From med-school to cybersecurity, our special guest Steve traverses a journey that's anything but typical. Coming out of an unexpected turn of events, Steve found himself immersed in the tech world, and his fascinating stories are testament to the rollercoaster ride that ensued. Uncover how, amid the early days of the tech industry, Steve and his team navigated the unique challenges of introducing new concepts to the market. His intriguing tales of venture capitalist meetings and the unexpected success of a two-hour coding tool will leave you captivated.
Our conversation wouldn't be complete without delving into Steve's tenure at Intel. Hear about Intel's unique approach to security, their diverse capabilities, and how they stand apart from other hardware vendors. Steve also shares Intel's philosophy of supporting customers without biased promotion of one vendor over another. Toward the end of our heart-to-heart, we discuss the importance of becoming a thought leader, captivating your audience, and leveraging internal thought leadership for career progression. Finally, we'll explore Steve's role in the government vertical at Intel and how he's innovatively using security to create a transformation in the tech industry. Tune in for an enriching experience as we traverse Steve's captivating journey in the tech world.
LinkedIn: https://www.linkedin.com/in/sorrin/
Website: https://www.intel.com/
Speaker 1: How's it going, Steve? It's really good to finally have you on the podcast. I'm very excited for our conversation.
Speaker 2: Thank you for having me today, Joe.
Speaker 1: Yeah, absolutely. So, Steve, you know, I, I, I feel like you hold a very interesting role within Intel. But before, you know, I eagerly jump into that, how about we discuss, you know, how you got into security? What was it about IT in general, you know, that kind of piqued your interest and made you think like, hey, maybe this could be a career, maybe this could be something I go down, right?
Speaker 2: It's a really interesting question there, because that wasn't the original plan. I was a hacker as a kid, you know, playing around with computers and software and figuring how things worked and how things fell apart, you know, in the early days. And at that time, when I started, you know, sort of thinking about, OK, what I want to be when I grow up and what focus area should I have, in college I had two main loves. It was, you know, computers and that kind of stuff, and then biology. And in 1989, when I sort of had to make a call on that, there was a lot of out-of-work COBOL programmers, and it really wasn't the sexy career we know IT to be today. And so I went the bio route, I actually did. My direction was research biology. I was going to be an MD, PhD and work in a lab, and that was going to be what I was going to do. And after I graduated and had a year of doing some graduate research, had a year off before starting med school, an opportunity arose where someone had some money that they were thinking of doing this startup thing in the security space. They didn't know really what they wanted to do, but they knew they wanted to do it. And I got introduced to him and he's like, you know, you know this, you're a hacker guy, you know the security stuff, you know you want to do this. I'm like, I thought, you know, this would be a good idea, make a little bit of money before I go to med school, because med school is not cheap. And so in early 95, we kicked off a startup looking at, looking at desktop security. And after three months I had fallen in love. I was all in. This was an exciting time to be in security and to be in technology. It was right around the time Netscape was about to go public. It was early days of the internet and everything was possible. And so I fell headfirst into, into security and into IT technologies.
At the early stages I had some amazing mentors along the way who taught me, where I like to joke, I sucked their brains dry of all their knowledge and information on the security space. In this, in the cryptography space, Bruce Schneier was one of my mentors and really opened my eyes to the deeper side of the cryptography side of the camp. And I can, my career sort of took off from there, doing multiple security startups throughout the 90s and 2000s. It took my parents a little bit longer to figure out that I wasn't throwing my life away, because, what do you mean, you're not going to be a doctor? That took a little doing. But, you know, did, like I said, multiple startups, helped create some new industries: web security, XML security. Was acquired by Intel in 2005 and was going to do what most people do when they get acquired: serve my six-month sentence and then go do another startup. And the head of the division at the time came to me with a proposition. And she basically was going to look at sort of the near-term research. If you think about, you know, Intel does the five to 10 year horizon research in the lab. So looking out, way out in the future, what's the next generation hardware going to look like? What's quantum going to look like? Now is a key area, so what's coming next? Well, but they saw back in 2005 was there was a gap in sort of innovative research in the two to five year horizon, so sort of with current hardware, hardware that's about to come out, what's interesting and novel that you could do with that, what new use cases are emerging now that we could take advantage of. And she wanted to do this across multiple domains. And she said, Steve, would you like to do this for cybersecurity?
Speaker 1: And I mean, like I said, I get to play like a CTO with Intel's VC budget.
Speaker 2: I'm good with that, and so for nine years I ran security pathfinding, where we looked at innovative, innovative cybersecurity use cases that can either leverage hardware to be more efficient or to get better security, or to use new hardware features in interesting ways to accomplish cybersecurity goals. And it was an exciting time. And we did a lot of innovation around malware detection, agent protection, being able to do cloud security and virtualization security using hardware as a root of trust, and that led me to really expand my horizons beyond just cybersecurity to the broader set of technologies that Intel plays in. And in 2013, Intel was going to focus on, put a renewed focus onto the federal government from a technology domain, not just from a sales or enabling domain, and was going to stand up a capability. And I was tapped to lead the technology team for the federal market, be the federal CTO for Intel, and so I jumped on board with that and have been doing that now for about nine years, and it really allows me to continue to do interesting, innovative stuff with cybersecurity, but also now with AI, with high performance computing, with cloud, with everything that the federal government is challenged with and that Intel and our technology and our ecosystem can help support. So got there through a weavy path to get to where I am today. But I think the key thing is that back in the day, just the opportunity to go off and cause trouble in the security space is always what keeps me interested. Wow.
Speaker 1: I mean, there's so much to unpack there. You know, going from a potential, like, med school student to IT, specifically security, do you think that there's any, you know, related skills that you may have gained in your studies to prepare for med school, to be the doctor, that are, like, translatable in IT? Is there any? I mean, I honestly, I don't know. So I think that's a good thing. I mean, let's look at it from a couple perspectives.
Speaker 2: So there's the, there's one answer which has less to do with biology and more to do with, I'm not a CS major in my background. And I think what that's afforded me throughout my career is sort of two key things. Number one, I've not been predisposed to doing something a certain way, like I haven't been trained, well, that's the only way you got to do it. So it opens the door to out of the, you know, the art of the public. So it opens the door to out of the art of the possible. You know, you haven't been beaten into submission by your professors that this is how you code, or this is how signals work, or this is how data flows, and so you think differently and you bring a different or more diverse perspective to problem solving. And or, as some of my her text user joking, you're not smart enough to know that that's the wrong way to do it. But what's interesting is that you, and I've used this throughout my career of my teams, of building diverse teams from various backgrounds, because really that's how you solve those big hairy problems, is thinking outside the box. And that's not just, well, you've got a smart architect who can think differently. It's coming from different backgrounds, coming from different experiences, you look at problems differently. And I think for the, from the bio specifically, especially on the research side, but even in the diagnostic side, those, that problem solving, that sort of, there's a challenge here. We're trying to cure a disease or understand how a system works, and that's a lot of the same mental processes you do when you're, when you're a cybersecurity person. You want to see how a network falls apart or how to get in through the, you know, see where the seams are. It's like looking at a biological system or a disease vector or how a drug works within the systems.
You have to understand the system and understand where it breaks in the case of a disease or a cancer, and then you are also looking at how is this drug going to interact with that system. So a lot of the same mental sort of leaps and hoops that you go through are similar between those two domains. There's been multiple folks that have written over the years around, you know, can you treat a network like a biological system? And I think there's been some innovative research about, you know, looking at how viruses propagate through bodies versus how they propagate through networks and drawing corollaries there. But I think more practically it's the thought process of seeing how things fail is really how good cybersecurity people approach the world.
Speaker 1: Yeah, I, you know, that makes a lot of sense. And I always recommend it to people because, you know, I talked to some people that are more junior in their career. They're trying to get into IT or security, and, you know, they're worried about failing, they're worried about kind of pressing the envelope, right, and I mean, I always go back to when I started, right, when I accidentally dropped a database of a company, of our product, of a company's, and was like, oh okay, now I have to troubleshoot and figure out how to restore this thing from Postgres logs, and I've been on the job for six months so I'm probably fired. You know, like I'm already fired. They're just milking me for the last bit of time. You know, like it's, it's those times, though, that you learn the most. You know, like I learned, I learned so much more about Postgres than I ever wanted to learn, you know, and I actually find it interesting. I understand the syntax now, I understand how it operates and whatnot, and so I find it interesting. But it's like I didn't go into that job to learn about Postgres or Linux or anything like that. I went into it with an open mind and I learned all that I could and I made a lot of mistakes along the way, and that's really when you learn.
Speaker 2: Yeah, we. The key is to fail forward. It's not to let, not let your failures get in your way, but actually learn from them. Try not to make the same mistake more than once. But I, you know, if I think about my startups, you know, much of what we were doing was trying something and never been done before. And there are lots of ideas that never, you know, that made it into code, that never got compiled, never got into the product because they just didn't work, they were inefficient, they were flat out broken. But you tried it and you learned from the experience. And really the really fun nuggets are where you did something because it worked, and it wasn't the reason. But then later you come back and realize, well, that decision has actually enabled you to do a whole bunch of other things. One of my early startups, we were looking at how to better secure mainframes and be able to provide sort of end-to-end encryption and end-to-end authentication from an edge component, you know, from a client if you go all the way to the back end, using PKI. And it was a challenge. And we figured out some ways to do it. And we were using some really totally new protocols, something called SOAP and WSDL and XML, to help transfer the data between the systems in a common format, and that was because it was efficient, it was easy. Fast forward, you know, a year later and we're working with our customers and they're having trouble getting data off those systems. And they want to be able to do it in a more web-friendly kind of way. And like, well, we already have a SOAP server running there. We actually have already accomplished that goal. It takes a little bit of coding on the back end to automate a couple of the clicks. And we actually were able to provide a wholly new solution to be able to do, you know, sort of getting at data that was already on the mainframe, because we'd already created that tunnel for a completely different use.
And that's where sometimes your mistakes or your interesting tries actually come back to pay you in dividends much later on.
Speaker 1: Yeah, that's a really good point. You know, in my career I've had the fortunate or unfortunate opportunity to run into the most random issues with basically every product I touch, stuff that just boggles the developers that created it, right. But I learned early on, always take notes, right, take notes on every single thing, and later on, you know, nine times out of the 10, it actually, you know, helps me, because I may not have the best memory, right, like I can't recall things that I don't take an effort to, I don't know, kind of like solidify in my mind somehow, and writing it down always solidifies it for me, so it's easier for me to recall. And so, you know, after I would go through an issue, there'd be like an after action report and I have to, I have to, you know, go through and describe exactly what I did, why I did it, what the outcome was, and I had the best troubleshooting guides out of everyone at the company eventually, and eventually everyone just used mine because it was so much better than even, like, the developers' troubleshooting guide. You know, you talked about, you know, early on in your career when really the industry was just getting started. So that sounds like an extremely exciting time to me, and also, I mean, more exciting, a little bit of a nervous time, I guess, right? Because you may not know what will succeed and what will blow up. You know, and did you feel like at that time that you could basically, just, you know, throw a stone and hit water, and now you're, you know, in a successful startup that you created, you know, two weeks ago or something like that? Like, was it that kind of environment or is it different?
Speaker 2: So it's interesting that we look at it back now and say, oh, some of those things were so easy. And I joke that our, my second startup, I had the idea on an international plane ride. I was coming back from an overseas trip. And you know, when you're stuck in a seat, and this is the early days, you didn't have the ability to have a laptop on a plane back then. And you know, all you can do is think. And so I had this interesting idea. I landed, I called my mentor, I called one of my partners and I said, hey, I've got this idea. What do you think? And from the point of having that idea and jotting it down, jet lagged in my, you know, at my home, to having money in the bank and off to the races was two months. I mean, literally from idea to funding was two months. That was the beauty of the 90s. So it was a lot easier. And all we had, you know, I did it with like two pieces of paper and a set of bios. And that was all it's got. Now it takes a lot to go from that initial seed round to actually executing a product and getting it into market, but I think one of the things that was interesting about the early days, different from now, is that you didn't have as much noise. You know, it was a smaller industry. There weren't, you know, when you would come out with an idea, that was maybe one or two competitors. If you start to get real successful, you could get to five competitors. Now there's like a thousand people doing all the same thing you're doing. So it was, it's, back then it was much easier to get your message out. The flip side problem is that you had a high barrier in it, in the CIO or the precursor, you know, the director of architecture, because they didn't have a CIO back then, oftentimes, to convince them they needed your technology.
It was a lot less understanding of the cyber threat or of what the technology was going to do to the architecture. And so we had a lot more education we had to do about the problems to convince them that they needed our widget or the jure that was going to solve their big problems that they didn't know they had yet. So it was a balance of, we had to convince people that there was a problem. We knew there was, but at the same time I didn't have to, you know, try to separate what I was doing for 50 other things that were sounded like they were doing the same way. So there was a balance there. I do remember some funny stories about early conversations on cybersecurity with VCs, because while IT people could basically understand the idea of firewalling and authentication and some of the cybersecurity principles, unless that VC had already invested in a security company, they were completely unaware of what that meant. And it just, I remember there was one VC didn't want to give me his business card because he'd heard I had done hacking as a kid. And like, that made him scared of me. And I'm like, I'm totally not threatening, it's just something, you know. The lot of education and what we did back then is we went with very visual demos. So, and it's something I still hold on to today, that people do better when you show them a visualization of what's going on. A lot of demos today where you see a little peak in the poor man's benchmark and like, yes, look, we can do this and we can do it 20 times faster. It doesn't tell me what you're doing, it just tells me you're doing it faster. Or we can, you know, spin up a thousand nodes, but what do you actually see? See a blinking light on a screen. I find that for the end customer, when you can sort of make it tangible for them, what does it mean to me, and show them. And so we would actually lug around demos showing, you know, here's the attack, here's our thing detecting it, or here's our thing blocking the actual attack.
Making it real is really what it would have helped in those early days, because they didn't have the understanding or they didn't know that they had that problem. And there were great examples where we had one of my startups, Sanctum. We had built a, we had an application firewall, one of the very first web application firewalls. We built a scanning tool to basically show that you had vulnerabilities. That's why you needed the firewall. So we created a little tool that would scan your website and identify all the little places where you had cross-site scripting and SQL injection and actually could demonstrate it for you to prove that you really did need that application firewall. What would happen over the course of that company is the interesting thing. That scanning tool became the most valuable asset. The firewall was important, but it actually wasn't the thing that blew up. The scanning tool became the powerful tool because it allowed auditors to show their internal business units: you've got these issues and I can prove it. It allowed the quality people that beat up on the developer, the developers, be able to fix it because they can identify it. So that was the game changer, was having something that could show the problem, and then the thing that actually fixed the problem became almost less of an importance, even though we know in security it's equally important. But it wasn't the visual aha, I have that problem.
Speaker 1: Huh, that's really interesting, going from a place that you're trying to sell one thing and this minor tool that probably took someone like, what, two hours to code or something like that. I mean, that's not extraordinarily difficult to do. I'm a pretty poor coder, but I can probably clump that together. That is very interesting. Yeah, I will say that scanning web apps.
Speaker 2: Back in those days, though, you think it was easy, but we have to remember how completely horrible web programming was back then and how everyone made it. So having something that could crawl without crashing actually took some real coding. The first tool took a couple of minutes, but back then the crazy stuff you'd see people do in HTML like that. It was wild west in the early 2000s, so I will say that it took some good engineering to build that, to be a quality scalper. But yeah, the tool originally was a side project by one of our chief architects.
Speaker 1: That's really interesting. I guess I've been so removed from the early 2000s that I mean I never noticed it. I guess I wasn't thinking I was going to go into IT in the early 2000s. I was more preoccupied with playing with my other friends in fifth grade and whatnot. You talked about that. You were on the plane, you wrote down this idea and you called up your mentors. So how did you find mentors? How did you even just identify the mentors in your life that you would be able to bounce ideas off of and trust and gain their respect and whatnot? That's maybe the biggest question that I get the most often. That is difficult to answer because there's so many different avenues to doing it. But actually doing it is the hard part.
Speaker 2: So I would say that I wish there was a one-shot approach of, here's how you get good mentors. I can tell you a couple of ways I came to the people that I treat as my mentor. So in the case of my early mentors, like Bruce Schneier, he had written the Bible, Applied Cryptography, and, on the advice of one of my business partners, he said, well, why don't you reach out to him and see if he's willing to answer some questions? And so I did. I emailed him and I said, hey, Bruce, I have some of these ideas. I loved reading your book, would like to talk to you more. And he responded and we became friends and he came on, went on to help mentor me across two of my companies and is still a valuable friend and colleague, and some of it is just taking the gumption and reaching out and not being there to say, oh, I love your stuff, you're awesome, but really to ask intelligent questions, because the smart people like to be queried, like to answer smart questions, like to be challenged, like to have problems with, sink their teeth into as well, and so being able to reach out to people that you're looking for mentorship from and treat them like they're not up on a pedestal, they put on their pants the same way we do every morning. But they are, they really are smart people. And I live by: surround yourself with people smarter than yourself and listen. So one is definitely being proactive. Reach out. Also, leverage the network. So being able to, from, from, from Bruce, being able to reach out and understand and talk to his peers and hear from them, and, you know, and create relationships. And it's, a lot of it is the soft skill of creating relationships. And then the others. The other side of the mentor is, is, I would say, two things. One, as you're going through your career, there will be bosses, or oftentimes, you know, bosses of bosses that you will interact with.
Build relationships with those people, because the people got into those positions because they knew what they were doing. And they're, they are looking to, just like we are, you know, I am and other senior leaders, to mentor the next generation. And so, again, as you interact with people within your own company, you know, reach out to the, to the senior leadership, get on their radar, create your relationship, have asked them to mentor you and you'll find, more often than not, they're more than happy to do so. And then the last piece of advice is go, you know, think outside the box on your mentors. I have probably too many cybersecurity mentors over the years, or people I would go to who are the super uber smart cybersecurity experts in their domains, but the mentors that have also been a key factor have been the business people, salespeople, marketing experts that I, that I, you know, that make me a better, more rounded person in my career. You can be an absolute, unbelievable top security architect, but what makes you a successful startup or successful business person, a successful executive, is having that more round, rounded focus and people in my life. You know, my VP of marketing at Sanctum, Diane Freeman, has been a key mentor for me through, you know, long beyond the company, after, after we exited Sanctum. And again, a marketing person, I mean, just an exquisitely smart marketing person, and knows how to communicate, whether it be technologies or our interesting ideas, to different audiences. And that ability to learn how to communicate and also how to, you know, to give talks in a consistent way, how to tell stories, and she's helped me considerably to be a better or more effective person in my career by understanding those tenets, and so it's, the diversity of mentors is equally important to having really good mentors within your domain, because ultimately, those soft skills are how we are successful long term. VCs aren't going to, you know.
Don't invest in technologies, they invest in people. And so they want to know, are you going to be successful with whatever weird widget you're coming up with? They only extend a little bit of, they're looking at, are you the kind of person that can be successful?
Speaker 1: Yeah, I think Warren Buffett talks about that a lot, is how, you know, he doesn't, he looks at the company overall, but the deciding factor is actually the leadership of the company. And if he thinks that they'll be able to be successful, if they'll, you know, still work as hard after they, after, you know, he gives them this money, and will they still strive for the same greatness. You know, like even, it's interesting, you know, where life takes you and what skills you learn along the way, like even just with this podcast, I've had to learn so much more about marketing and conversation skills and soft skills than I ever thought, going into it, that I would need to know. You know, I, I don't know why I didn't think that I would need to know how to market my podcast, but I do, you know, and now I'm learning, right, and it's something not related to IT at all, but I'm figuring out how to, you know, get new interesting guests on like yourself that add value to the podcast and add value to my audience, which, it's been an interesting ride. You know, you never know where something is going to take you until you go down that road.
Speaker 2: Absolutely. And then how does that, how does that skill you've learned for your podcast now translate into you, into, you know, potentially, I'll say, a day job in IT? Better communications with management, across business units, can get view the need. I mean, one of the really cool use cases I've heard is CISOs that, you know, that, you know, we learned how to better market and communicate or took training. We actually went out and was proactive, took training on it, communicate better to the board and to the executive team. And what that really boils down to is when they're trying to describe a risk or threat that they need to mitigate. If you just come in and say, oh, we're going to get attacked and it's this kind of risk, you're going right over their heads. But when they could communicate quickly what they find, and the numbers bear this out, they get better, you know, more and more sustained budget because they're communicated in a term that the board understands. It's around business risk, about brand risk. It's about being able to do things, you know, cost efficiencies that will pay it over time. It's a different language than, I've got 12 new, you know, 12 new data breaches that may be happening. I've stopped 16 NotPetyas on the door. Like, that information doesn't communicate to a board, and so those soft skills actually help their day job and actually makes them more successful in getting bigger pieces of the budget or making sure they're sustained, funding, things along those lines that are actually crucial to the CISO's job.
Speaker 1: Yeah, it's an overlooked skill that when I was getting into security, you know, I never even thought about that, right. And then you have that one, right, CISO that, you know, is a little bit more open than most other CISOs because they want to, like, kind of foster that development, which is always very much appreciated, and they start, you know, kind of showing you the soft skills, they show you how to do it and they demand it in the meetings that you're in with them. If you're presenting something, you know, this is how you should be presenting to executives. This is the template that you use. This is, you know, the mentality that you have to have with it. It's something totally different that is not taught, you know, with a technical skillset or anything like that. It's more of, I mean, I view it more as hands-on, right, like I need to put a boardroom to sleep before I know how to entertain one. That's at least my mentality with it. Okay, so you've had a fantastic, you know, career and whatnot. Let's fast forward a little bit to Intel. So Intel, you know, obviously one of the largest companies in the world. I am sure that Intel has its own unique challenges with just merely being that size, you know, with just having the market space even that it has, you know, it seems to be extremely competitive. And, you know, I'll be full disclosure here. I think I've only, I've only bought Intel CPUs, right. I built computers but I don't, like, I don't dive into the nitty gritty of these CPUs. I watch Linus Tech Tips, I see what's going on there and he'll tell me which Intel CPU to buy, right. And I just go buy it like every three to five years and I build my computer. But really the space is so much more competitive than that because you have AMD and they're doing performance potentially in a different way. And Intel is focusing on performance in a different way from that and they're marketing and gearing their products slightly differently,
but it has to cover a broad range of, of spaces. You know, when you got acquired by Intel and you were considering staying on, what were you, what were you thinking through at that time? What were the areas that you were thinking through of if you wanted to stay on and whatnot?
Speaker 2: So you asked a really good question about what was the opportunity, and I have to tell you, like, coming from the software security space, Intel was not the place I thought I was going to end up. You know, it's a hardware company. What do they know about, you know, software security? But then once you got on, you know, behind the curtain, if you will, and you looked at it, one of the things that I thought was interesting, and it's even more so today, is that even though Intel is known for the chips, and where you have chips, you know, when it says Intel inside, we are inside everything from the laptops to the network, to the cloud, to the H5, performance computing and everything in between. There's a lot of software that runs on top of those chips that's developed by or enabled by Intel. Commercial software and open source software that runs on Intel runs best when code that Intel developed is delivered to those companies or into those ecosystems, and so we produce a lot of software, and so when it comes to security capabilities that are in the hardware, we do a lot of that enabling. We actually build a lot of the connectors for securing commercial and open source software running on Intel platforms. So what I found was there was a lot of interesting opportunities to be able to leverage security in a novel way. And I think, you know, looking back on one of the very first projects I worked on at Intel after the acquisition, and I'll give you a comparison. So Sanctum, which was probably one of my most successful startups, we had half of Fortune 5, of the Fortune 1000 companies using our product, which is a big success. That's a key indicator. Half of Fortune 1000 and mid 2000 using your products at scale. The first technology I worked on at Intel went to 40 million PCs. I mean, at the end of the day, it was the impact you can have in a large company.
Now, in any large company there's bureaucracy and process and procedures that you don't typically find in a nimble startup. but the scale and impact, the ability to affect actually the day-to-day lives of the populace or to make businesses successful, that was one of the things that kept me. that's kept me at Intel even to this day the scale and impact you can have by doing the thing you do with that specialty area and where it ends up, because you are supporting millions and millions of PCs, servers, clouds, all running on Intel. I think that you talk about the highly competitive environment. One of the things that makes Intel somewhat unique in the hardware space is that, unlike some of the competitors and I'll pick on, let's say, the GPU market they just do GPUs. They're really good at certain aspects of GPU. They're looking at that kind of workload across every step, from the client to the cloud and everywhere between. Sometimes a GPU, like our max GPUs, is the right answer. Sometimes it's not, and you don't have to force fit it into a GPU to make it work. there You can provide different hardware architectures. maybe an FPGA, maybe an accelerator would be the right choice. When I look at Intel and how we approach the problem, we look at it more holistically and you can look across a heterogeneous architecture of capabilities. From a security person's perspective, there's a lot of opportunity to innovate in a variety of areas. Am I solving a problem of an embedded system that's a skate of control on a factory floor which is its own set of OT problems, or am I looking at something that how do I protect secure transactions at scale for high-speed trading? These are the kinds of questions that you ask when you work at a company in it, because our stuff is in both of those kinds of systems. 
I think one of the things that makes Intel somewhat interesting from even other big players in the market whether you're a cloud provider or an operating system vendor or even OEMs is that, other than, like you said, some of the hardware vendors, we're really not competing with our channel. At the end of the day, when I talk to a customer and I talk about what their problems are, i'm agnostic to what OEM they go with. I'm agnostic to what cloud provider they end up choosing. Some will be more advanced than others, but at the end of the day, they're all running on Intel. My job is not to push one or the other. How can I help you in customer In my case now the federal government how can I make you more efficient? How can I secure your data better with the technologies that are at our disposal through the channel? It provides a much more interesting conversation that I find thinking back to my old days and startups, where I had really good relationships with CIOs and CISOs but at the end of the day, i was still trying to sell my software package. Now I have these kind of relationships with the CISOs and I'm not trying to really sell them anything. I want them to remember that Intel was there, but they're going to buy their stuff from whichever vendor is their vendor of choice. It's a much different kind of conversation, which I find fascinating.
Speaker 1:Wow, that is. I mean. Once again, there's a lot to unpack there. It's also very interesting, i found, when you said that they're not necessarily at least Intel is not necessarily competing with other competitors in the space. They have their own space, they have their own designated purpose that fits millions of devices. As a security professional, i just come from the mentality of I want my work to mean something. I want my work to have an impact on someone. I guess that may sound like I don't know self-serving or something like that, but that's just my mentality. I want it to mean something. That must have been a very eye-opening situation When you created that thing and now, all of a sudden it's in 40 million devices all over the planet, protecting them in different ways, that these people probably never even thought of.
Speaker 2:It is. Again, it goes to what you were talking about. From a cybersecurity professional, whatever area of cybersecurity in, i look at it as sort of two things that drive us as security people. Number one give me a hard challenge. I like to get my teeth into hard challenges, whether it's how to hack a system, how to protect a system from a hack, how to solve a problem. We're all problem solvers. We want to present it with a unique hard challenge that we can go solve. We're problem solvers. The other part is you want your work to matter. You want there to be an outcome, whether that outcome is you've protected a whole industry or, if you're on the offensive side, you discovered the next big hack that everyone's talking about. You got a new item that shows up in the Wasp Top 10. For that. You want to have an impact so that you know the work you're doing matters. I think those two things are some of the key drivers. You look at cybersecurity professionals, whether in IT or in the vendor space, or in academic research or other kinds of areas. It's those two things. Go give me a hard, juicy problem and let me know that it makes a difference to whatever their constituency that I'm targeting. That's what drives a lot of IT people. When you look inside corporate IT, especially in IT security, good CISOs help their organization understand why it matters. A lot of times people, if you're doing firewall administration, it can feel like I see blinking lights every day. I'm updating a rule here. Why does it matter? What I find is really good CIS organizations communicate down, not just up, that same dashboard. They're showing the board about how good they are. This week, the team that actually helped build it number one sees the same dashboard. More importantly, oftentimes they get brought along to the board to see the outcome. When you present here. Here's how many active exploits we blocked today. Here's the team that did it. That's how you connected us. 
Even inside corporate America, where you're trying to, your day job is to keep the systems running and keep the bad guys out. Sure to the folks that it matters to helps them realize the impact. I think that really good CISOs recognize that they need to highlight the teams and communicate in both directions Because, exactly like I said, it needs to matter, because that's what gets us up in the morning.
Speaker 1:Right. I think some of what you discuss, or what we discussed throughout this entire conversation, is thought leadership and how that can really shift an organization, shift your mindset and work for you or against you, I guess. Can we talk a little bit about what thought leadership is and how it can impact and really drive your career in a positive way, because I feel like that is an underrated skill, almost as someone that is not in senior management or anything like that, you're still an individual contributor. How do you get to that next level? How do you get the skill sets? I think a part of that is thought leadership being able to form these revolutionary ideas or even just simple ideas of what to change, how to change it and leading people through it. Can we talk a little bit about that?
Speaker 2:Absolutely. Thought leadership can come in a variety of forms. Looking for opportunities to provide thought leadership Again, some of it's going to depend on the organization. Some of the organizations are okay with people presenting papers at conferences. Others aren't. Depending on where you are and what you're doing, there are lots of different kinds of opportunities for thought leadership. One easy way is most companies have what they call brown bag sessions or training sessions. Trying to speak to be the person who talks about the security topic to Jura, or be the one to say hey, what's this large language model thing everyone's talking about, talking about it even within the organization. Then you become the go-to person that they say they knew what they were talking about. I want to go to them for more information. You're building micro thought leadership in the company. The first step is just going out and doing it, having an opportunity to talk, having something to say. And again, you don't have to be the absolute expert in something to start talking about it. You need to be conversing in it. Your job isn't to be the number one guru on the planet in that particular area. Your job is to help educate the rest of your team or an audience on something they may not be as familiar with A thought leader isn't about being the guru. The thought leader is being an educator. Not really an educator is a thought leader. When you do that, it gives you the opportunity to push the conversation. So let's say you're giving a training or giving a brown bag on a particular topic. It is also the opportunity for you to put out there hey, I have these really interesting ideas about how we use large language models to maybe optimize IT processes. Now that gives you a forum to start to push the boundaries And so finding opportunities to get your message out there. But it starts with A going off and giving the talk and having a message And it takes work.
It's not something that happens by accident, but you'll find there's lots of opportunities to do. I was one of the things that I was doing recently. I was looking for to help some of the company customers understand how the semiconductor process works. I was looking at some of our trainings that we have for our own employees. What I found was interesting is there was one name that kept showing up on a variety of these early sort of one-to-one level trainings, and so I reached out to the guy and I said are you still doing trainings, like, yeah, they bring me out every once in a while to go train whole new developers and partners that are trying to learn about our processes. So, even though his day job is building SOCs or whatever he's doing, he's still the thought leader for how to train people on sort of the manufacturing process, and so he's become the SME just because he has the content out there and you can go to it and you can see it, and so there's a lot of opportunities to do thought leadership If you do work in an environment where they're okay with you publishing papers. Go speak at conferences, join associations and go to their events and then become a speaker. Today there's a lot of organizations you can remember, but some good ones for cybersecurity, like SANS, ISACA, on the audit side of the camp, there's a variety of these organizations. They hold regular conferences. They do call for papers, go off and speak. One of the environments that I think is really fascinating is there's conferences now, like a conference for defense and a couple others, where there's a whole track called like the Practitioner's Track and it's a track of IT professionals for IT professionals, and they're not there to talk. You are not allowed to talk about a hack that you came up with. It's not about the cool hack that you're, it's you're coming in and say here are the best practices that we found worked.
And it could be something like how do I scale identity management to remote workers? Or how did I deploy a secure microservice? What did you do in your environment and help train your peers so everyone gets better at it? And so what is your motivation? sharing That thought leadership is about your day job. It's not you have to come up with some exquisite new idea. It's sharing of best practices and that thought. Those conferences foster that kind of thought leadership. So I guess the answer to your question is get out there and start speaking, find opportunities to get your message out there, record a podcast, put out a paper into an article, speak at conferences, attend conferences and talk to people, and then do it both externally and internally. I mean, I can't stress enough. Internal thought leadership is almost as important, if not more important, than external thought leadership, because external thought leadership, like brand management, is about increasing your brand for you or your company, but internal is how you advance your career, get on the radars of a more diverse set and more senior folks by being the one that they go to for information.
Speaker 1:Yeah, that's a very good point. Something that I recently learned was you don't have to be the world's foremost expert in a topic to discuss it. You really just need to be able to captivate an audience. I always thought that I would have to be I don't know 10 levels above. Where I am, no one's going to listen to me because I'm not coding Intel CPUs, I'm not breaking into their protected memory and whatnot, like I'm not doing those things. And I went to this talk at DEF CON a couple years ago and this guy was talking about how he was reverse engineering Intel CPUs and breaking into the secured memory and stuff, and I mean 95% of what he said just went right over my head. I mean it's like my God. I was more captivated by the way that he was able to engage us in a way that was interesting. It made me wonder what was coming next, what his purpose was behind it and everything like that. And I feel like too often as individuals, we get too much in our head and we think, oh, I'm not ready for that, I'm not smart enough for that, I don't know enough for that, it's going to take me 10 years to get there, when every single time that I have thought that I was wrong Every single time that I thought that I'll tell you what this podcast I sort of started a year before I actually did. I thought about it for a whole year. I tried to plan it all out, kind of think it through in my head. I couldn't think of a logo at all. Actually, there's a reason why my logo changed a year in is because, like, oh okay, that's what I want. There's so many different facets to it, but I was already in the place where I should have been having a podcast. It would have probably propelled my career forward with having that thought leadership space. Because now I get interesting opportunities based on just my ideas, because I'll have an interesting guest like yourself.
Come on and we'll just talk about different aspects and I'll talk about how I think and how you think and how you think through problems and how I do. And that gives these other executives and whatnot the chance to hear about me or kind of inadvertently interview me without interviewing me. And I have the job before I even interview. It's like a side phone call. It's like, hey, do you want this or do you not? Which is something I never thought of. I never thought that that would happen. I never thought that that would come from this podcast. I figured, if I have 10 downloads a month, man, I'm cooking. And then I hit that almost immediately. It just blew me away. It's like, man, I should have been doing this a year ago.
Speaker 2:People are looking for good information. And I think one other thing I've been very stick lab out throughout my career and a lot of good speakers are Like I said, you don't have to be the guru. You stand on the shoulders of others, give credit. So when I quote, when I show a vulnerability or an attack or a defensive measure, I absolutely make sure you quote the people that you're leveraging and that you're using, and so it's about some of it is about making sure you give the proper assertion at the station to those that you are borrowing from or that you're leveraging, but also it's about creating that community. You find that if I'm quoting his work, he's quoting my work and you start to see yours, and again, it helps build that thought leadership. But it's the right way to go about it, because if you've got an idea that's built on other people's ideas, make sure to give them the credit as well, and it builds the whole community. The idea is we're a community, we're building ourselves together.
Speaker 1:Yeah, that's a very good point. You know, whenever I use someone else's work or material, I don't want to be the one that's called out to speak about it, right, and so I always make sure that I call out like, hey, I got all of this from this exact resource, from this person. You know, it's like almost like a research paper citation, right Like at the bottom of my work. It's like this is exactly where I got it. I am not that smart. Do not trust in me to you know, explain this at length, or anything like that. So, Steve, you know we went 48 minutes now and we haven't even talked about your role at Intel. Right, with some of my guests we get into this mode where we just go down these rabbit holes and we forget, you know, what we originally set out to talk about. So can you talk to me a little bit about what it's like to be the CTO of the federal side of the business for Intel? Because I would assume, just working with the federal government myself earlier on in my career, that's probably extremely interesting And it's probably even a it's probably even an interesting set of people that you have to look for just for that kind of job. Because it's not. It's not something for everyone. There's a lot of people out there that think that they're, that they want that life and that they want to be on those those cool sites and those calls and everything like that, but it's totally different than what you would think.
Speaker 2:So it's an interesting conversation around what it, what it might. My job is And I would say it really falls into three camps. A large amount of my job is working with those government customers to help them understand both today's technology, future technology and how it fits into their mission or enterprise needs. How can we help them solve their problems with technology available today. So you know, speaking government speak about the government's mission from an architectural technology perspective. The other half of my role is turning around the other direction and being able to translate government speak back into Intel speak so that our developers and business units can build the features and capabilities that the government's going to need to meet their mission. Enterprise And the two way communicator is where a large majority of my job is and being and helping to apply both directions. And then the third part is the being able to do interesting, interesting innovations And so driving. You know, sometimes you define here's the problem the technology isn't there today. We may get it in five years when the next chip comes out. But what innovations can we do today? What can we solve or what can we apply from what's currently available and advance the art today and do innovative projects, innovative technology to meet mission need, and so that's. I think that's the three aspects of my job that you know, and it's really what makes it interesting. Exciting is that you're talking to. You know a variety of different topic areas. You can be talking IoT, HPC. The government itself is a really interesting vertical in its own right, unlike you know financial services, which have a common set of, you know, enterprise applications and missions and capabilities across the financial services, such as cash management. You know certain kind of logging, certain kind of transaction processing. Healthcare has got its own.
What you find in the vertical is it's a macrocosm of all of them. You want to talk financial services. You know CMS, Medicaid, Medicare and IRS do billions of dollars of transactions. We want to talk healthcare. The VA is the world's largest health insurer and health provider. We're going to talk logistics. DLA, Defense Logistics Agency, you know, gets things where they need to be on a global scale. So they have, you know, a representative of almost every vertical within the federal government, and so it really affords you to see the broader industry in the, in the, in the boundary of the government, of the government agencies, and the other thing is the government has the scale that many of these others don't. So the sheer volume of data that's number of systems, the number of people in you know, in the case of the VA, how many veterans are being serviced by the VA? You know, something like 16 million people. That's the scale and scope presents really interesting challenges of how do you take a technology and scale it and make it stable and operationalize it and get the efficiencies and tuning you need, secure it, because it is, you know, the adversaries are absolutely after the federal government, and so it's those kind of big problems that you get in the government and the variety and diversity of those problems that makes it exciting as a market to focus on. And what you do then is and this is really the reason for Intel federal existing is taking commercial capabilities and federalizing them for the government. So taking what's done in commercial let's say 80% and making it work for government that 20% needed for government but also looking at government use cases, building things there that then can be commercialized to the broader industry. If we solve it for the US government, well, it will work for everyone else, and so that is. I think that's what we know.
The reason why that's it's an interesting place to be at Intel is because we are servicing both of those sides of the camp.
Speaker 1:Hmm, yeah, something you mentioned was being a two-way communicator, being able to translate the customer's needs into you know what the company needs to do to address them. And I encountered this very early on in my career when I when I led federal contracts and you know government contracts that we had, because you know, I was basically the only one at the company authorized to speak to these people just on the phone You know, let's throw out in person, just on the phone, I was the only one authorized to speak to them. How I got approval, I have no clues, 23 year old kid, you know, fresh out of college, and I'm the one at this company that has approval. And I found out there was a lot of friction, you know there was a friction between what the what our customer wanted and what our company thought that they wanted or needed. And so then there was a. There was a, I guess, a dispersed effort in creating things that they thought that basically the developers and my executives at the company thought that the federal government wanted and would need versus what the federal government actually wanted. And I would have to translate you know these needs into real world examples of saying like Hey, this situation happened on this base And because this other system failed them, they didn't know where this emergency was happening. They had no clue of where it was happening, and so now they have to clear, you know, a thousand acres of land to actually ensure that the threat is eliminated and the base is secure. And once you know, once you kind of find out or figure out that that's a part of it that's probably 50% of what I have to do The world becomes a lot easier. But now it's even more difficult because now the customer, the federal government, you know, is expecting, they're expecting that higher level of service. They're no longer expecting the friction and I'm absorbing all the friction And it's.
It's an interesting world, for sure, because they have they have some of the most unique use cases for technology that I've ever seen. I mean, I, I went to one facility and I had four, four buildings. They were all connected before very distinct structures, and so I was like, okay, it's just normal, normal building. You know, they got a lot of people working here, obviously. So I go in and maybe the third time that I'm there it's finally discussed like why there's different sections of the building and why I'm locked down to one section. And they said it's because they purchase entirely separate tech stacks per environments of the building and they physically separate it in the building And then they also, you know, logically separated technology wise. And so if Cisco ends up having a you know critical vulnerability, they just shut off that whole side of the building. They shut it off and they're like okay, go home, like, do something else until we patch this. And then they, they fire up the whole other side of the building and they just kind of switch over that traffic to these other systems. And I'm that completely blew my mind. It still has me thinking right even to this day, because it's just like where else would you ever see that? You would never see that anywhere else. It's so unique.
Speaker 2:Exactly, and so they do have unique use cases. But then when you think about it, when you look, they're sometimes a vanguard for what you find out in the in the commercial space. So something like that sounds really weird. Today you know in one model, but then you start thinking about, you know IT/OT, separation of having operational environments, that's SCADA controls separated from IT controls and having that diversity. Well, now something that starts to make sense in those kind of unique environments. You can see that oftentimes the government it may be a crazy reason, they did it, but what you did there will have that ability in other places.
Speaker 1:Yeah, absolutely. Well, Steve, you know we're coming up to the end of our time here, unfortunately, and I mean I'll just have to have you back on Like I had such a good conversation. But before I let you go, how about you tell my audience you know where they could find you and potentially you know if there's a separate Intel federal website or something that they could go to to learn more?
Speaker 2:Absolutely, And thank you for having me today, Joe. Best place to reach me is on LinkedIn. It's S O R R I N. So LinkedIn.com slash, you know, Sorrin. And then if you want to learn more about Intel in the public sector, Intel.com slash public sector, or Intel.com slash federal will get you there.
Speaker 1:Awesome. Well, thanks, Steve. I really do appreciate you coming on and I hope everyone listening enjoyed this episode.