisy, tells you you need a new thing, a shiny object, magic beans or whatever. And we're more focused on what is the foundation of defense. And if you can get to there and you move into a riskier business model or have more at stake, you can build upon it. You don't throw away and start over, but you build upon that. So that was the intention of a lot of the work.

Ann Johnson: Okay.

Tony Sager: But it's sort of the two ends of the extreme, right?

Ann Johnson: Sure.

Tony Sager: Get the fundamentals right. And I discussed this a lot with general officers back in my prior career. They would say, yeah, that hygiene stuff, that's great. But what about the nation-state adversary? Well, number one, nation-state adversaries all use the same garden variety stuff when they can.

Ann Johnson: Yes.

Tony Sager: Because it works.

Ann Johnson: Yes.

Tony Sager: And it hides them in the noise, right? It doesn't distinguish them. You don't give away zero days unless you really need to.

Ann Johnson: Yes.

Tony Sager: But I said, suppose we do learn about these rascally nation-state folks and their clever tradecraft. What are you going to do about it? And the general, this is an actual conversation with a three-star, we're going to tell everybody and warn them, aren't we? You're going to send an email to every system administrator in the DoD? Is that what you're going to do? I said, no, they're going to turn to their technology --

Ann Johnson: Yeah.

Tony Sager: -- and execute something, find something, block something, remove something.

Ann Johnson: Correct.

Tony Sager: So if you don't, that's the foundation of defense. So you might have greater, more specific, finely-tuned intelligence information, but at the end of the day, you still need an action architecture, right, which you have to build first. Otherwise, that stuff is just noise to you. It's just filling up the inboxes of system administrators.

Ann Johnson: It is, and I talk a lot about cyber hygiene. I had the pleasure at one point in my career of running the Microsoft Dart Team, our customer incident response team.

Tony Sager: Okay. Sure.

Ann Johnson: And we published a blog that we refresh and republish periodically about the five top things that cause really major events. And we say things like, attackers don't break in, they log in. But at the end of the day, you also can't tell a customer you need to patch everything, because they can't patch everything, right?

Tony Sager: Exactly.

Ann Johnson: You can say to them you need to use MFA 100% of the time. That's a reasonable statement. That's what you need to understand. And we also need to talk a lot about probability of attack. The one thing I love to say about, we love to talk about advanced persistent threats. And I always say they don't have to be advanced. They just have to be persistent because there is something in your environment that's unpatched. There's something in your environment that's unmanaged. We all have technical debt. The question is understanding your risk, understanding where the, what is the stuff that cannot be impacted, and making sure you've built the right defense in depth around that.

Tony Sager: That's right.

Ann Johnson: It's hard, though. We talk in these languages, and I'll tell you, I'll make one final point on that, the way I, the analogy I like to use, which I think you'll appreciate because you've talked a lot about your military background, is I talk about the fall of ancient Rome. Ultimately what took down ancient Rome was they poisoned the water source from the outside. If they had had more resilience in their water supply, which is the same thing nation-state actors do to us today, right? They find that one, and that is hygiene. That is fundamental hygiene. And people are like, oh, I kind of get that. But we also have to talk it a line, which we can't scare people. About over 10 years ago, I went to work for Qualys, and I worked for them for a period of time. And I remember when I first, I was so excited, right? We're going to attack vulnerabilities. I had been at RSA for almost 14 years. I go to Qualys, I'm like, this is different, I'm excited. And I remember a CISO saying to me, good friend, he said, Ann, do not come in here and hand me a 400-page report of everything I have to patch, and then say, have a nice day, because that's kind of what you do. And it just occurred to me that at that moment, seriously, it was this moment for me that the industry has to change. We actually have to make the job easier. As an industry, we have to make the job easier for the CISOs. We have to make things more automated. I'm optimistic about the world we're in today, because I'm optimistic with AI, one of the fundamental things it could do for us is make things more automated. And then we're not handing out 400-page patching reports, we're doing automatic patching and updating and those type of things.

Tony Sager: Yeah, and that's a great story. And we're kindred spirits on the hygiene business, again, it's not trivial. It is the foundation of other things that you wind up needing to do anyway. You actually get tremendous value. We've studied it and every, anyone who's studied it seriously gets that, right, that these foundational steps are the launch point. You get lots of value from them, but they also allow you to build upon them. So we're very careful about thinking about it. So yeah, and actually when I retired from government and then went first with an initial, a small nonprofit, then CIS, but one of my earliest friends was Qualys, because it was kind of lined up with their business model anyway, but this idea of good management is really the foundation of good cybersecurity, right? It's most of the early, and if you look at our work, what you see is good IT control. Visibility, management, change management, all those kinds of things are just the foundation.

Ann Johnson: Great. Well, we're coming to the end. At the end of every "Afternoon Cyber Tea", I explain to the audience that I'm a cyber optimist. No matter how many bad things you see in the news, I know there's thousands of things that the industry has detected and blocked before they became bad things. So I still believe today we're ahead of the game. What are you optimistic about?

Tony Sager: Oh my goodness. Well, the standard story that I use, I said you can't last for close to five decades now in cyber defense without being one of two personality types, complete cynic or hopeless optimist. So if you're a complete cynic, there's disaster to point out every day, right? The other people's flaws and all that. But I made a choice to choose that hopeless optimism, right? Because that's constructive. I'm not interested in being on a street corner, you know, waving my fist and telling everybody what they've done wrong, because I've seen that doesn't change anything. And the goal is that we all live in a more secure, safer world. So I am optimistic in terms of the opportunity there. But I'll tell you, again, I spent that first 35 years at the National Security Agency and helped bring it out into the public. For whatever you think of the NSA, you know, I led the campaign in 2001 and beyond to really open into partnership. My first talk here was in 2002, I think, 2003, and, you know, have a long history of opening that up. And it was because of this optimism, right, that, and recognizing there was no perimeter for the US government to hide behind anymore. And what I found was, the US government did not have, despite my training in-house, did not have a monopoly on amazing smart people dedicated. And our business model at CIS isn't possible without our volunteer army. And the quality of people that will volunteer for the common good and put their energy towards the creation of security benchmarks and CIS controls and things that we do is off the charts. It is astounding. And we have volunteers that have been with us since 2000, since the founding of the company.

Ann Johnson: Yeah.

Tony Sager: And to a person, they all say something like, volunteering for this kind of work, right, which is concrete, right, they get to create products of it, feel proud of it, is among the most satisfying things in their career. So the ability to, when you have a community like that, incredible talent, goodwill, willingness to put their time into common good, I often say, again, all we do is provide a vehicle to channel all this into something constructive, right? I said to get the most value out of free labor, you need a professional infrastructure, right?

Ann Johnson: Yeah.

Tony Sager: So we define the roadmaps, deal with the vendors, publish the standards, keep things current, manage all that, is why you need a professional company as a nonprofit to take this energy and turn it to good. So I have seen just extraordinary people want to do the right thing, government, private sector, academia, all that. So what I hold out hope on, my sort of final thing about Optimist Man is that, I've said this many times in public talks, we are not going to get better people than we have in this industry. I mean, the talent is wonderful. The dedication is just astounding. What we need to do better is organize them. Because left to our own devices, we'll argue endlessly about angels on the head of a pin and how many vulnerabilities and flaws and patches. I mean, that's the nature of these smart, committed people. But turned constructively, there's nothing we couldn't do. And so that's my final. That's what's kept me still working at this part of my life.

Ann Johnson: Tony, thank you so much for joining me on "Afternoon Cyber Tea".

Tony Sager: My pleasure. Thanks for having me here.

Ann Johnson: And many thanks to our audience. Join us next time at AfternoonCyberTea.com or wherever you get your favorite podcasts. [ Music ]