In this edition of the BORNSECURE Security Influencers podcast, we talk to Nicolas Chaillan, the first US Department of Defense CISO, and the architect behind one of the most complex DevSecOps engagements in the world.
During the conversation, we discuss topics such as:
- The reasons why Zero Trust and high permission granularity are the key technologies to manage authentication and authorization at a scale of hundreds of thousands of developers and applications.
- How Nic led the way for the DoD to open-source Platform One, an $80 million investment that became the largest contribution of the DoD to humanity.
- Why GitOps is the future of software development so that everything in the SDLC including configuration, infrastructure, and application security becomes code that lives in a repo.
Check out the video of the podcast below, or download the episode on your favorite podcast platform. We also include the transcript of the conversation below if you prefer to read it.
Nic, thank you for joining us. Welcome to our podcast.
Hey, thanks for having me.
So let’s go straight into a hard question. So we have very large security budgets; many security vendors, some of them with very high valuations. Why can’t we write secure software?
Yeah, that’s a great question. I think you know, security is so difficult, right? For us, you look at talent, and engineers are really not taught well how to do it, right. I think it starts with the basics: new programming languages and new ways of doing things create different kinds of risks. Of course, the pace is moving so fast. People are trying to compete and there’s not enough investment made in DevSecOps to have security baked into the process. When it’s an afterthought, you have so much technology that the trend is having to deal with months of issues. And not many companies are willing to say, “Hey, you know what, I’m going to take the time to take care of it.” And instead, they keep pressing, keep adding more features, compounding the problem.
The more you can start day one with a full DevSecOps pipeline, proper scanning, proper testing, and really make this part of the process, the better. And yes, maybe you’re going to take a hit in terms of velocity, 5-10% every two weeks for your sprint cycles, but that’s going to save you months of tech debt down the road. So it can actually save the entire company. When you see some of the recent breaches, the impact financially on some of these companies is so drastic that effectively there is no choice today, really, but to do DevSecOps. I think back in the day, people used to get away with it, and many companies had no impact when they had breaches. I think particularly for a small company it is going to be a drastic impact. I think the bigger guys still get away with it, unfortunately, but I think the startups and medium-sized companies will not get a second chance. And so the more you can do early on and do continuously and have this as part of your process, the safer you’re going to be. And honestly, it has to do with competition and learning. I used to give an hour a day to our people at Platform One to go and learn and not get stung. And beyond that you have to invest in your people, and there has to be some training around security and best practices in, you know, full-stack DevOps, to learn effectively how to build proper software.
You’ve mentioned developer education and having the right DevSecOps methodologies and I think actually that’s how you became so well known in the security community: in particular around DevSecOps at scale. Let’s talk about that a little bit. I think you might have led one of the largest engagements for DevSecOps in the world, if not the largest. How did you rank, how did you prioritize all the areas that would come to mind in terms of deploying this methodology across so many developers, so many organizations, so many teams, how do you rank and prioritize the initiatives?
Yeah, that was a big issue. We had, without a doubt, the largest organization on the planet, probably a hundred thousand developers; you’re also looking at the largest budgets, but also the higher risk. I mean, you don’t want to mess up with space and weapon systems. So you want to do that right from the get-go. We don’t get a second chance; it’s not a mobile app that’s going to crash and make people upset. So that compounds the issues for me: security was always the first thing, but you also don’t want to create an environment that’s so secure that it’s unusable. So you want to find the balance between the developer experience, the operations side, the continuous delivery, tracking the metrics, and having that baked-in security on day one.
And so for me, Zero Trust was the first investment, because I knew how important it was to really have that mitigation and the ability to mitigate and reduce your attack surface. So bad actors that potentially get into the system will not be able to laterally move too much, at least to your crown jewels. And so limiting, tracking, and having continuous monitoring and behavioral detection with AI/ML, really pushing best of breed, decoupling, being modular, cutting into Lego blocks, and being very flexible and not locked in. I think for me, part of my role for the taxpayer and the warfighter was to make sure we’re not getting locked into a cloud provider or to a single company or platform. You can’t afford that because you want to have diversity, I want to have options, because it’s so much money. We shouldn’t put ourselves in that situation. And so that’s what’s always important: to abstract and to decouple and to cut and to be able to be modeled on reuse and try to use best-of-breed.
And really the foundation of open-source was so important to me because I knew about the ecosystem and the Cloud Native Computing Foundation partnership. We were the first government agency to join CNCF. All this stuff we’ve done was so essential for us to get where we wanted to be. At the same time, I can tell you that in terms of the full vision I had in mind from day one, I think I achieved 10% of what I wanted to do, because the tech debt and our current state were so bad that I had to take a step back and fix the basics before even going to the real meat.
So I’m a little bit disappointed because obviously there’s so much more I could have done, but at the same time, I think what’s important is to prioritize based on very clear, you know, metrics. You want to really think about what is really important, right? What is the outcome that you want to get to? And for me security is essential, but at the same time, I think it was more about the balance between the developer experience, the usability, the user experience, and, you know, the security. So it has to be balanced: if it’s just secure but no one can use it, then you’re not solving the problem. So I think it was a mixed bag, and there is so much more I wanted to do in terms of the cyber side of things, in terms of multi-party signing and, you know, making the pipeline something you cannot try to bypass, and making it even more ephemeral. Because if a bad actor gets into your DevSecOps pipeline, which by the way is now your crown jewel, they can tamper with your entire source code and laterally move into many systems. So they have the keys of the kingdom in the CI/CD pipeline. So all these concepts are essential, and so is making the pipeline as secure as it can be. And in fact, I was always thinking of the DevSecOps platform as a weapon system.
Very cool. You mentioned a lot of ideas there: you mentioned that Zero Trust limits lateral movement, you mentioned metrics, you mentioned the adoption of open-source to avoid vendor lock-in, and so many other cool things. But if you had to pick one, which one would you think was the most impactful of your contributions?
I think it’s open-source. Of course, Zero Trust is important, but if you look at the adoption of what’s going on in the service mesh space and Kubernetes, they bring Zero Trust, right? They are things you would trust now. And so you would end up getting Zero Trust just by using the open-source stuff. So I think overall having access to that ecosystem and community and best of breed and not getting behind is probably the biggest impact.
Gotcha. I was going to say something similar. Now, when I was looking at your work a little bit these last few weeks, I was very impressed by the stack you have put together, which is a very cool, hip stack. It could be the stack of the latest hot venture capital-funded startup in Silicon Valley. But you have managed to sell that to the largest, arguably most conservative organizations in the world. So how was that? How was the process of selling this collection of very, very hip, very cool, very new tooling into the One Platform, if you want; that’s how you call it, right?
Yeah, Platform One. So the how, I guess, was a little bit mixed. I think there was a piece of education and training for the engineers so they could see the value and understand the concepts of it.
You didn’t have to ask for permission from anyone? You just recommended these tools?
You go on it. I think that if you lead the way and you show it’s possible, and you start incrementally and you grow, and you crawl, walk, run, and you show the light. When I started, people didn’t even know what a container was. They thought I was trying to ship containers to Afghanistan or something. Like physical shipping containers. So there was a massive learning gap. And then, you know, service mesh, no one had even heard of it. Most people in DoD have not had agile training, not even basic agile training whatsoever. They still use waterfall. The barrier was huge.
So we created all this training: we brought curated, unbiased training because, you know, you have a lot of these companies providing DevSecOps stuff that have their own training, but it’s very biased toward their product and you don’t want to use that. So we partnered with the Linux Foundation and CNCF, and O’Reilly (the books) to create content and create curriculums for different kinds of personas, based on how much they wanted to learn.
It was a lot of me selling. I was a sales guy. I was doing briefs and public events and “ask me anything” events with a thousand, 2,000, 10,000 people sometimes, talking about all this stuff and the benefits, and you have to lead with the outcomes, right? You don’t want to talk about the container if you don’t explain what’s the benefit, why are we doing this, what do you get out of it? So you want to lead by that. Once people see the benefits and the outcome, that you’ve picked X, Y, and Z to do it, nobody really cares.
For the open-source part, I was surprised that I didn’t get as much pushback as I thought I was going to get. And when we open-sourced all of Platform One, which by the way was the largest government contribution to the world in history: it’s an 80 million investment. Usually the government open-sources stuff when it stops using it and transitions it. But this is something actively used, something that we still improve. That’s rarer, right? The AC is doing some of that, but that’s about it. So I think that was the biggest contribution as well.
You just have to lead the way and show it’s possible. You know, the first thing I’ve done, people told me, why don’t you start with something simple? I said, “No, no, we’re going to take, you know, the F-16 jets, 60-year-old hardware, and we’re going to put Kubernetes and service mesh and, you know, bunkers, right, in 45 days, you know, and we’re going to show you it’s possible.”
And running Python, I think.
Yep. Python. I think there was Python, Java and, I’m blanking, one more cool language, Go. And that hardware was running C and C++ stuff before, and Ada. So, without changing the hardware!
That was the first language I learned in computer science, Ada. But we recommend the audience go to the show notes for this kind of ecosystem of tools and processes that I was talking about, which Nic shared, because it’s actually very cool to see.
Switching gears to something a little more technical about application design and going up to the top layer. So Zero Trust has the implication that you can’t make any assumptions at the application level about who’s coming in. So how did the teams account for this in the design of the applications? How did they modify the authentication and authorization knowing that you were pushing for Zero Trust, and how did you automate all this?
The key piece to understand is when you start moving to Zero Trust in the system-to-system communication, not just people within the system, but the system-to-system communication, particularly on the microservice side, and you start making them very small. But that compounds the problem.
If you don’t have the principle of ruthless automation, you’re not going to succeed. You’re not going to scale. It’s not going to work. So first for me, always, the principle of ruthless automation was the centerpiece of that engagement. And then the identity management and the ability to track the non-person entity. The system-to-system authentication was essential. Short-lived certificates. Self-rotating and short-lived. Automated. We do have Istio as a service mesh, and we use Envoy as a reverse proxy and the Istio control plane to issue the certificates and rotate them and tie them to our PKI in Vault. We really designed the stack to be automated and streamlined, and then, you know, build using the proxy layer. Then you can create the proper rules. And, you know, we started using Open Policy Agent (OPA) to start doing some type of access control enforcement, and Istio is also bringing a lot of pretty cool new next-generation access control capabilities as well.
So you start to see a pretty granular ability to create rules, to define who gets access to what and when and how, all the way down to the data level with data centricity. You know, so like a field in a database could be, you know, PII or PHI or whatever. And you don’t get to see that based on who you are.
We can be very, very precise and not just talk about the north-south, east-west traffic flowing between the containers and the clusters, but also even within the data centricity aspect of the system, where you can start labeling things and using ABAC to enforce access to specific data fields and types. So that’s exciting. When you start getting there, your maturity starts to rescale, and now you can do some pretty cool things.
And I think it’s very cool that you bring it down to system-to-system authentication or authorization, right? So the infrastructure could be Zero Trust, but there is a lot of permission and authorization rules, as you said, going on, right. And this ties a little bit to infrastructure-as-a-service, right, something that you also are a big advocate of, right? Like automation takes you to infrastructure-as-a-service, right? So basically all your infrastructure, your Istio networks, or your Kubernetes networks are defined by code. So, you know, everything is ephemeral, everything is very automated, right.
Yeah. GitOps, infrastructure as code, configuration as code.
How do applications find out about this? I mean, because in my mind, as a recovering developer, the application knows not so much about the underlying layer. So is that something that was part of the design, or it was something that emerged as the easiest way to authenticate and authorize?
Yeah. I think you have to make it easy, right. If it’s the easiest way to do business, then, you know, application layers will consume it. I would argue that’s something you probably want to mandate anyway as a business, right? Because of the benefit of Zero Trust and the ability to track what’s going on, the telemetry and the metrics you get out of this. So you know, if you build a good service, people will use it, but if they don’t want to use it for whatever reason, that’s the kind of thing where I think identity management, particularly in Zero Trust, should probably be mandated. There shouldn’t be two options. You know, when you think back on the DevSecOps stack, we had 23 databases, 66 programming languages… plenty of options for different things. We had 900 containers on Iron Bank. But then some things are, you know, the one way, right. That’s rare.
All of them share this vertical authorization and identity management, right?
Yes. And that’s one of the few things that you probably want to mandate, and have only one option. For the rest, you may have a couple; sometimes you want to have three or four. Sometimes you want to have 20, 50, because you want to bring diversity to your development team, but you want to bring the right diversity. And for some things, you know, if you look at Zero Trust, you cannot federate a policy enforcement point. Because the whole principle of federation would be to blindly trust the other PEP, in which case that’s not Zero Trust; you’re just trusting somebody else. And so if you start using two Zero Trust stacks that are completely disparate and they don’t share policy enforcement code in the same repo and the same enforcement layer, then you really are just back to not using Zero Trust.
Okay. And this identity management layer is open-source?
Yeah, we use Keycloak and of course all the basics: JSON web tokens and passing that to Istio with the mesh. And then the token had labels and access control labels baked into the token. So then you can do very granular things. I could know what device they use, you know, if they are authenticated with the right multi-factor options based on what you use. If you’re on a personal mobile device, maybe you don’t get access to the same stuff that you would on your government device. So we had all these great mechanisms to then whitelist and grant access to different things based on the device used, based on the identity of the user.
So, “me authenticated with my mobile device” will not get the same access as “me connecting with my government device.” So that’s when you get, you know, what we call “comply to connect,” when you enforce a device state. And we would check the patching state of the device, check if it’s up to date, all that stuff, if they have implant protection software installed on it. And so that would rank the device risk posture, and then tie this back to the user identity. And based on the combined risk, then you get access to different things based on the risk.
I think it’s very good to have that granularity. There is no “all or nothing.” It’s not a “yes or no” binary decision system. It is based, as you said, on all of those parameters.
It goes to the application layer. Do you want to give this to the app, right?
I think there’s common sense, but there wasn’t anything like that up to a few years ago. I only heard this concept, I think it was in a Google talk, about exactly what you described: basically customize the access level depending on this matrix of, you know, confidentiality levels or secrecy levels and the security of the device that you’re using. Having this matrix, I think it’s called one sentence about, I don’t think we were anywhere there just a few years ago. So I think it was very cool to hear that.
Google created the concept that was BeyondCorp, and I kind of, I won’t call it “stole it,” but I bought it.
No, I think it’s common sense. It came from Google, but I think this is the first case that I see it used at such a significant scale with, so much at stake. So that’s very cool.
We ended up talking about development, identity management, applications, and all that takes me to your developer background. It seems like it’s a common pattern to have security experts that became security experts after being developers, or founders of development companies, even launch companies. We had Larry Maccherone last time, and he was first a huge developer and a founder of startups. And I think in your case it’s also a very similar background. Jim Manico also had a similar background. What’s up with this combination? Do you think it’s a huge requirement to be a very good developer to be very good at security?
Well, I think it’s certainly important to not just think of security as the only important thing. So I think by being a developer, you want to take into account the user experience of the developers. And if it’s not something you would use, then you build a product in a vacuum. So I think it’s important to balance security with user experience and ease of use and all that. So there’s a balance, and there are competing interests, right? So I think it’s good to have someone that’s both a cyber guy and a software guy, because you can then find the right balance between the two. And you know, when it comes to innovation right now, with the move to GitOps and the move to everything as code, effectively all the cyber experts will have to become somehow, somewhat of a developer to some degree. At least understand code enough, because we’re not going to connect to a Linux box and SSH with root access and patch stuff. You’re going to make changes in code in a Git repo, and the pipeline will be the thing pushing to the staging and production environment.
Ideally, you should not have people in production, no humans in production anymore, and everything goes through the pipeline and you never bypass the pipeline. So that means all these cyber experts have to reinvent themselves to know how to make the same change they used to make by patching Apache on a Linux box, but by going into an Apache Dockerfile container and updating that container. That’s a drastic change. That’s a complete relearning of everything there. Now it’s the same outcome, but it’s automated. There is no drift between environments. It’s GitOps-centric, and that’s the future. And so obviously having software experts come into the cyber world is going to make this happen.
That was a beautiful way of articulating that. I think I’m going to steal those sentences because in my mind it makes a lot of sense. I mean, why would you have someone SSH into an Apache box and do things in that specific box, where you can just do that offline with all the security that you have, and when you are sure that it works and you are not exporting anything, then you repeat that in this automated fashion in the actual production environment, right? So that’s a beautiful concept. I hope it grows.
So we are a security vendor. What’s your opinion on the application security industry, where the vendors are going? There tends to be a lot of capital flowing in that space, which is great for us. But what do you think is the reason behind this attraction of capital, and is there any application security technology that you are excited about? You know, any standards, any new ways of doing things? So let’s talk about application security as an industry.
I think it’s interesting because, despite the fact that there’s all that money flowing, I see very little innovation. We went from SAST to dynamic application scanning, to IAST and all these things, continuous monitoring aspects now. But honestly, I think everybody’s still missing the point, which is to do GitOps right.
Can you define GitOps? What do you mean exactly?
GitOps is effectively “everything is in git.” Your source of truth, your declarative state, everything as code is in your code repo, as are your configuration changes. Everything is in git. So GitOps is that automation process to ideally pull from git rather than push, because that way your CI/CD pipeline does not need to have the keys to your production and staging environment. So we pull; we use Flux or Argo CD, right, to do that. So you can pull from git every minute to see if there is a change, and apply the change. So that concept of “pull from git” is essential. So you have no drift, no human in production. You have an ephemeral state design, your desired state is in git, you can audit at any time, you’ll get reports and know exactly what your state was at a specific time, because you can go back in time, you can revert, you can do a lot of different things.
The GitOps concept is essential, and that’s going to change the entire cyber landscape. And I don’t see a lot of companies embracing it yet. What I’m talking about is, if everything is code, that means now companies should do two things. One is we need to scan the runtime and see what’s running on the cluster, compare with the Git repo, and see if anything is different, if anything is different between your desired state in git source code and your runtime. If your source code is different from your runtime, that means either there’s a malicious actor or someone went in and, you know, made changes that they shouldn’t have made that bypass the pipeline. So any difference between your source code and your runtime is a problem. You need to scan your runtime and see what’s running, and be able to scan your source code repos, manifests, your Dockerfiles, Helm charts.
And then when you look at all these scanning companies, they often apply the change in runtime in production. We don’t want to do this anymore. We want to make the change in source code. So now let’s say they scan the runtime and they see an old version with a CVE of Apache, whatever, right? Instead of patching Apache on the runtime as they do now, they should push a merge request to my git repo to make the change proactively. And then a human has to go in and say, yes, I want to approve the change, which triggers the pipeline and deploys the updated version. So it’s a complete shift from, you know, scanning the runtime and applying the change in production directly, to, you know, proposing the merge request in my git repo to apply the change and push it through the pipeline. But it also requires the application of the company to be able to compare the runtime and compare the source code and see what’s different. So for that, we need to scan the source code and understand it enough, understand the YAML, understand all this code, to know exactly what that would create in runtime, to see these new differences.
That’s actually super cool. We are a runtime security company, and when we do demos, we actually start with that. We show them: “Hey, this is your deployment in production. This is what it looks like, in terms of environment, in terms of applications, in terms of CVEs.” But we just stop with it. We just say, “Hey, this is what you have.”
That’s the next step.
The next feature is to understand how it drifted. Yeah, yeah, yeah, no, that’s very, very interesting.
You know, I would argue it’s the hardest piece, right? The runtime. Because scanning source code and Dockerfiles and YAMLs, it’s not rocket science, I think. I think, you know, you can probably do the matching and then proactively look at drift and say, “Hey, you know, this thing running has a different, you know, state in YAML than this YAML file. So why is that change? Is that a hacker that got in and made a change, right?” Maybe open pulse or assigned to run stuff is not supposed to run, or maybe there’s a container running that’s not in the git repo. So where did that come from? I mean, if there’s a container running that you didn’t have in git, that’s clearly an indication of suspicious behavior, someone installing stuff that shouldn’t be there. So I think it’s pretty easy to get.
We don’t get so much at the container level, but we really care, for example, about API discovery, which is more at our application layer. So that’s one of our key features for the next few quarters, which basically shows you your endpoints, the signature of your endpoints, and what the security posture of your endpoints is.
You would be surprised at how many companies discover zombie APIs, old versions of APIs, dashboards that maybe they were using for development. And then, of course, they end up in production. So this visibility today in 2021 has a lot of value, of course. For 2022, 2023, finding out a way of comparing the ideal state and the real state, right, this “digital twin” comparison.
That’s the future right there.
What else? I have a personal question about my interests, which is your position on defense and geopolitics and all that. I think it’s very cool. Maybe it’s because of the movies that I watched growing up, spies and all that in the nineties. So I guess there is a growing trend of nation states using cyber weapons, right? In the beginning, it was mostly espionage use of these tools: basically just get into a very specific target, analyze, collect information, you know, basically data collection, espionage. Then you move to more sabotage operations, like very targeted operations where you hit critical infrastructure and then you leave. So it seems like the natural next step is an escalation to cyber conflict and attacks at a national scale.
I don’t want you to tell me anything that you’ve seen in your professional experience, because of course that’s confidential. And I don’t know if it’s a fair question to ask to separate these two points of view, but are you more concerned about nation-states acting on kind of ideological or geopolitical motivations, or more like rogue groups acting with more economic motivations, right? So you have these two groups of bad actors; which one is most scary in your mind?
You’re going to find out many of the rogue groups are funded by nations too anyway; not all of them, but some of them. I think I’m more concerned about the national groups because they have different desired outcomes, right? The rogue groups just want to make money. Right. Sometimes they want to make a statement, but that’s pretty rare. So money is, you know, they get money and be done. They’re not gonna put lives at risk or destroy things or kill people. You know, I don’t think that that’s a thing, but nation-states could be a different story. So I think that is probably the biggest risk we’re facing right now. And you know, when people keep saying that China is behind the US, I think that’s actually very wrong. I think China is actually leading the pack when it comes to both AI/ML and cybersecurity, and when it comes to cyber-offense as well.
Very cool. Do you think BGP is a weakness on the internet right now?
It seems so, right.
It seems to be one of them. When you were hearing about the Facebook incident this week, did you think it was a malicious action or just bad configuration?
It could be both, right. I mean, it’s very easy to mess this up and then knock yourself out, and then you’re remote, and you have to go onsite and you can’t fix it until someone gets in. And, oh, by the way, your entire system and smart card, all the way to getting into the building, are now not working. So you can’t even access the building anymore. So I can see the ripple effect of depending on technology so much that you created a number of ripple effects, right. So it is possible, but it’s also very likely, I guess, that it is an attack. I don’t know if we’re going to get the transparency report, because the incident effectively did not bring loss of data; I mean, it was the loss of service availability. But supposedly at least there was no breach of data. I don’t think there’s a legal requirement to report what happened to anybody, so effectively there might not be transparency there if there is no PII or critical information leak. Then that’s just a liability thing. And look, I think when you look at how many people use WhatsApp and things like that, I mean, other things like Instagram and stuff, people can survive without, but WhatsApp sometimes is used in very remote locations to save lives sometimes, to enable communications and get people to places. And so that potentially created loss of life.
It made me think about, well, maybe at some point we should have some sort of paper fallbacks, you know, about routes configurations.
I think cold storage is correct. I think that’s, by the way, a huge mistake I see people make, you know, when it comes to backups: they have their backups on the same cloud. You know, if the cloud account is compromised, that’s everything. That’s very foolish, you know, not having any kind of hot disaster recovery elsewhere. Well, at the very least a cold storage where you have at the very least weekly backups, but can you even do weekly? Is that good enough? Right. Are you okay losing a week of data in 2021? Right. So that process is expensive, right? Cloud providers are not doing very well when it comes to it. Of course, you can get an Amazon Snowball or whatever to get your data back and all this stuff, but having a daily backup process, or maybe doing a backup of Azure on Amazon, Amazon on Azure, or whatever, right, Google, you could do that. But even that I think is not enough. I think you want to have something local, right? Somewhere that you control, not on the third-party service.
It makes me think about these, I don’t know if you’ve heard of this seed vault in Norway that is under ice, saving seeds. We should have something like that. We keep media and, you know, these internet basic protocols, very well-defined, and even routing…
We used to do this for the big backup storage stuff. But with the rise of the cloud, people are getting complacent. And I can tell you, I’m confident there’s going to be an event one day, like a Pearl Harbor of cyber, where people are gonna wake up and it’s going to hurt, it’s going to be bad. People should proactively invest in it. It’s so expensive to bring data, particularly when you have a high volume of data, I get it. But at the very least the critical crown jewels, bring this every day. And look, you have to put yourself in a position, you have to think about it. Is it even enough to have a day? You know, are you okay losing a day of data? Are you okay losing a week of data? What are you going to tell your customers? If your mission is critical, you know, what’s the impact of you losing a day of data, a week of data?
Yeah, no, I read this fiction book about the potential effects of an EMP, electromagnetic pulse. And since then I am kind of obsessed about that and looking at the sky and hoping that…
The good news is most data centers, at least the modern ones, usually have some type of shielding to protect, usually. But I’m more afraid of a cyber offense. Okay. So I mean, EMP, I install stuff at my house to protect from EMPs in my house. Because I’m the same, I’m a prepper, you know, I’m crazy this way. I have generators and everything I need to survive for two years if we lose power. But I think when you look at the state of the grid, you know, and, by the way, that happened after I worked at DHS for 18 months and I saw how insecure the grid was. And I can tell you, it’s a disgrace. It’s very likely that someone can get in and create massive issues in the grid. And look, if you lose power for a week, people are going to go nuts. That’s not going to look good.
It’s called The Purge. It happened in Ukraine. It sounds remote, but you know it was subject to that, the same offensive. So it’s good to end up on a good note like this.
What’s next for you, Nic? What’s the next thing in your career, what’s next in your life? You’re taking some time off; do you have any ideas about future opportunities?
What’s next? Yeah. So, you know, first, I really wanted to spend time with my kids. You know, when I started this job, I had no kids. Three years later, I have twins and an older daughter, so I have three daughters under three. So it’s interesting and I missed a lot, you know, so I want to spend time with them. I spent way too much time working in DoD. So I’m going to do that. I’m also going to join a few boards, you know, just so I don’t become too stale.
And I’m probably going to think about maybe doing a new startup, you know, I’ve done 12, I don’t need to work anymore. So that’s always good. You know, something around, yeah. I sold 12 companies before this. For me, that was also the benefit of going into the government with no conflict of interest. No need to make more money. Right. So I don’t care, I do what’s right for the taxpayer and the warfighter. And that really helped me a lot. And I think, you know, for me, funny enough, because of that, not many things keep getting me excited. Right. It’s like, yeah, whatever, you know, like some fields I’m like, yeah, I’ve seen this. I don’t care.
But space, I think space is the only kind of market that gets me excited. I have always wanted to go to space. So I think my next engagement will have to be something around space. So on or around software and space. But it’s going to be pretty brief, and you can think of probably all of the stuff we talked about today brought as-a-service for space companies. So they can focus on their mission software and don’t have to build all the platforms, the DevSecOps, the GitOps, all these things, and make that capable of running in space and on the ground, and have a mesh and have the connectivity and the security and the ability to push data.
So that’s the kind of stuff that I think can get me excited, but I promise one thing, I’m not going to sell back to the government. If the government needs it, whatever. But I hate when people leave the government and they come back to sell stuff to the government. So I’m going to focus on the commercial space side, not the government space side.
Very cool. Well, thank you so much. We don’t want to take too much time out of your very deserved break. So I just wanted to thank you for your time, sharing your insights, and for stopping by the podcast.
No, thanks for having me. It’s so exciting. Thank you so much.