Bridgeway Insights

An Interview with Tony Scott, former CIO for the US Government - Part two


Posted by Keely Brooks 18 June 2021

Following on from our recent webinar with Tony Scott on navigating the zero trust journey, Keely Brooks, Marketing Manager, and John Airey, Business Unit Director at Bridgeway, caught up with Tony for a two-part blog series.

Part one focused on Tony's history, with his top tips and advice on how to become a CIO. Here we follow up with part two, discussing why Tony thinks zero trust is the future and how the West can improve its cyber defence capabilities.

 
John: What about zero trust gained your attention and led you to want to implement the principles of it?
 
 
"Well, I think there's a couple of things that early on led me to that conclusion. The first one was just the realisation that with cloud and virtual machines and the growing dominance of software in general, that we were going to be in a world where the complexity would be so great that using traditional tools to manage it would be really hard to do.
 
Secondly, that the surface area is not only complex but is enormous as well. With networks, we've moved very quickly from a world where I interacted with a few very well-manicured connections to the outside world, and I could understand the activity that was going on with those connections pretty easily. In today's world, if you're an enterprise, you likely have hundreds of thousands of connections to the outside world, and they're very complex. It's your whole supply chain, it's all of your employees, all of your business partners, and there are tons of different things going on and you're working in the cloud.
 
You may have a bunch of stuff on-premise, and there's no human that can really understand all of those connections at once. So, you need automation, number one, and then when you start to look at that environment, you say, wow, because this is all connected in some way, I need a better framework or better rule set for what I allow. You need one thing to talk to the next thing in that complex environment, and so you pretty quickly come to realise that zero trust is the best way to do that, rather than making assumptions that everything is ok to talk to everything else.
 
I'll go back to one of the earlier questions (see part one of this blog series). We talked about my first experience with computers. It was pretty simple, it wasn't networked. The only input was coming from me on the keyboard, and there were zero security concerns around that environment because I was the only one who could get the software out in any meaningful way.
 
As soon as I eventually hooked that Apple II Plus computer to a network and connected another Apple computer to it, it occurred to me… ‘Oh my goodness! We are now in a different world!’ And so, I started thinking even back then about what all the implications are of these things being hooked together and saw a drone become complex and the surface area get great.
 
I just had this sense that the traditional approaches to security, whatever they were at the time were inadequate and really behind the power curve in terms of the reality of what we were doing on a business front. So, I kind of got there over time, but that notion was there pretty early on."
 
John: Once you came to that conclusion, and you knew that change had to happen, there's obviously going to be some quite big changes in the way that people were interacting with systems across the organisation. How did you get the people you needed to help, make the change, and how did you get them on board with the zero trust story?
 
 
"Well, mostly by telling stories and sometimes by using analogies. First of all, it's important to get your CEO on board, because without the CEO agreeing that this is good stuff and it's important, the board's probably not going to pay much attention.
 
Also, my peers. Again, you don't want to go into a discussion like that with your CEO and the board if everything else they're hearing is ‘I don't know what this is, and I don't think it's important’. So, it takes a little setup to happen in the right way, and then you can tell real stories of business impact and show areas where there could be vulnerabilities and investment is needed, as well as what's already done pretty well.
 
I think you really want to have a conversation and a dialogue and get their input as well. I can't tell you the number of times when I thought I had it nailed in terms of what was important from a business standpoint, and in the middle of the discussion there was an ‘aha’ moment among one of the people on the board or an executive committee and they would ask the question of ‘what about this?’ And it was something I hadn't thought about. And then I had an ‘aha’ moment, like, maybe that is a little more important than this other thing that I've been focusing on. We all have those blind spots and that's why you've got to have the dialogue."
 
John: What would you say was the biggest blocker in terms of introducing these principles? What's the main challenge organisations are going to come up against while trying to introduce zero trust?
 
"I think time is the biggest enemy. In all the corporate environments I've worked in, we've had processes, procedures, and governance. We were pretty good at all of those things, but the hackers that are attacking us and the bad guys, they don't have to observe any governance issues. They don't have to necessarily get approval from somebody, they're highly motivated to do the bad stuff that they're going to do.
 
So, I think time is our enemy and speed of action is critical, and we're always going to be in somewhat of a defensive position, I think, but we can be better if we have an architecture that's built to withstand a bunch of different kinds of attacks and is resilient, and all of those kinds of things. So, creating that is I think, where we should put our efforts as a defence against people who are not operating on the same timeline and with some of the same constraints that we have and there's strength in numbers as well.
 
So, if we do really good information sharing at a broad scale, I think that helps us a lot as well. There's an old saying… The police don't have to have the fastest police cars. You could have a Ferrari trying to get away from you, and you're never going to catch it with a police car, but the police have police radios, and if you have several police cars and information sharing, you can't outrun a police radio with a Ferrari. I think the same thing is true in our world. If we have good information sharing, the bad guys won't be able to outrun us collectively."
 
John: Would you say zero trust is becoming or will be considered the default security architecture and that we'll start to build a network by default in this sort of way?
 
"You may have seen recently that the Department of Defense here in the US has announced their zero trust framework. They have been doing some good work with NIST, and President Biden has just announced as a part of his executive order that zero trust effectively is the way to go for federal agencies and people that do business with the federal government. I think that puts an important sort of stake in the ground in terms of the future of this, and I hope in some ways it doesn't end the debate but accelerates our movement towards zero trust.
 
It shows that it’s time for action, let's get on it."
 
John: So, micro-segmentation is seen as an integral part of zero trust. Why is that?
 
 
"Well, I think it's one of the building blocks of a good zero trust framework.
 
Having an inventory of your assets, whether they're hardware or software and all of the things in between, is critical, but then defining trust zones is another layer of defence, and micro-segmentation helps you do that. And then, as I mentioned earlier, automation on top of all of that.
 
So, like anything that's well-built, there's a number of different components. Network segmentation is one of those pieces that can be a great part of that architecture, and I think a necessary one actually."
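The building blocks Tony lists above (an asset inventory, trust zones, segmentation between them, and automation on top) can be shown as one small policy check. The following is an added example for this post, not code from Tony Scott, Bridgeway or ColorTokens: it assumes a constructed inventory of four assets in four zones, an explicit allow list between zones, and a constructed flow-record format of `src dst port proto`; every asset name, address, zone and flow below is made up for illustration.

```python
"""Toy zero-trust policy check: asset inventory -> trust zones -> default deny.

Added illustration for this interview; not code from Bridgeway, ColorTokens
or Tony Scott. All asset names, addresses, zones and flow records are
constructed for the example.
"""
from dataclasses import dataclass

# Step 1: inventory. An endpoint that is not here is not trusted at all.
INVENTORY = {
    "web-01":  {"ip": "10.0.1.10", "zone": "dmz"},
    "app-01":  {"ip": "10.0.2.10", "zone": "app"},
    "db-01":   {"ip": "10.0.3.10", "zone": "data"},
    "jump-01": {"ip": "10.0.9.10", "zone": "admin"},
}

# Step 2: trust zones and the explicit paths allowed between them, as
# (src_zone, dst_zone, dst_port, proto). Nothing else is allowed, so a
# compromised web server cannot reach the database directly and the
# "everything may talk to everything" assumption is gone.
ALLOW = {
    ("dmz",   "app",  8443, "tcp"),
    ("app",   "data", 5432, "tcp"),
    ("admin", "dmz",  22,   "tcp"),
    ("admin", "app",  22,   "tcp"),
    ("admin", "data", 22,   "tcp"),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


_IP_TO_ZONE = {asset["ip"]: asset["zone"] for asset in INVENTORY.values()}


def evaluate(flow: Flow) -> tuple[str, str]:
    """Step 3: decide one flow. Returns (verdict, reason); default is deny."""
    src_zone = _IP_TO_ZONE.get(flow.src_ip)
    dst_zone = _IP_TO_ZONE.get(flow.dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint not in inventory"
    path = f"{src_zone}->{dst_zone}:{flow.dst_port}/{flow.proto}"
    if (src_zone, dst_zone, flow.dst_port, flow.proto) in ALLOW:
        return "allow", path
    return "deny", f"no rule for {path}"


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst port proto' record (constructed log format)."""
    src, dst, port, proto = line.split()
    return Flow(src, dst, int(port), proto)


def audit(lines: list[str]) -> list[tuple[Flow, str, str]]:
    """Step 4: automation. Run every observed flow through the policy and
    return those that would be denied: either a segmentation gap to close
    or lateral movement already under way."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            findings.append((flow, verdict, reason))
    return findings


# Constructed flow records, as a flow collector might export them.
SAMPLE_FLOWS = [
    "10.0.1.10 10.0.2.10 8443 tcp",    # web -> app: expected
    "10.0.2.10 10.0.3.10 5432 tcp",    # app -> db: expected
    "10.0.1.10 10.0.3.10 5432 tcp",    # web -> db: bypasses the app tier
    "10.0.9.10 10.0.3.10 22 tcp",      # jump host -> db admin: expected
    "10.0.1.10 10.0.2.10 22 tcp",      # web -> app over SSH: no rule
    "192.168.7.5 10.0.2.10 8443 tcp",  # source not in inventory
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict.upper():5} {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}  {reason}")
```

Running the script lists the three flows the policy would block. The point of the design is the order of the checks: membership in the inventory is tested first, then an explicit zone-to-zone rule, and only a match on both produces an allow; the same check is what an automated enforcement point would apply to every connection rather than trusting anything already inside the network.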
 
John: What can the West do to improve our defensive capabilities against the cyber aggressors? Like as we see China and Russia at the moment, and the splinter groups, obviously that aren't nation-state per se, but you know what I mean?
 
"Well, let me make a distinction between officially sponsored nation-state activities, which have a focus that's somewhat a little bit different, and some of the quasi-sponsored or unsponsored groups that happen to be resident in those countries. And so, I think of it as several layers of the same cake to some degree. There are shared tools and in some cases shared knowledge, shared financial responsibility even, but I think each of them needs a different approach, depending on what we're trying to accomplish.
 
So first of all, we've got to be good at what we do. Adopting zero trust is one of the ways to do that, but we also have to engage in the worldwide community to say, you know, just like we have throughout history, get some common agreement around what we should tolerate and expect, and what's intolerable.
 
It's pretty unclear still what an act of war is. For example, when it comes to a cyber-attack you can ask questions like ‘how much of the electrical grid or a water system or a gas pipeline would somebody have to take down before we'd consider it an act of war?’ We've historically always distinguished between nation-state actors and criminal activity, even though they might do the same thing.
 
I think we need to clarify that in this digital world and be clear to our world partners and our enemies if you will, where the lines are in that discussion. And so, I think there's ample opportunity at this point to do good work in that area and we should get on with it."
 
John: Would you say that as an open democracy, we're always going to be more vulnerable to attack than perhaps some of the less democratic, less open States and regions?
 
"I don't see democracy as the deciding factor in that necessarily, you can be just as vulnerable if you're a dictator as if you are in an open society. I think it depends a lot on what the practices are and the decisions that you make in terms of how you architect the technology in your country.
 
I like our system of encouraging innovation and providing innovation capital to create advancement in technology, and I think that's a lever that we can use to our advantage when it comes to that question.
 
I do think there are certain vulnerabilities that we have as an open society that wouldn't necessarily be the case in a more closed society, and we need to be cognizant of those and take appropriate defensive measures. Again, we need to strive for more global agreement on what constitutes acceptable action and what's tolerable in some cases, and what's not. I think we've not had enough focus on that."
 
John: Do you see any organisations that are on their way to potentially being that global organisation that can begin to implement these standards?
 
"I don't see any at the moment that are of the scale and at the right level of discussion, but I think it's getting there, and I'll just give you an example at a US national level.
 
About four or five years ago, there was a very small number of our elected officials that you could have a cyber conversation with who had enough knowledge that you could have a meaningful discussion. That small handful has now turned into a useful number and dispersed more broadly across the set of elected officials here in the US.
 
It's a much bigger issue than it was four or five years ago, even, and I think that's a good thing, when you can create awareness at those senior levels. I assume the same thing is true in a lot of the Western world, where more and more people are educated on this as an issue and see it as a potential threat to their economies or their livelihoods.
 
We'll bring this to the forefront, and so awareness then creates meaningful action at some point. I'm doing everything I can now to increase that level of awareness so that the right conversations can take place."
 
For more insight from Tony, as well as a live visualisation demo from ColorTokens, you can watch our recent webinar 'Navigating the Zero Trust Journey with Tony Scott' on demand now.

You can also fill out our contact form to have an informal chat with someone from the Bridgeway team and find out how we can help you.
 
Tony Scott, the third CIO of the United States Federal Government in the nation's history, is one of the world's foremost security and IT experts. Prior to his tenure as US CIO, Tony was CTO at General Motors and CIO at Walt Disney, Microsoft and VMware. He now serves as Chairman of The Tony Scott Group and is also currently a member of the ColorTokens board.