Data Governance and Digital Transformation in the Public Sector
A recent Kitecast episode featured Chet Hayes, the Chief Technology Officer at Vertosoft, who discussed data classification, data governance, and the role of AI in cybersecurity.
Vertosoft’s CTO Chet Hayes is a technologist at heart and has kept his finger on the pulse of the public sector for much of his career. Early on in his career, he cut his teeth in technical software architecture roles in organizations such as Sun Microsystems, Hughes Information Technology, and BEA Systems. Based in Virginia, much of his customer-facing work was with the federal government. For the past 15 years, Hayes has worked in various senior leadership positions serving the public sector. While government organizations face many of the same technology challenges as private sector organizations, they also have unique requirements. Federal government agencies and their supply chains, in particular, tend to be ahead of the private sector when it comes to the use of cybersecurity frameworks. In this Kitecast episode, Hayes discusses how the NIST CSF, CMMC 2.0, FedRAMP Authorization, and other federal cybersecurity standards are driving the adoption of zero trust and other security best practices. Discover what he thinks are some of the biggest security opportunities and challenges facing the government sector today and how data privacy exposure risks play into both components by listening to this podcast.
Patrick Spencer 0:24
Welcome, everyone to another Kitecast. This is Patrick Spencer, your host for today’s show. I’m joined today by Chet Hayes, the Chief Technology Officer over at Vertosoft, which is one of the partners that we have here at Kiteworks. And I’m really excited to speak with you today. Chet, thanks for joining me.
Chet Hayes 0:42
Patrick, appreciate it. Looking forward to the conversation.
Patrick Spencer 0:45
Now you have a background, you and I were speaking beforehand, and our paths have sort of crossed; we know a lot of folks who we worked with at Sun Microsystems. I don’t think the two of us unfortunately ever had a chance to meet when we were there. But your background has evolved over the years. Obviously, a technologist, you were in the Sun Java Center when you were over at Sun 15, 20 years ago. We’re both getting old, I hate to tell you.
Chet Hayes 1:16
That was a long time ago.
Patrick Spencer 1:17
And we might talk a little bit about that Sun background because I assume it probably feeds some of the things that you do today, as the CTO over at Vertosoft. You were one of the founding members of the company back in 2016. Tell our audience a bit about, you know, why did you start the company and what does its charter look like? And what do you guys look like today?
Chet Hayes 1:36
No, I appreciate that. Yeah. My background largely has been both on, I’ll call it, the software development side, as well as the product management side for both commercial software companies and focused on the public sector. And back after Sun Microsystems, I joined a company called BEA, another one of those companies that was acquired by Oracle, but it was all about the, you know, the Java application server at the time. And while there, I met Jay Colavita; we worked together. And that’s where we first met, and Jay is the main founder of Vertosoft. And, you know, we got along well, and when Oracle bought us we both went our separate ways. We were friends, we stayed in contact, and after that he was at IBM and AmEx and I was at SAIC and some other smaller integrators. And Jay realized, in terms of what he was doing, he saw all these small companies coming to these big resellers trying to get help, that they weren’t set up to help these emerging tech companies. And on the flip side, when I was at SAIC, we were always looking for the next best thing, these emerging tech companies that we could use on a program to try to give us a good competitive differentiator in our bids to really help us win. And I remember one day we were having lunch at McCormick’s there in Tysons Corner off of West Park and Jay’s like, “I think I got this idea.” And a few years later, everything sort of gelled around that. And in 2016 Vertosoft was born, with really our focus being helping these emerging tech companies who really don’t know how to do business with the government to help them crack that market. And at the same time, we work with the system integrators and the government to bring some of this emerging tech into these organizations to really both impact the mission from a government perspective, and help the system integrators, give them a competitive differentiator in their bids. Interesting.
Patrick Spencer 3:51
Now, I assume, you know, many of the, the partners, the channel partners that exist out in the marketplace for the technology companies, the founders, and the folks in your role probably don’t have the breadth of technical experience and expertise that you bring to the table as the CTO with your Sun Microsystems background that we talked about, and so forth. That gives you an advantage because you probably have a better grasp in terms of how that technology works that you’re trying to integrate for these government agencies.
Chet Hayes 4:22
Well, I hope so. That’s why they come to us. One of the things I think that we do well is we understand how the government issues RFPs, how these projects work, we understand how the system integrators look to go to market. And so when a product company comes to us and says they need some help, they’ll explain to us how their product works in terms of bits and bytes of, hey, we can do X really well. If it’s machine learning, we can generate models faster than X or whatever it is, but we can take that and turn that around and translate that into the IU hook that means for either the agency or the integrator to help them position themselves in terms of, here’s how we’re going to, you know, win that contract. And so understanding how that fits into the broader ecosystem, who it has to integrate with, I think we provide a lot of value in that, and how to help them take their marketing language and turn it into proposal language, so that at the end of the day, they come off in a better position to win.
Patrick Spencer 5:29
You bring up an interesting topic, this topic of integration. You and I’ve been around a long time. Everyone’s talked about it for years and years and years, right? Everything sits in its own silo, everyone has a new solution, we’re going to break down all those silos, and we’re going to integrate everything, you’re going to have one dashboard, one view, one throat to choke, and so forth. Have we made progress on that front? Where are we at? You know, and where is the government at in terms of realizing that bigger vision?
Chet Hayes 5:56
I guess I would say progress is getting made, but there’s still a long way to go. Right now we’re seeing a lot of activity around the concept of governance. There’s a lot going on in the machine learning, artificial intelligence space. Again, if the buzzword at least of today, you’re hearing these things called data lakes and data fabrics. Organizations are trying to get their hands around all this data. There’s this data sharing, how do you get data from one agency to another agency securely? So it’s all coming in that Genesis of rent, how do you govern it? How do you make sure the provenance is good, the pedigree is good, that this is really the right data? So we’re seeing a lot of activities around that across all agencies, both civilian and DOD, and the IC. But I still think there’s still quite some way to go.
Patrick Spencer 6:53
And you’re talking about all this data, it’s unstructured, some of it’s at rest. Some of it’s shared between systems, shared in different ways, emailed, file sharing, managed file transfer, web forms, a variety of different ways, FTP, all that sort of stuff. Yeah, exactly. How do you protect all that when it comes to governance? You know, you’re seeing some progress, or there’s at least a focus on using governance controls and tracking in a centralized manner, that probably reduces your risk, both risk in terms of cybersecurity, as well as, you know, the compliance regulations that are out there, because the agencies, their feet are being held to the fire. And we’ll talk a little bit more about, like, Executive Order 14028 and CMMC, and so forth later on in the podcast. But you know, what’s happening on that front, from your vantage point?
Chet Hayes 7:41
You know, we’re, again, buzzword compliant, we’re seeing a lot of talk around zero trust. Organizations realize that the, call it the old school way of creating the hard outer shell, the castle-and-moat type of thing, right, you build this perimeter that you try to make secure, and then anything inside, anybody who can get in who’s on that trusted network, if you will, should be trusted. And so we’re seeing a lot of activity around realizing that that’s actually not a good approach. So you’re going in and moving, saying, okay, just because you’re on the network doesn’t mean you’re going to be trusted until you go through a variety of different things. So zero trust is a big thing right now, in terms of data access. We’ll probably get to it as we talk about maybe some of the other stuff. But I would say the architectures today of what we’re seeing, especially with the advent of 5G, we’re seeing the data center expand out from actually the four walls of an organization out to the edge. And as the network pipes get bigger, organizations are trying to figure out how do we govern and secure this data, whether it’s within the data center, or whether it’s out on some mobile device somewhere in a theater of operations. So a lot of activity around those things right now.
Patrick Spencer 9:05
We’re getting ready to work on our annual survey report that we produce here at Kiteworks. And one of the areas of questions that I’ve formulated is in relationship to data classification. So you have these government agencies that have all different types of data. It’s unstructured, it’s spread all over the network, like you just said, lots of different applications, lots of different content types. Where’s the government at when it comes to classifying their data? Is it still a manual process? Is it automated? Or are we still we still need to start that process? Where are we at?
Chet Hayes 9:39
Somewhere in between that, depending on the organization. We’ve worked with a couple of different organizations where they have rolled out an enterprise data catalog, where they have done a pretty good job of collecting to understand where or what all the data they have. They’ve been able to provide some guidance to the fidelity of that data, is it good, bad. They’ve been able to say, hey, if you need to get to this type of data, here are some standard queries that we’re going to put out there that you know how to get to. So data governance has come a long way, I think we’re some ways to go there. We’ve worked with the Advana program, where they have, you know, an enterprise data catalog that’s there largely around initially financial data. So organizations who are trying to, you know, work with, like, unmatched transactions and some other stuff, that data is going in there, and people can figure that out. So, again, depends on the organization, some are more mature than others. But I think people are understanding that, hey, we need to get there, we need those types of things to get us there.
Patrick Spencer 10:45
I assume that’s a foundational element when it comes to protecting your data and ensuring that you’re in compliance, you got to know what types of data you have and where it resides. To start with.
Chet Hayes 10:56
Yep, you got to know where it’s at, you got to understand where the system of record is, you have to understand how it moves. There’s a lot of conversation that we’re hearing about data in motion, you’ll hear different companies talk about that type of architecture versus focusing just on, you know, standing data. But in order to be effective with that, you have to understand what that data is, to your point, the data classification. A lot of it is still unstructured, being able to process that, being able to manage that, know where it’s at. Yeah, again, I would say the industry and the government itself is making strides on that, we’re seeing lots of activity around that. But I think even this next year, I think we’ll see a lot more focus on that as well.
Patrick Spencer 11:47
You mentioned artificial intelligence, do you foresee that AI will be used in that arena? And what other areas when it comes to cybersecurity and governance, do you foresee that AI will play a critical role?
Chet Hayes 12:00
Yeah. AI is definitely here to stay. I would say if you’re not doing or looking at some form of machine learning or AI, you’re probably behind the times, regardless of what space you’re dealing in, whether it’s security or anything else. You know, about data classification, obviously, AI is used heavily in that. There are several tools out there that are quite interesting in terms of their ability to do basic entity extraction, doing link analysis, building out these very complicated relationship models from a graph perspective. We can talk about, you know, the current buzzword right now, ChatGPT, from OpenAI, and some very fascinating things that they’re doing on the generative AI type of approach. But on the cyber side, you know, a lot of organizations are using machine learning to help identify, you know, call it security events, what’s something broken or something not broken? And we’re seeing a significant uptick in that.
Patrick Spencer 13:06
Well, you brought up an interesting subject. I actually published a blog earlier this week on ChatGPT and how cyber criminals are using it already. It’s been outlet. Took them about two days before they figured out that it was something they wanted to use, and so much for those guardrails that were put in place right beforehand that would prevent cyber criminals from using it in a malicious manner. They figured out the workarounds, which they always do, right? But ChatGPT has been successful because it does take a different approach to AI, as you well know, and it actually involved humans to vet that whole process when they did the supervised learning. You think that’s right, we’ve heard a whole bunch about AI, you know, for years, right, and you had sort of a quiet period in the 1960s and 70s, where, you know, they found that humans were actually more effective than the AI technology that they were using, right, and the machines, and they cancelled a few AI projects, and then IBM and others resuscitated it, and we have deep learning, you know, which delves into, you know, identifying trends and analysis, psychographic profiling, a bunch of other cool things that you mentioned. But when it comes to cybersecurity, do you think that supervised learning aspect, it’s going to have to involve both machine and the human to really tune it to the point where it’s as effective as we’re seeing with ChatGPT today?
Chet Hayes 14:32
My gut says yes. I think from a cybersecurity perspective, organizations who are using machine learning are going to actually have to have a strategy around how to protect their models, the model integrity. There’s been, I would say, some fair amount of research as of late as organizations are trying to, as we deploy these models, right, they’re trying to figure out, okay, now that we got them, how do we prevent, especially in this situation where we’re looking for model drift or data drift, and we’re continually training the model, how do we prevent somebody from interjecting data that potentially could tweak the model one way or another to be a detriment? So I think, from a cyber perspective, you know, I think it goes back to the data fidelity, and the data pipeline, and controlling and managing all that, and securing all that I think is going to be critical. And I think humans are going to have to be part of that at this point to help keep that all in check.
Patrick Spencer 15:41
And I would assume, you know, anomalies that crop up with your data at rest, suddenly, a bunch starts moving out of your environment, or you see a lot of changes happening in an area where, you know, no changes have taken place for years, over a period of time. For that, which is at rest, but then that which is in motion, you pick up on anomalies as well, so that you can become rather than reactive from a security standpoint and become much more proactive. What’s your, your view on that front?
Chet Hayes 16:12
No, I think you’re spot on in that analysis, right? You know, with some of the tools that we have, you can quickly identify data exfiltration much easier, right? It’s like all of a sudden, we’re seeing this, you know, traffic anomaly, where all of a sudden data happens to be going out, we’ve got it, we should be able to do something with that. When you start thinking about going back to the whole concept of zero trust, and instead of just encrypting and protecting the transport layer, everything’s encrypted. So whether somebody can have to transport that, if they’re getting the data, the data itself is encrypted, it makes it much harder to lose the crown jewels out of an organization.
Patrick Spencer 16:56
Now, the government, you spoke about zero trust, you know, it’s got to be broader than just the network, it’s applications, we argue it’s got to be content as well, as you know, you’re a Kiteworks partner. With Executive Order 14028, which probably everyone in our audience is familiar with, and we’ve had a couple, three or four different addendums, we keep piling up, the paper gets taller and taller, as often is the case when you talk about the government. It embraces this concept of zero trust; with those addendums it adds more and more to the fray. You know, how successful do you think we are on that front? I think the implementation deadline is, you know, still a couple years away. Where are we at? Do you see some further evolution on that front?
Chet Hayes 17:41
Yeah, definitely the zero trust, again, we’re seeing every organization at least try to do something with that and try to figure out where they’re at, what they need to do. So I think, I don’t think everybody’s going to get there in a couple years, I think it’ll be above and beyond that, but at least they’re moving that direction. To add on to that, to the Executive Order, one of the more interesting things that has sparked a lot of conversation right now is the concept of the secure supply chain, which ties into that whole zero trust aspect of it. But specifically, with the concept of being able to generate a software bill of materials, we are seeing a lot of interest in that. Both, you know, CISA has got a working group about the SBOM activity. We’re seeing contracts, these large GWACs that are coming out, they’re putting the secure supply chain language inside these contracts. And as these two things come together, especially this concept of SBOM, it’ll be an interesting time for software companies who are building software that they want to sell to the government on what’s going to happen with the whole SBOM thing. They’re going to be forced to generate it and provide it. Lots of conversation around that. Now we think that’s very interesting for a lot of our manufacturers going forward.
Patrick Spencer 19:05
Yeah, CISOs is certainly a year and a half ago, talked a lot about it with the SolarWinds hack, but then there’s been a bunch of others when it comes to supply chain.
Chet Hayes 19:17
The Log4j thing was probably the most recent and one of the things that’s really kicked that conversation back into gear, the Log4j, most recently.
Patrick Spencer 19:24
Yeah, now you’re spot on there. You know, when it comes to data privacy regulations, in Europe, they have GDPR. But then in California, we have the one that was passed there a year, a year and a half ago. Now this year, we have four more states, Colorado, Virginia, Utah and Connecticut, I believe I remember the four, that are implementing their own. I think one went into effect at the beginning of the year. The last one goes into effect at midnight on December 31, I believe. You know, that’s at the state level. What implications does this have for software vendors or for just, you know, government agencies in general, or entities that are aspiring to conduct business in those states? I assume you have clients coming to you, and they’re asking you, what do we do? And do you foresee, the second question, in the long run, it’ll actually get a national data privacy law, so we don’t have 50 different regulations that we need to try to figure out?
Chet Hayes 20:23
Yeah, this is, we’ve had lots of interesting conversations around this, right? I mean, historically, excuse me, historically, the US has really been, well, we’ve allowed organizations to collect data, and we’ve done it more on a harms prevention basis, right, you can collect it, you know, you think about things we sent around HIPAA, and there’s the, what, the child online privacy Prevention Act, COPPA or something like that. And there’s another one with the Family Educational Rights, there’s a few like that, but we allow this. And these are written so that it’s all about preventing harm, if something were to get leaked. If you look at these laws that are coming out now, the total of five, they are more modeled on, you know, the EU’s GDPR type of laws. That approach is, instead of a harms-based type of approach, more of a rights-based approach where, effectively, it says the individual owns their data and has the legal right to determine what happens with that data. It’s a very different approach. And that’s going to force organizations and self-organizations who collect this data to think differently about how they collect it, how it gets stored. And if it’s getting transmitted, all these things they’re going to have to think about in order to make sure that they are compliant with it. And I actually believe, I think you alluded to it as well, I think these five are just the tip of the iceberg. I believe that we will see several more states adopt it. And to your point, I think there’s already been conversations around a national bill to try to codify that and have more of the user right type of approach to get the data.
Patrick Spencer 22:10
Well, we’ve had even the federal government, with one of the recent executive orders that I think was issued last year, attempting to accommodate the EU and some of their concerns. So there’s reciprocity, I think, right? So we’re seeing some of that, but you can only do so many executive orders without bringing Congress into the fray, right, and getting has teeth in it. There’s a lot being talked about around some of the regulations, you know, we’ve had SOC, we’ve had ISO for quite a while, you know, NIST is really seemingly coming to the forefront as the cybersecurity framework that the government wants to embrace. And then that obviously filters down into the private sector as well. What are you seeing on that front? And, you know, is it being baked into all these governance standards? Which one do you need to follow, or all the above, and does it vary from agency to agency?
Chet Hayes 23:12
It’s a good question. It’s fascinating. We’ve been watching all throughout CMMC, right? That’s been out there on the DoD side now for several years. It’s gone through a couple, you got 1.0. It’s gone through a couple of machinations. Now we’re in CMMC 2.0. There was a report just recently where I think the rulemaking on that is going to take a little bit longer. So it may be still yet another year before we see that actually become a formal rule. But the goodness with that, and to your point about NIST, I think it has been around a while, if we go back and we look at this point, you know, 800-171, and even 800-53, right, if you’re following those, 800-171, you’re probably in pretty good shape. We know a lot of our software vendors, they’ll come to us and they’ll ask us, well, hey, what should we be doing? And a lot of them are going down the SOC 2 Type 2 avenue. And that’s a reasonable approach and a good approach, especially if they’re SaaS-based, because that will be a good starting point when they start moving into FedRAMP. The fact that they’ve got that foundation, that’ll help them with their FedRAMP activities. But we always tell anybody outside of that, go back and look at 800-171, because if you’re doing that you’ll probably have the majority of what you need, and you’re supposed to, if you’re doing stuff in the DOD, you should be doing 800-171 anyway, but it’s a great starting point for them to look at, and even CMMC 2.0, the baseline of that, they went back and mapped it to the NIST controls there. So I think that is a great, good place to start for most software companies.
Patrick Spencer 25:02
Well, you brought up CMMC, that’s a good segue. That was my next question for you, actually, when you deal with a lot of DOD suppliers that are coming to you probably needing help, your guidance in terms of what technology stack they should put into place. We had a webinar this week, actually, and there’s an interesting data point that I called out. I believe it’s, like, 71% have done their self-attestation for level two. Or it’s, of those who’ve done self-attestations, 71% say they’re compliant. For those that have gone through the DoD, 29% say they’re compliant. That’s a huge gap when you think about it, right? There’s an overconfidence, it sounds like, probably, and maybe they need to be looking to system integrators and experts in this space to help guide them through the process, it sounds like.
Chet Hayes 25:02
Yeah, one of the things. Yeah, absolutely. To your point, there’s some, I will say, some great technology that exists out there in the market that can help them with a variety of things. You know, there’s a reason that we’re working with Kiteworks. You know, Kiteworks can definitely help with a lot of that from a data protection perspective, and data transport. Some other things, when you think about mobile device and protecting the stuff at the edge, there’s some stuff that most organizations just may not have internally, they’re going to need some help with. So it’s going to be a combination of making sure you’ve got your policies in place. And if they don’t know how to do policies, there’s definitely companies that can help them craft that. But at the end of the day, you’ve got to implement the policy. And so it’s a variety of different ways to do that. And so we try to hook up a lot of our partners with each other, where we know that it can help them check those boxes and make them compliant, help them become compliant.
Patrick Spencer 27:00
Yeah. Are you finding that most of these DoD suppliers are coming to you now? How far along are they in terms of CMMC certification? Are they just starting the process? Are they rejected, and they found that they had 30 different controls that they still needed to address that they didn’t pass? Or, you know, what are you seeing on that front?
Chet Hayes 27:23
It’s a good question. I mean, it’s hit or miss depending on the organization. Like I said, if an organization has already gone through the SOC 2 Type 2 stuff for their own, on the commercial side that they were doing, they’re in decent shape, for the most part, we’ve seen. We’re seeing a lot of folks right now, and we’ve talked to them about it, saying, you know, hey, guys, you guys got to be looking at this. A lot of them are still, I’ll say, dragging their feet a little bit purely from a CMMC perspective, or they’re kind of waiting to see what happens with the current rulemaking process and where things end up. We definitely try to encourage everybody, okay, if you’re going to drag your feet on CMMC specifically, at least make sure that you’re looking at the 800-171 stuff, because that’s going to be the foundation you’re going to need anyway going forward, especially for DOD.
Patrick Spencer 28:14
Yeah, we agree with you on the NIST 800-171 front, that certainly needs to be your baseline framework. If you’re covered there, you’re in relatively good shape. FedRAMP. There’s a lot of talk about it. There are vendors in the marketplace, some that do business through you, who aren’t really FedRAMP authorized, they haven’t gotten a certification, they claim that they’re FedRAMP. Like, there is a difference when it comes to those that are certified, which Kiteworks fortunately is, right, and those who aren’t. You know, is that something that you evaluate when you determine which technology companies you want to recommend to the federal government?
Chet Hayes 28:55
Absolutely, I mean, as of December, right, the National Defense Authorization Act actually codified and put FedRAMP as an actual law. But even before then, all the civilian agencies for sure were like, hey, if you’ve got a SaaS offering, it needs to be FedRAMP. And most of them would not talk to you or want to do any business with you unless your offering had a FedRAMP authorization. Now, sometimes it could have been FedRAMP Moderate, or sometimes it could have been FedRAMP Low. On the civilian side, very rarely did we ever see the need for High, but they absolutely look at that. The DoD early on didn’t care as much about FedRAMP. But we’re seeing even some agencies now ask about it because they’re able to go back and point to the control mapping and say, okay, that’s a good starting point for us. But I think now, like I said, with that passing of the Defense Authorization Act in December, that’s going to, I think, put even more of a focus and more of a driver for organizations to go through the FedRAMP process and get that done.
Patrick Spencer 30:09
And it’s great interesting. When you look at your business, you work with the federal government, you work with state and local governments as well. There’s a difference between their requirements, you know, what, what’s similar? And what’s different. And if you’re, you’re a business out there that wants to do business with the federal government or mayor, and you’ve been doing business with state and local governments, you know, what are some of the things that you need to tackle in order to prepare your business to do so?
Chet Hayes 30:41
That’s a great question. Obviously, federal, we talked about FedRAMP. Especially if you’re a SaaS offering, that’s really critical at this point. On the state and local, ironically, it’s sort of like the wild west to some degree, but each state gets to do their own thing. We are starting to see the advent of this thing called StateRAMP. In some cases, Texas has a Texas RAMP. The good thing is if you do have FedRAMP, there is some reciprocity between the two other things. But if you don’t have StateRAMP, or sorry, if you don’t have FedRAMP, but yet you want to do business in the state and local arena, and maybe that’s what your offering is really targeted toward, some states are going to start that concept of StateRAMP. Now, if you go back, again, a lot of it is built around the SOC 2 Type 2 control sets. So again, if you’re back, and you’re looking at that, that’ll help you get there. But I would say I think we’re seeing more and more of that, we’ll probably see more and more of those types of things spread out into the state and local spaces as we go forward.
Patrick Spencer 31:52
When it comes to content, to go back to that, we talked about classification and so forth, governance controls. You know, where do you see that going today? There are some solutions, like Kiteworks, that allow you to control it at the user level, right? I want to share something with you, but I only want you to view it, I don’t want you to send it outside of your organization. Maybe I’m collaborating with you, I want you to be able to edit it. I don’t want you to download it and so forth. There’s lots of different permutations on that front. But a lot of these regulations that exist at the government level want it controlled at that system administrator level and reported on at the same time, right, from a tracking standpoint, that, you know, Chet could do this, this and this. It’s just not Patrick controlling that access, but it’s controlled at the higher level within the organization. What do you see happening on that front? Is that going to become more and more prevalent? And will they begin to put some teeth in it with some of the regulations that exist today by adding those components?
Chet Hayes 32:54
That’s a great question. I think we will see more of that, especially in the more tightly regulated industries. And the areas like, you think of like, health care. My background, I spent a lot of time doing some stuff in the IC. And I think about how some of the data flowed there and how they wanted to control it. So the answer is yes, I think we’ll see more of that. And the ability to manage and track and provide the governance around who can see what, can they see, you know, is it edit only, can they see parts of it, can they see all this data or only parts of the data, that will just continue to grow, especially as organizations start to share more and more data with each other. I think that becomes a bigger issue.
Patrick Spencer 33:41
And your reference to the supply chain and SBOMs, obviously, this element of supply chain risk and supply chain risk management plays into that factor as well, because a lot of this content’s just not staying within the confines, the walls, of one organization, but it’s literally being exposed to thousands, based on your study last year of organizations, thousands of third parties.
Chet Hayes 34:07
Yeah, absolutely. And even in the government, if you think about the federal government, there are certain programs that require the collaboration of multiple different agencies to share data amongst each other. You think of the health care exchange: it’s not just, you know, CMS who controls all that data. They’re pulling data from other agencies as it comes in, and a lot of that is, you know, PII data and other data, and being able to control and manage that and make sure that, you know, only the right people can see what they’re authorized to see becomes critical. And I think we’re just going to see more and more of that as we see more and more collaboration across agencies.
Patrick Spencer 34:48
From a cyber-threat standpoint, you know, we’ve seen a lot about the supply chain in the news the last few years, as you will know, specific vulnerabilities AI. And then, you know, the nation states are obviously increasingly more and more active, and some of the worst hacks are either coming from them directly or through their affiliated organizations that are getting funding or at least coverage within those malicious nation states. What do you see happening on the cyber-threat front today? And, you know, what should our audience look for in the coming year or two?
Chet Hayes 35:28
I think here in the short term, again, software, we talked about secure supply chain, SBOM type of stuff, but I think we’re seeing more and more on cyber-physical systems. So if you think of that concept of the extended Internet of Things, so OT, operational technology, types of stuff, so when you start going from your self-driving vehicles, to smart buildings, to your electric grids, things that are physical in nature but have an element of IT that ties into it, I think there’s going to be a lot more focus on securing those things. Every once in a while we’ll see in the news there was an outage somewhere, like recently in the Carolinas, they were concerned that there may have been a cyber-hack there. So I think we’re going to see a lot more around that. As 5G becomes more ubiquitous and more in use in the government agencies, you’re going to see a lot of concern around, hey, this concept of what my organization is changes, right? Instead of being in the four walls of your building, or wherever you’re at, your organization now extends out to, you know, a handheld device anywhere. So I think there will be a lot of focus on the security of not just the transport from the location to the edge, but how do you protect all of that from an edge perspective, and the data back and forth, and the collaboration of that going forward? I think those are some of the very near-term types of things that we’re going to see a lot of here in the next year or two.
Patrick Spencer 37:09
Any cybersecurity trends, you know, in the technology itself? What do you see, you know, what exciting things do you see on the horizon there?
Chet Hayes 37:19
Exciting things? Well, a lot of the exciting things are really focused on some of the application of, like, machine learning and AI to do different things, both for the good and for the bad, right? You mentioned, like, the article about ChatGPT being used for nefarious reasons. Just the other day, we had an email come in, probably the best phishing email I’ve ever seen, that came in to one of our employees, and they had the wherewithal to at least question it and ask and say, hey, is this real? I think we will see a lot of that, both, again, for good and bad, be used to try to, you know, the bad guy is trying to stay ahead of the good guys in terms of getting access and infiltrating the systems. There’s some cool stuff there. Again, the application of that both into threat intelligence, there’s so much going on, the bad characters, they’re out there trying any which way to either get to your data, hack your system, whether it’s just for data purposes, or whether it’s to install ransomware, or whatever it is. There is so much data generated that that concept of threat intelligence and being able to share that with organizations so that they are understanding what the threats are, I think, will continue to grow and become just vitally important for organizations to be a part of, just so they can keep up to speed with everything that’s going on. 5G, I say that just in general, I think that truly is a game changer. And I’ve even heard folks start talking about this concept of 6G, but you think about the amount of bandwidth that becomes available, and the dynamics that creates for an organization in terms of its ability to do compute and where you can process, and instead of having data all move back to things, that data processing at the edge becomes very interesting.
Patrick Spencer 39:21
On that network that just never ends, right? Doesn’t stop at all in your organization. So this has been a fascinating conversation. Chet, I really appreciate your time. So for organizations that want to engage with Vertosoft, you know, who should engage with you and where should they go to find out more information or to schedule a call with you?
Chet Hayes 39:42
I appreciate that. We always love to talk to people. They can reach us just generally at firstname.lastname@example.org. The types of organizations that we work well with are the ones who are trying to, you know, crack that government market. They need help, they need to understand how to sell, how to be proposals, how contract vehicles, all the terms that generally are foreign to them, that’s where we can help them. And we love to work with, again, the emerging tech companies. We know how to help position them. We’ve got some great relationships with our reseller partners and our system integrators. So again, email@example.com is the easiest way to get to it. You can go to our website, there’s a couple of easy links that go right to our team, and we’ll be happy to have that conversation.
Patrick Spencer 40:29
So thank you. I’m sure you’ll be hearing from some in our audience. Chet, I appreciate your time today. Fascinating conversation. We’ll have to do it again in the near future.
Chet Hayes 40:38
Thanks, Patrick. Appreciate the time.
Patrick Spencer 40:40
For anyone in our audience who would like to find more Kitecast podcasts you can go to kiteworks.com/kitecast. Thanks for joining us.