Their discussion covers:
- Juliana’s journey into IT and how that impacts her perspective as an industry leader today, as well as a look into her current role with Splunk
- How the public sector has changed over the years regarding digital capabilities and the cyber landscape
- Insights into how ransomware and other intrusions into government networks have impacted the public sector this year
- What the Biden Administration’s National Cybersecurity Strategy Implementation Plan (NCSIP) means for our nation and organizations serving our government
- Juliana shares her thoughts on strategic considerations for zero trust adoption, and whether partnerships between government and private companies could be the solution in helping address cybersecurity issues faster and more efficiently
- What she perceives CIOs and other IT leaders should be prioritizing right now, to be most resilient
Disclaimer: The Six Five webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded, and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors, and we ask that you do not treat us as such.
Patrick Moorhead: Okay. Hi, this is Pat Moorhead and we are live in Las Vegas, it’s Splunk .conf 2023. This is a great event. You can feel the energy around us. We’ve got people walking around, music playing, just a ton of fun, educational and informational. And hopefully you’re having fun watching the eight videos that we are shooting here at the conference. Daniel, how you doing, my friend?
Daniel Newman: Yeah, it’s great to be here at .conf. Always good to be in Vegas. Sweltering.
Patrick Moorhead: Yeah.
Daniel Newman: In the inside, air conditioning. I joke.
Patrick Moorhead: It’s so hot that you had to put a vest on and I had to put a coat on.
Daniel Newman: Pat, I wouldn’t care if it was 200, I’d still have this vest on. I think that people know that about me.
Patrick Moorhead: Do you have air conditioning built in or something?
Daniel Newman: Listen, it’s the tech industry.
Patrick Moorhead: Okay.
Daniel Newman: Now, I got to put my flip-flops on, thankfully they don’t see my feet, but this is how we do it in tech. And we’re here for security, so you got to add the hoodie layer.
Patrick Moorhead: A black hoodie is a requirement.
Daniel Newman: You’re a little formal, let’s just say.
Patrick Moorhead: I don’t know.
Daniel Newman: It’s okay.
Patrick Moorhead: Gary Steele showed up with a jacket, so.
Daniel Newman: Well, Gary’s Gary.
Patrick Moorhead: Okay. Alright. And I’m not Gary. So hey, we’ve been talking a lot about digital resilience here, this combination of security, visibility, and now it’s time to do the drill-down into the public sector. And I’d like to introduce a first time Six Five guest, Juliana. How are you?
Juliana Vida: I’m wonderful, thank you.
Patrick Moorhead: Yeah, great to see you, and thanks for coming on the show.
Juliana Vida: Well, thank you for having me. It’s a pleasure.
Patrick Moorhead: Absolutely.
Daniel Newman: Yeah, it’s great to have you here. Your background and your experience is fascinating.
Juliana Vida: Thank you.
Daniel Newman: And so I want to start there. Quite a few years into the public sector, military background. Talk a little bit about the journey that you’ve taken into IT.
Juliana Vida: Sure. Certainly not one I orchestrated or would be able to orchestrate again. Long story short.
Patrick Moorhead: It’s kind of like life.
Juliana Vida: Kind of like life.
Patrick Moorhead: Yes.
Juliana Vida: And it’s all about being agile and pivoting when there are opportunities to pivot and transform. So I joined the Navy out of high school to be a Russian linguist, and then an opportunity came to go to the Naval Academy. I did that. And then women were allowed to serve in combat, so I served on a combatant ship for three years. Then I became a helicopter pilot, and I did that for most of my career. I flew helicopters in different missions around the world. And the Navy sent me to the Pentagon to be an assistant to the Chief Information Officer.
Daniel Newman: Wow.
Juliana Vida: And I didn’t know what that was, or what that person did, and I quickly had to learn to be a good staffer and a good supporter. Turns out I’m a pretty quick learner, and it was pretty interesting stuff. So I wound up retiring from the Navy and continuing in technology first as a Deputy Chief Information Officer for the Navy, and then took a turn at Gartner, and now I’m here at Splunk.
Patrick Moorhead: It’s great. And first off, thank you for serving. I mean, whenever I hear experiences like that, I’m very thankful that it lets me do what I’m doing now, so I appreciate that.
Juliana Vida: My pleasure.
Patrick Moorhead: So doing this for 30 years, advising, practicing, you’ve seen the industry ebb and flow, and I want to specifically get your observations over the last 30 years, how digital capabilities and cyber have changed over that period of time.
Juliana Vida: Sure. And there are many things I could talk about, but I always want to talk about the triad of people, process and technology, because we often get stuck on the technology part. And particularly for the government, well, like any organization, it’s hard to manage that people and process and culture piece, not to mention the technology. But what I’ve seen in the public sector, thankfully, is a real opening of conversation, dialogue, and people opening the kimono that, I mean, even when I was in the Pentagon seven, eight years ago, there wasn’t a whole lot of sharing going on. It was a lot of empire building and it’s all about money. So it’s all about my budget, not sharing with you. A lot of that has gotten better. It’s not 100% better. So I’ll start there with that trust relationship, that’s gotten a lot better.
The other thing that’s really changed for the better is the openness of government to embrace and invest in commercial technology. I mean, I remember when I was in the Pentagon sitting in meetings, and the poor guy from AWS when it was brand new would come into the meeting with all the service level, the Army, big S, we call it, service, Army, Navy, Air Force, Marines, Chief Information Officers. And he would be talking about this commercial cloud thing. And it was like, we were going after him with pitchforks and torches. Like, “Get out. The DOD’s never going to do that.” And my oh my, how things have changed.
Patrick Moorhead: Yes.
Juliana Vida: And I’m so grateful, because we’ve got to. There’s got to be more of an embracing of commercial technology, and I think that’s the biggest positive that I’ve seen change over couple decades.
Patrick Moorhead: I love that.
Daniel Newman: And I think there’s obviously a continuum. There are still some things that really, we do a lot of work in the mainframe space, for instance, and there’s been this multi-decade… And you know the analyst world, you mentioned you’ve been in that space of analysts making these bold predictions like, “The mainframe is dead.”
Juliana Vida: Yeah.
Daniel Newman: One of the worst predictions made by analysts contiguously over three decades now. Or for instance, the public sector would never use the cloud. And that one is wildly wrong. Now again, there’s been a lot of concessions, and Pat, you like to do the hybrid cloud victory lap, I’ll get it out there for you. Pat called early the hybrid cloud, just so you don’t have to do it again.
Patrick Moorhead: Here. No, thank you.
Daniel Newman: No, I just want.
Patrick Moorhead: No, I appreciate that.
Daniel Newman: I knew you’d do it if I didn’t do it.
Patrick Moorhead: Thank you.
Daniel Newman: I’m kidding. I digress. I digress.
Patrick Moorhead: No, no, you’re right. No, I would’ve done that. You’re right.
Daniel Newman: But in all serious, we’ve seen how these things flow and ebb and then end up becoming a thing. You’ve also made some bold calls. Like I said, being from the analyst background, you realize, we always joke, we call it victory laps, but you get things right.
Patrick Moorhead: Yeah.
Daniel Newman: Now, calling that there would be more ransomware attacks probably wasn’t the boldest prediction you’ve ever made. I think we know that as tech becomes. But with all the technology and cyber and investment, there should be a point where it occurs. We’re not there yet. Clearly, we aren’t there yet. How are you seeing this evolve though? And especially, let’s take it through the public sector lens. Our government entities are vulnerable.
Juliana Vida: Yeah.
Daniel Newman: And what are we doing about that?
Juliana Vida: Well, first of all, I’ll go back to the prediction piece, and it’s always risky making those predictions.
Daniel Newman: Totally. Totally.
Juliana Vida: But in terms of ransomware, I’ll say we’ve unfortunately seen that that’s true. That that has continued, I’ll say specifically in the K-12 education space, our primary schools and our high schools, and also in our state and local governments. And because quite frankly, they’re softer targets. They often have the smallest budgets, they often are just struggling to get the resources that they need. And so unfortunately, that remains a challenge. But back to the openness and sharing of information across the federal government, now, we were actually seeing funding being earmarked for higher education or K-12 or state and local. So I would say what’s changing is that, in this administration anyway, the recognition that funding must come from the federal government and be pushed down to the state and local, that’s really important, because where else are they going to get the funding that they need to make these modernization and these upgrades?
So it’s slow progress, but it’s progress. And again, it just opens up a whole of government approach, like we’re all important, all agencies, all citizens and residents are important. And so the moving around of money and funding and policy guidance is really helping all of those agencies that just can’t help themselves all the time.
Patrick Moorhead: Yeah. I mean, the threat landscape, a lot more bad folks out there. What’s changed from my point of view, probably over the last 15 years, is that we have nation state budgets now that are utilized for the bad folks. We now have AI, and we’re in this AI spy versus AI spy type of thing that comes out. And the plus side is we’re digitizing areas like water treatment plants, dams, public utilities. And all of that has really, again, just a few, I’m sure we could list hundreds of reasons the fractalization of applications through APIs is just another way to do this. So I’m sure we can all agree that it’s getting more difficult out there.
Juliana Vida: Yeah.
Patrick Moorhead: Last week, the Biden administration passed the NCS implementation plan out there to help address this growing threat. Can you talk about what this means in a security landscape, and what it might mean for large governments and state and local governments as well?
Juliana Vida: Sure. Well, we are really happy to see the administration continue to put out guidance and often the funding that goes with it, because it shows that it’s a priority truly at the national level, and across all agencies. It’s not just the IT shops. It’s not just the technology leaders in the government. When it’s coming from the administration as a, “Thou shalt do this across the government,” that adds a lot of justification that agencies need when they go try to get funding, or when they’re trying to get support from Congress. Having that top cover of that policy level is absolutely critical. Because without it, there’s too many other priorities that people are trying to shuffle around resources and money towards.
So what it means for the agencies with the implementation plan is a little bit more, I won’t say specific guidance, because the implementation plan is still pretty broad, but it provides these buckets of focus. Not just for the agencies, but for the industry side, for us to come and say, “There’s these 65 implementation items in the plan, or in the implementation plan. Our expertise can help you with 10 of them. And our vendor partner over here, they can help you with five of them.” And at least it gives agencies a place to go. Because coming from the government side, I remember, even if we wanted to have conversations with industry, there’s so many, where do you start? And often, that just leads to the same companies being able to support the government. So I think that’s what it does. The implementation plan allows, it puts a little bit of structure behind where agencies can go for help, where technology can support, and take away a little bit of the fear, uncertainty and doubt of, “Oh my gosh, what are we going to do?” It’s moving in the right direction.
Patrick Moorhead: Right. If nothing else, giving a common nomenclature, because I mean, security has its own dictionary of its own.
Juliana Vida: Yeah.
Patrick Moorhead: And I think it’s very similar, but even to get people on the same page in terms of what are some of the definitions? What are we talking about here? And also, where can vendors focus in and relate to NCS as well?
Juliana Vida: Yeah. Yeah, that nomenclature point is so important because you’ve got to be able to make sense to the average person who is making budget decisions or policy decisions. And largely, they don’t come from a cyber, they don’t have a CISSP.
Patrick Moorhead: Exactly.
Juliana Vida: They don’t come from a security background.
Patrick Moorhead: Yeah.
Daniel Newman: So a lot of this plan, as I understand it, has to do with moving to zero-trust. Used to be trust but verify. Now it’s, we trust nobody ever.
Patrick Moorhead: Yeah.
Daniel Newman: And of course, the validity of that is, if you take that approach, you have a very low risk because you’re basically checking every single thing. It does contradict some of the cultural and digital transformation norms that we’re all about people, process, technology, and buying into people. But in a world where one breach can take down your grid, it can take the water, planes fall out of the sky, things like that, we do need to be more careful than ever before.
So I’m going to try to put a couple questions together here. As it pertains to this cybersecurity implementation with what Biden administration passed, and then more in general across the public sector, talk a little bit about this whole zero-trust movement. What’s your thoughts? Is this the right plan, and is this something the agencies are going to be able to cope with?
Juliana Vida: It’s like making a prediction.
Daniel Newman: Yes.
Juliana Vida: Do I think that the administration got it right? Yeah. I mean, yes, I think zero-trust is the right approach. The right approach. What we call it is different. People are always ready to poke their fingers at, “Oh, you’re just going to use that buzzword.” Well, we have to call it something. And so for zero-trust architecture, of course, as you all know, but as a refresher, it’s breaking down, it’s dissolving the old way we thought about security, the castle and moat, there’s only one way in, and if you keep people from getting in, then you’re safe.
Patrick Moorhead: That’s right.
Juliana Vida: We know that that’s just not true anymore. And so that zero-trust architecture provides an element of, there are several different doors that people, entities, networks, whatever would have to get into. So if we do our best to protect all of those entry points, then that’s how we can manage the risk the best. Is it going to be 100%? No. Are people going to find a way around it? Yes. But it’s better than having a single point of failure approach. And in terms of the public sector, this is where I like to talk to customers about why should you care about this? Not because it’s the latest security trend, but because it’s going to help you, Agency XYZ, provide better services to your citizens. It’s going to prevent fraud, it’s going to save money because you’re preventing fraud. And all of those things that leaders care about, they can easily be tied to zero-trust because we all live this in our personal lives.
You think about your banking, I wouldn’t want to think that if I just put my pin in on my banking app, that all is good to go. Absolutely not. I want to make sure that my bank is checking on the logs and checking on their network health and all of that. So I think it is the right approach, and it’s certainly going to morph and it’s going to change. But goes back to the embracing of commercial technology on the government side, there are many, many providers out there that are working, we work together. We’re frenemies in a lot of spaces with other vendors that we provide this part of the zero-trust architecture and this company provides this much. And when we work together, that’s when we deliver the best results for not just the agencies, but for all of us, all of us consuming those services.
Patrick Moorhead: Yeah, I completely agree on working together. It takes a village. Because what’s happening now is, the complexity of security is going up, which typically means that there’s a lot of very focused vendors, some call it one-offs. And then there’s some who are going to be the catchall, “Hey, I’m going to integrate all this stuff on our own.” And what a lot of security experts are finding that the time to integrate those best-in-breed, sometimes they’re on the second or third revision back of what was best-in-breed, and they’ve even opened up security holes through integration.
And I’m curious, a great conversation about zero-trust, and also like we’re in reality mode that also says, “When they get in, what we do,” and then, “How do we get them out?” And then, “How do we get that data back and recover?” That’s just this idea of, “Nobody’s going to get in, and that’s how we’re going to do this.” I mean, it kind of worked for 20 years, but they got in and then we didn’t know what to do and get them out. And then once they took all our data and took it hostage, we then didn’t even have a playbook for that. So thankfully we have ransomware protection and things like that, but I want to uplevel zero-trust. What sort of strategic considerations at the highest level do CISOs and government agencies need to be considering for this?
Juliana Vida: I think back to people, process and technology. The people in an organization are just as important in the protecting of data and all the technology that they have at their fingertips. And speaking for the federal government, the vast majority of people who work for the government do not have, they don’t have a baseline of knowledge or understanding or education about their role in being a good steward of that technology. So one strategic consideration I truly believe in is an upleveling of just the basic understanding of people’s role in resilience. In preventing things from happening in the first place, and then when something does happen, how do we fix it, and then how do we get our data back? Yes, there’s been cybersecurity training that’s required for agencies, and you have to go through this training once a year, but it is so woefully inadequate.
I think it’s past time for us to be thinking about people’s understanding of data, just as we all understand about how to use electricity. So I use the example of, in your house, you know what those three holes are in the wall, and that you shouldn’t put your finger in them because it might hurt you. Do you have to be an electrical engineer? No. Do you have to have a background in electricity? No. But we are taught through our entire lives that that can hurt you. And I think we’re at that point now, you don’t have to be a data scientist to know that, going beyond just changing your password, what does it mean when you’re downloading these apps and checking off on the privacy box that you don’t want to read? I think that upleveling of the average worker’s knowledge can help towards the zero-trust, because there’s the technology piece, yes, but people use technology. And so I hope that leaders continue to put money and resources into that upleveling and upskilling. Otherwise, the technology can advance all the… It can advance beyond what we’re able to use.
Daniel Newman: Well, they say what’s old is new, and generative AI, remember those little books, CliffsNotes?
Patrick Moorhead: Sure.
Daniel Newman: Generative AI is like the CliffsNotes. It’s just a different way of.
Patrick Moorhead: I mean, not that I ever used them.
Juliana Vida: No, sure. Of course not.
Patrick Moorhead: It was my friends in high school.
Daniel Newman: I used them all the time. Now, there was, again, your parents would tell you that wasn’t smart because the old way was you had to read the whole book and you had to walk uphill to work both ways. And it’s like, “Oh my God, I invented the wheel. Holy crap. I can roll to school.” It’s okay. And generative tools can give us the capabilities to maybe. Because the privacy things, I’ve been joking about the privacy box. I’ve been joking about that for a long time. I don’t read them. Nobody reads them. And by the way, the companies depend on the fact that nobody reads them to be able to harvest your data. And so something like a generative tool could be like, “Give me the generative cliff notes about what did I just commit to?”
A lot of things could be done, by the way, these could be government-driven policies to say, “You have to do a cliff note version, a generative version.” The mortgage disclosures, all the things that’s really messed up society is when lawyers, politicians write 5,000-page bills that no one’s going to read, and it ends up. So anyways, I digress a little bit, but.
Patrick Moorhead: Wow, Dan, you’re swinging out there. But I know you’re coming back with something.
Daniel Newman: Well, these shows are more interesting when you go out there.
Patrick Moorhead: I feel it coming back.
Daniel Newman: I’m about to do a victory lap on something I once predicted as an analyst.
Patrick Moorhead: It’s important.
Daniel Newman: I’m just kidding. I wouldn’t do that here. So public-private, though, partnerships are a real course of debate. The most capitalistic thinkers will tend to think that public sector can’t do anything faster or better than private. But the truth is, almost every society benefits from having a public sector and infrastructure. The amount of public involvement can be debated. How are you seeing those partnerships being put to use to really add more utility and value? Because I think that’s where a lot of people are flustered is how much do we invest, how much do we get out? But public-private could really help drive better outcomes, yeah?
Juliana Vida: No, absolutely. Because again, back to how the public sector has advanced and this embracing of commercial technology, I think that was the stepping stone to this public-private engagement. Because there has to be a level of trust. And there wasn’t that trust in the past that, and even now, we have customers who just think we’re out to just take all their money. And that is, we all live in this world. We all want ourselves and our families to be safe, and we all want to participate in making the world safer. And I think the government believes that now, more than they did before. And so the public-private partnership is critical because going back to whatever the stereotypes are about public service, I say the good news is that generally people who join the government and they’re public servants, they don’t go anywhere. They stay in their jobs forever. The bad news is also that they stay in their jobs forever.
So as long as you take the two of those and you combine them with, they stay in their jobs because they’re public servants, because they care about this country and care about whatever country it is that they’re working in, they have domain expertise that industry will never have. And so if we can tap into all that greatness of the public sector and amplify it with the technology enhancements and the digital transformation and the innovation and the investments that we can make, that’s where the magic happens. And I think now there’s more examples. It’s not a first-mover advantage anymore to be in a public-private partnership because there’s so many. And I just think Ukraine is a great example of how the war is progressing and how the Ukrainians are being successful, because they needed that injection of support from the outside commercial industry. And that’s just one example. So it’s gaining ground, absolutely, but that trust piece, it’s going to always need some work. But it’s better than it was 10 years ago, and certainly better than it was 20 or 30.
Patrick Moorhead: Juliana, I’ve really enjoyed this conversation. We’re coming up on time, but I want to ask you one final question. It’s one of these, “If you walk away with nothing else other than this, pay attention,” what should CIOs be prioritizing right now? What’s their hit list to improve their digital resilience?
Juliana Vida: No question, there has to be continued investment in modern cloud architectures, hybrid cloud environments. There are too many agencies still spending money and time caring and feeding for legacy technology that is just not going to get them, they’re going to fall even further behind. The technology is proven, it is ubiquitous across the public sector and the private sector. There are many examples that CIOs can look at for stories of success. It is way past time to keep hoping that your legacy technology and your infrastructure is going to help you. It is not. It’s got to be cloud modernization.
Patrick Moorhead: I love that. That’s actually even better than a hit list. It’s literally the number one thing, which actually people appreciate even more. And the great news is, I mean, I agree 100% with you, and by the way, going cloud doesn’t mean it’s always going to be out of control and out of you. You can have a cloud model sitting right on your premises as well.
Juliana Vida: Yep.
Patrick Moorhead: Great. Great.
Juliana Vida: Excellent.
Patrick Moorhead: Yeah, good feedback.
Daniel Newman: And of course AI, but we’ll come back to that later. Juliana, I want to thank you so much for joining us here on the Six Five. Hope to have you back soon.
Juliana Vida: Oh my gosh, it’s been my pleasure. Thank you.
Daniel Newman: Thanks. All right everybody, you heard it here, we are at .conf here in Las Vegas for Splunk’s 2023 event. Pat, it’s been a good one here.
Patrick Moorhead: Yeah.
Daniel Newman: There are so many more. We hope you tune into all of them. Hit that subscribe button, join us here for the Six Five On the Road, and of course all of our other episodes. But we got to say goodbye for now. We’ll see you all soon.