Helping Future Proof the Cyber Landscape
Ann Johnson: Welcome to "Afternoon Cyber Tea with Ann Johnson," where we speak with some of the largest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson, and today, I'm joined by Rob Duhart. Rob began his cybersecurity career in the United States government working at the Department of Energy, FBI and in the intelligence community. He transitioned to the private sector and has successfully led talented security teams at Cardinal Health and Ford Motor Company. Rob is a member of the Cybersecurity Executive Education Advisory Board of Directors at Washington University in St. Louis, where he helps craft the future of cybersecurity executive education globally. Rob also sits on the board of the EC Council and has founded chapters of the International Consortium of Cybersecurity Professionals, ICMCP, across the country. Rob is currently the vice president, deputy chief security officer and CISO of eCommerce at Walmart and is passionate about securing the digital world and supporting Black-plus women and underrepresented minorities across the entirety of the technology landscape. Welcome to "Afternoon Cyber Tea," Rob.
Rob Duhart: Thanks, Ann. So honored to join you today. And gosh, when I hear the intro, I ask myself, is that even a real person? That's not me. But thank you for the kind words and the kind introduction. Love the platform and I always love to partake. And so good afternoon, "Cyber Tea."
Ann Johnson: Thank you so much. And are you taking any tea this morning with the podcast or are you doing something different?
Rob Duhart: Oh, my goodness. Water today, but that's simply because it's been a long week, as I'm sure many in our industry would agree.
Ann Johnson: You know, I think that - and I was reflecting on this because I think it's just many, many long weeks that pile up for our industry. So I'll start by thanking the frontline cyber defenders who are constantly working around the clock and don't get nearly the recognition they deserve.
Rob Duhart: You know, Ann, I love that point, right? We have a number of associates that have been working really 24/7 since last Thursday. And so they don't get thanked enough. And, Ann, you'll agree with this, oftentimes, when everything is good, you know, nobody's really giving kudos, right? You know, the teams don't get a lot of focus our attention. But when everything goes bad, all of the focus comes down to the team. So I couldn't agree with you more. Thank you to all across the industry.
Ann Johnson: Yeah, thank you again. So, you know, it's great to have you here. I've been - as you know, I've been trying to get you on for a while because you're such a great voice for the industry. Let's talk just for a second about the time of year for - we're recording this as we go into the holiday season. And for those of us in the cybersecurity industry, it's a time when we tend to look back at the calendar year, recognize all we have learned. And that's actually, you know, an interesting part of the job. But we also sometimes will focus on our cybersecurity predictions for the next year. But before we talk about predictions, let's talk about some of the big cybersecurity surprises in 2021. What surprised you and what are your takeaways from this past year?
Rob Duhart: Well, you know, a lot has surprised me this year. And I have to go outside of cyber first, too, right? You know this, a lot of people know this, I'm a huge Tennessee Vols fan. So the fact that my Vols put up 40 points a game, huge surprise. But, you know, to get back to cyber - across the industry, you know, ransomware continues to cause problems as the business of malware evolves. I did not expect that we'd start to see a whirlwind of nation-state actors and others getting caught, getting indicted and even being taken down, right? REvil was one of those such cases. I didn't expect that going into 2021 but really glad to hear, glad to see. You know, I think at the same time, there's some things that are continuing. Talent continues to be a hot topic where we see - you know, this is tea moment, right? We see unrealistic job posts and bias sometimes preventing our industry from becoming more diverse, something I know both of us are really passionate about. So, you know, to be honest, outside of those surprises that I shared earlier, honestly not that much is surprising in 2021 - many ways a continuation of what we've seen beyond, you know, previously. But many leaders like you and I have been warning of these issues for many, many years, whether it be talent, whether it be ransomware, you name it.
Ann Johnson: I agree with you. Look, I posted on Twitter recently that I wasn't going to make huge predictions about 2022. And then I reposted an article about, you know, cyber hygiene and doing some of the things that organizations legitimately, like, struggle to do because they have so much technical debt, right? And I do think that whilst there were some really great things that happened in the year and things that happened with, you know, the U.S. government and, you know, 20 or 30 governments globally taking a much more assertive stance with ransomware and with the takedowns that happened, I think that there were things, unfortunately, if you've been in the industry long enough, almost nothing surprises you, right?
Rob Duhart: Absolutely, right. And hey, we got to give a shout out to Microsoft because you all played a huge role in a lot of that work. So thanks to yourself and other industry partners who helped make that happen.
Ann Johnson: Yeah, well, thank you always for the partnership. So we can't deny that this past year seemed to set some records - right? - with the sophistication and the broad range and velocity of cyberattacks. So as you think about the future, without making, you know, specific predictions, do you think we're just going to see a continuation and an increase in sophistication and velocity, or are there new threats on the horizon that you think that we need to prepare for today?
Rob Duhart: Yeah, look, the sophistication in TTPs of malicious actors are continuing to grow. The susceptibility of our tech stacks continue to be complex - right? - where technical debt gets in the way. It really leaves holes that we don't intend to be there but, you know, kind of grow there through over time. So, yeah, everyone is going to have to break the mold, focus on, you know, metrics like dwell time and containment versus building higher walls, right? - that worked for a while, doesn't work anymore - and make headway eliminating that aforementioned technical debt. In addition, we also are going to have to make progress against implicit trust, empower our technical partners across our orgs to address the basics of cyber hygiene. Again, I feel like we've said this before. Ann, if we were face to face, we'd be nodding our heads in unison. And then ultimately to leverage security, to enable and accelerate the delivery of technology and technology transformation for our orgs. Look, if I had a buzzword that can encapsulate all of those pieces (laughter), I would be a wealthy man on the Mediterranean right now. But, you know, I don't think there's one term that encapsulates everything.
Rob Duhart: I just think technology-wise, there are a few pieces of technology that many of us have been preaching about for years that are going to go mainstream, hopefully. MFA via hard token's one. Chaos security engineering's one that's near and dear to my heart, right? How do you build environments that anticipate breach and where you're consistently evaluating and continuously assessing your environment for vulnerability to those types of breaches? Dynamic and automated asset management - if orgs had that, I think we'd all be very happy. All of these components are critical to effectively managing bad actors and the threats that are coming our way, not just in 2021, but definitely in 2022 and beyond.
Ann Johnson: You know, I think it's so funny that you talk about MFA via hardware token because, as you know, I spent almost 14 years at RSA Security. You know, hardware tokens, at the time at least, had about 20% uptake in enterprise customers. And it'll be interesting, I think, with the, you know, lack of friction and going passwordless and creating a more seamless end user experience - I'm optimistic that we're going to see more uptake for customers really rolling out MFA. And as you know, we've done a lot of research, and about 90% of breaches have some type of password element to them. So to the extent we can eliminate passwords completely, we're going to make environments more secure.
Rob Duhart: Ann, you're spot on, right? And what I tell people at Walmart and in previous places, even at Google - and they do this well at Google - having hard tokens can cover a multitude of challenges in our environment, right? So it helps our businesses move faster and us to be more confident using hard tokens and moving away from passwords. So we'll see, Ann. Hopefully this is the year (laughter).
Ann Johnson: Yeah (laughter), it's the year of the token. All right.
Rob Duhart: Every year, right? I feel like - hopefully in 2023, we aren't saying hopefully this is the year (laughter).
Ann Johnson: You know, it goes to my running joke. This will be my 20th or 21st year at the RSA conference, and I always have a joke that every year is the year of something. Maybe we'll see '22 being the return of the hardware token, kind of like the "Return of the Jedi."
Rob Duhart: (Laughter) Microsoft and Walmart together, right? We'll find a way.
Ann Johnson: Yeah. All right. So when you think about organizations and their risks - right? - and when you think about suitable measures to prevent them that don't disrupt business - right? - you don't want to block business - what do you think that organizations should be focused on? What's the couple of things that you would say, look, this will help your security posture and, by the way, it also helps your business?
Rob Duhart: You know, Ann, I love this question, and I'm really proud of what we do at Walmart. We have some amazing teams that do this - enabling business leaders to understand and quantify the risk of their decisions and automating our responses to those decisions, right? I'll say that again - quantify the risk of decision-making and then automating our responses to those decisions. I think those make such a huge difference when we think about improving our ability to ensure our organizations are secure while businesses continue to grow.
Rob Duhart: So many orgs in the industry - right? - we almost work backwards. We purchase technology tools, and we build these suites and portfolios of capabilities. But sometimes we haven't defined the very basics of risk, right? What is your risk appetite? Have you, you know, quantified your risk tolerance, right? Can you clearly define, you know, what I call the game and mark the goalposts before we start, you know, getting into the game and start playing the game, right? Have we partnered with our business partners to quantify and draw these lines so that they can run freely within those lines? You know, I really think that from a security perspective, you must define what it means to manage risk in our environment and our organization, and then that enables the business to move more quickly and to accelerate.
Ann Johnson: I think that's amazing because you're taking it to a business standpoint, right? You're not talking just technology. And I think one of the things the industry has to learn to speak in is more business language so we're more effective at getting executives to understand the challenges we face.
Rob Duhart: Absolutely, right? The - I remember people saying security is a cost center, right? And what I like to tell people is, no, good security are like brakes on a fancy or a fast car, right? If you're an F1 driver, the security doesn't mean you drive that car slower. It means that when it comes time to take that corner, you can take that corner confidently and continue to get back up to speed and get to where you need to go.
Ann Johnson: Exactly. I love that analogy. So, look, as cyberattacks are continuing to increase - you talked about this, right? - we have this shortage in talent, but we also have a shortage in diversity of talent, which I think leads to our shortage in talent because we haven't really gone out there and tried to attract people with different backgrounds, people, you know, from all aspects of society, from all walks of life. And I often say that our teams need to be as diverse as the problems we are trying to solve. And I know you are very, very focused on this with ICMCP and with other efforts. So can you talk about constructive ways and tangible ways that companies can create opportunities that are going to help us attract more people and to get more people excited about cybersecurity careers?
Rob Duhart: Gladly, gladly. And as always, you hit the nail on the head, Ann. And I love how you put it. We need diversity to help us solve these complex problems. The solution is the - is almost the same as the problem, right? You know, the problems are so diverse that we need diverse people to help solve those problems. Look, I think every cyber org in our industry really needs to sit down and be honest with themselves, right? Do we have a multi-year talent strategy, right? Do they have an execution plan that encompasses sourcing, recruiting, retention, succession planning? You know, and these are really hard things to do. So I don't want to say that they're easy. I think we talk about talent shortages every year, right? But I think sometimes we need to think about our leadership and our focus. And how are we leading? And how are we growing our orgs? This is thought-provoking, not provocative. But, you know, there's a lot of performative activism out there, you know? There's a lot of people that don't want to have the hard and uncomfortable conversations. They're avoiding having those conversations and are still kind of clinging to these, you know, stereotype-based recruiting that has created the industry that we have today, not realizing that the problems of tomorrow require the teams of tomorrow. And that takes a completely different approach. The talent is there, right? The diverse talent is being produced. The question is, are we, as organizations, selecting those people and giving these amazing people a chance?
Rob Duhart: I've seen it over and over again, Ann, right? And I think it's time for us to ask ourselves, why? I'll use an example, right? Our CISO, Jerry Geisler, you've known him for years. He famously started his journey in stores - right? - in Walmart stores and worked his way into the current role that he is today, an incredible technical leader in the cybersecurity industry. I would argue often that, you know, Jerry is a bit of an anomaly. And there may never be another Jerry. But at some point in his career, someone stopped and said, he has a gift, right? He has something. He has talent. There's something about Jerry that makes him unique. And they gave him a chance. To be honest, somebody did that for me as well, right? Jerry did that for me. A bunch of folks did that for me. And it's about time that leaders in our industry take steps to give folks the chance, right?
Rob Duhart: At Walmart, we have a program that we call Live Better U where we reach into our 2.5 million associates, roughly. And we help them, you know, earn degrees not just in cyber, but across multiple sectors. And then we offer opportunities to support their careers as they finish their education. That education is at no cost to them. And then we have members of our InfoSec team reaching out to these folks, meeting with them monthly, quarterly, mentoring them, giving them opportunities to shadow. So perhaps, we are finding the geniuses in our own backyard.
Rob Duhart: So I would challenge a lot of organizations in our industry, if you can, find a way to develop apprenticeship programs. A lot of these programs exist through organizations like Per Scholas and others - Year Up is another - where you can reach out, find talent that maybe doesn't look the way you think it does. Give them an opportunity to make a difference and I guarantee you, you will find your superstars. So my answer to you, Ann, is - you know what? I don't think we have a talent shortage. I think we have an intellectual honesty shortage. And I think we all need to be honest with ourselves and ask ourselves, why aren't we giving this amazing talent that's in front of our noses a chance? And how do we make those changes?
Ann Johnson: Yeah. And I'm with you. Look; I'll pine for just a moment here, you know? Someone gave me an opportunity. Here I am, you know, with a political science and communication double major, by the way, nothing STEM-related. My minor is in world history. And someone gave me a chance early in my career. And I had some wonderful mentors - right? - early in my career. That was opportunity. I would tell organizations and candidates that it's not enough to talk diversity. It's not enough to go onstage or to, you know, talk about it in social media. You need to dig deep and make sure you're actually walking the walk - right? - not just talking the talk, and that your organization is creating opportunities and going out there and finding talent. One of the things that I've done since I've been at Microsoft is I've done a lot of recruiting from the military, you know, transitioning military members...
Rob Duhart: Absolutely.
Ann Johnson: ...Because you get diverse folks. But you know what, Rob, they don't have to be security folks. They know how to work in a team. They know how to work under stress. We can give them the technical skills they need if they have the desire and aptitude to learn. And so find those avenues. Go out and recruit in places that are non-traditional. Don't just go out and recruit in all of the, you know, STEM graduates from Ivy League schools. If that's the only place you're recruiting, you know, you're not...
Rob Duhart: (Laughter).
Ann Johnson: It's not that you're going to get a not-diverse population in the traditional sense. You're going to get people that think alike. And one of the biggest problems we have in cybersecurity is we have this bias in how we think about problems. If you bring in those liberal art grads or bring in those people that may have not gone to college - right? - people with diverse learning backgrounds, they're going to look at problems differently. And we're not going to give those actors the opportunity to exploit that groupthink that we've created in cybersecurity. So I'd love to, you know, pull the thread on that. And one of the things that I've been exploring a lot in the past, you know, 12 months is that intersection between things like cybersecurity and disinformation, which takes advantage of that bias. Do you see - and it's both an intersection from actors, but also outcomes. Can you talk about how about - how you think about that?
Rob Duhart: I love it. I absolutely will and, you know, here. So I've led offensive teams across our industry and in government, right? And, you know, the greatest, most effective tool when we're running an operation isn't necessarily a killer exploit. It's usually exploiting the human mind, right? So when I'm sending a phishing email or when we were doing any type of exploitation, the technique that works the best is, really, exploiting the way people think and the biases that they have. So your connection point on bias and binary thinking to, you know, even the discussion of what we're talking about right now are very apt, right? And so the essence of exploitation in nearly every technical exploit that I've ever played with is really taking advantage of people and taking advantage of biases that humans have. We take shortcuts. And offensive cyber is often just about exploiting those shortcuts.
Rob Duhart: In the context of disinformation, disinformation is so profitable, right? When I worked for the government and studied this maybe more officially, you know, the folks propagating disinformation, they really don't have to lie. In many cases, they really just have to feed people what they already want to hear. It's not about truth. It's not about, you know, distorting the truth even. It's really just trying to take a message and repeating it over and over and over again until it often can become their truth. I think disinformation - like racism, like sexism, like homophobia - you actively have to challenge it and fight it, not only at a societal level, but at an individual level. And let's be transparent here. We, as technologists, play a huge role in helping to be on the front lines of managing and fighting against disinformation and the exploitation of bias. Our tools and technology that are used for good and are designed for good can also be co-opted for harm.
Ann Johnson: Completely agree. And I love what you said. It has to be fought at the individual level. You have to, and within your organizations - every time you see it, you have to challenge it and call it out in every meeting, in every conversation, of course in an appropriate and constructive way. But if you don't do that, it grows because it feels like it has an environment to grow in, right? Unchallenged, those biases and that behavior will grow because they feel like they can.
Rob Duhart: And it's hard, right? It's uncomfortable and it's challenging, but it's also very important.
Ann Johnson: And the other word I'm going to add is it gets to be exhausting (laughter). It can be really exhausting when you're the person in the room that's continually challenging, but you have to build champions around you. And you unfortunately - you also need to give yourself some grace. But you have to keep doing the hard work. It's a daily thing.
Rob Duhart: I love what you said - giving ourselves grace, right? People are people, but we all need to stand up for what's right.
Ann Johnson: Well, not to completely change, but to end on - you know, as we talk, I always like to be positive because I'm not a doom-and-gloom cyber person.
Rob Duhart: Of course.
Ann Johnson: You know, for every attack that makes the headline news, there's thousands we've stopped. So with that, what are you genuinely excited about and do you think is going to be a positive thing for the world of cybersecurity in 2022?
Rob Duhart: I love this question, Ann. And, you know, many of our organizations have been investing for years in technical capabilities that maybe some questioned, is that going to be valuable? I know here at Walmart, we have an accredited digital forensics capability. I've had one for years. It's really the jewel in the crown maybe, perhaps. So there's no secrets there. But it was built at a time when, you know, such a capability was a long-term investment versus something that was absolutely necessary. And I think something that I'm expecting in 2022 is for some of this expertise and some of these capabilities to absolutely become essential. And what I mean here, Ann, is that, you know, years ago, some teams invested in behavior analytics. Some teams invested in IAM. I'm not just speaking about Walmart. I'm speaking about our peers across the industry. Some people invested in insider threat. And I think in 2022, we're going to see those investments really starting to reap rewards. I'll give you an example. Our forensics capability helps our ability to identify in sandbox malware. No secret. But we built that before ransomware was even a thing, and now we're in a better position because of that investment.
Rob Duhart: So, look, I think a huge positive note is that the investment made by many security programs over the past two decades will really start to pay off. And honestly, a lot of CISOs, like Jerry and others and myself, we may be - we may feel a bit vindicated for some of our harebrained ideas two, three, four or five years ago that are really reaping rewards.
Ann Johnson: (Laughter) I love that. And it's so inspiring to hear you say that. Can you, as we end, just share with your listeners something that you're working on, something that you're super excited about?
Rob Duhart: Hiring, hiring, hiring, right? If you could see my video, I'd be emphatically pointing at the screen. Deeply passionate about the potential of building diverse teams to tackle some of the hardest problems in our industry, right? At Walmart, we're on a journey of growing and expanding our global teams in Bentonville, in Reston, Va., across the country, really, and in many other locations, as well. We are looking for diverse, talented team-first and team-oriented people to join us and change the world. We have major hubs across the United States, as I spoke to earlier. And we are looking for change-makers and industry leaders to join us on this journey. We need you. We're looking for you. Check us out on LinkedIn, and I guarantee you you'll find a role and a place for you to join the family.
Ann Johnson: You know, I love that. I love the opportunity - and I'm being quite genuine - to use this platform for recruiting because why not, right? Recruiting is an everyday job. So thank you. And by the way, I like to send the listeners off with one or two key takeaways that - of things that you think that they could do today to help their organization. So what are the one or two pieces of advice you have for your peers, as we wrap?
Rob Duhart: Remove friction for our end users and our business partners. Build strong talent pipelines for diverse teams. Again, beat the drum. Talk about taking a proactive approach for tackling issues in our world. I don't need to speak to what's happening in our industry today - all will know - but we have to start getting ahead of the technical debt that has been piling up across our orgs for many, many years. And the sooner we can do that, the faster we can continue to allow our organizations to move and deliver value while also being secure. Look, I'm particularly proud of our Walmart global tech teams because we do this well. But even outside of Walmart, there's no better time to enter this arena and no better time to join this journey.
Ann Johnson: Rob, thank you so much for joining me today.
Rob Duhart: Ann, always my pleasure. And I hear maybe I can give a shout-out to Mariah Pup and Landry, too. One of these days, we'll have to meet face to face.
Ann Johnson: I want to thank our audience for listening. We actually had a special - some special guests in the audience. I call them my supervisors, but they're my two pups, Mariah Pup and Landry, who were helpfully quiet during this recording. Join us again on the next episode of "Afternoon Cyber Tea."
Ann Johnson: I chose Rob Duhart to join "Afternoon Cyber Tea." I've known Rob for quite a while, and he is just this incredible voice in the industry - very, very, you know, technically experienced, understands cybersecurity, has a wide background, whether it was in government or within, you know, the private sector, and is such a champion and voice for diversity, taking action - not just talking about it, but really backing that up with constructive action. I knew he would be an amazing guest for our listeners, so I was just thrilled he was able to join.