B (14:22)

Foreign.

A (14:29)

If securing your network feels harder than it should be, you're not imagining it. Modern businesses need strong protection, but they don't always have the time, staff or patience for complex setups. That's where NORD Layer comes in. Nordlayer is a toggle ready network security platform built for businesses. It brings VPN access control and threat protection together in one place. No hardware, no complicated configuration. You can deploy it in minutes and be up and running in less than 10. It's built on zero trust principles so only the right people can get access to the right resources. It works across all major platforms scales easily as your teams grow and integrates with what you already use. And now Nordlayer goes even further through its partnership with CrowdStrike. Combining NordLayer's network security with Falcon Endpoint protection for small and mid sized businesses. Enterprise grade security made manageable Try Nordlayer risk free and get up to 22% off yearly plans plus an extra 10% with the code CYBERWIRE10. Visit nordlayer.com cyberwire daily to learn more. Tony Scott is CEO of A company called Intrusion and also a former federal cio. On the most recent episode of Caveat, my co host Ben Yellen sat down with Tony Scott to discuss evolving regulation and the realities behind critical policy shifts.

C (16:12)

So before we get into some of the content, we're going to be talking about the double edged sword of regulation. I just wanted to learn a little more about your background. You've been in some incredibly influential organizations. You worked in the federal government under President Obama. Can you just talk about if there are common threads that have guided your approach to security technology across these kind of different spheres?

B (16:37)

Yeah, well, as you mentioned, I've had some pretty fun and cool roles. I was the federal CIO for the last two years of the Obama administration, and before that I held CIO roles at VMware and Microsoft, at the Walt Disney Company, I was CTO at General Motors, ran infrastructure for Bristol Myers Squibb, and before that a bunch of jobs in various, you know, large corporations. I did two startups, started my career at Sun Microsystems. And the common thread among all of those roles is I noticed even early on that cybersecurity was playing a larger and larger role in everything I was doing. There were more and more incidents occurring, and it just has been sort of the common thread in Throughline for all of the roles that I've ever had. Two or three weeks after I started the federal CIO job and I was still kind of learning where the bathroom was, we had the breach of the OPM systems, which was the Office of Personnel Management, and 21 million identities were compromised. And, you know, that was probably the, the worst of the things that occurred, you know, while I was in a role. But the roots of that stemmed back several years. So while I got, you know, a lot of credit for sort of, you know, the actions we took after the incident had happened, the real preventative things could have and should have been done years and years earlier.

C (18:37)

Do you see a difference in the private and public sectors in terms of the pace of your ability to create change? Is that something that has frustrated you only in the, in the public sector, or do you think that that's something that exists in the private sector as well?

B (18:55)

Well, I think it exists across the board. And it's true. Whether it's cybersecurity or any other initiative that is important, if it has strong leadership and the commitment of leadership and the right amount of resourcing, you can get it done. If it's just, you know, sort of hand waving that, you know, oh yeah, we're, we're doing this, but there's no real leadership or, you know, resourcing, then it's not going to get done. In the case of the federal government, the law and regulation that was requiring two factor authentication had been passed 10 years earlier.

C (19:40)

Wow.

B (19:41)

And by the time the OPM breach occurred, there's only around 50% adoption across the federal government. And it was clearly a case where good idea, solid idea, but in most cases, the leadership, the funding and the resources to really get it done hadn't been prioritized. And then after the OPM breach, everybody got religion real quick. We launched the cyber security sprint and within, you know, six to eight weeks, we went from 50% adoption to mid 90% adoption of two factors. So, you know, it tells you that it can be done, but clearly there hadn't been the focus on it that there needed to be.

C (20:36)

And that gets at something. I mean, people focus on cybersecurity after the high profile breaches. I've never heard more discussion of the need to protect local governments, for example, than when I was living in Baltimore and they suffered a terrible ransomware attack. So is there something that policymakers can do in the interim between these high profile breaches to kind of raise the salience so that you can institute these policy reforms before the storm hits?

B (21:05)

I think there's a couple of things that you can do. One is continuous monitoring and testing of your core infrastructure. That is the bedrock of all cybersecurity. People who just do an occasional pen test are kind of missing the boat. I think it's like taking a picture of your house on a sunny day. You know, that doesn't tell you much about, you know, whether the roof is good during a heavy rainstorm or, you know, other things that might be wrong with the house. And so I'm a firm believer in sort of continuous testing. The second recommendation is, and this is a question all boards and leaders should ask of their IT organization is, you know, how modern is our core infrastructure? You know, and are we replacing and upgrading regularly? A lot of the issues that I've encountered in, in my career are due to just old aging infrastructure that wasn't suitable for the, the mission that the organization was now undertaking. And to me that's just a cardinal sin. So to me that's number two on my list for sure.

C (22:34)

Just looking at the federal landscape now, does what's happened in the last year, the difficulty in renewing CISA 2015, some of the staff reductions at CISA, the agency, are those concerning? And have you started to see Real world impacts of that in the work that you're doing, or is that not something that's really shown up yet?

B (22:58)

I don't think it's shown up yet, but I guarantee you it will. And I lament a lot of those cutbacks and drain on resources. There's a view, and I've seen this over and over and over again, that, you know, we want smaller government, we want fewer government employees, you know, all of that sort of thinking. And it's admirable in its intent. Right. Which is to save money and, you know, reduce costs and reduce taxes and all of that. But the alternative is to do those functions. We then outsource to, you know, a commercial business or a private sector business and so on, which, again, could be fine. But over time, what that does is erode the expertise that we have in the actual federal government and we turn government employees into just procurement specialists, you know, contract administrators and so on. I saw this when I was at gm. We had outsourced to eds, turned all of it over to eds, and so the internal IT organization at GM was a handful of people at one point that lacked the technical expertise to sort of lay out a strategy for the. For the Future. And in 1996, GM abandoned that approach, made EDS an independent company, and then started bringing back into the organization, you know, a real cio, people with the right technical expertise and so on. And I joined in, like, 99 after this repatriation, if you will. So by bringing these capabilities back in house, saved a ton of money, but probably more importantly, developed a much better strategy for it, for the company.

C (25:21)

And I know that political winds can shift, but is this something in 2029, for example, that you can try to recreate and rebuild that institutional expertise, the people who actually know the technology? Or is. Is that something that can't really be rebuilt once it's been?

B (25:40)

No, I think it can be. And I think GM is a classic example of that. Where there's a will, there's a way. I think the good news about my experience in it, and this was true in the Obama administration, and it was true in the first Trump administration and also in the Biden administration, that it was not looked at as a political football, generally speaking, you know, good. It doesn't wear a D or an R or any of those other, you.

C (26:14)

Know, symbols, those vaunted letters. Yep.

B (26:18)

Yeah. And it can be practiced well by people of. Of either party. So I hope that continues.

A (26:28)

Yeah.

C (26:28)

So to close out, I just kind of wanted to take advantage of the fact that you offer a lot of wisdom based on your experience going back decades and the kind of breadth of your experience. So a couple of questions along those ends. You've worked in pretty intense scenarios. Obviously, OPM is kind of the one that's top of mind for me. What did that teach you about your own style of leadership and how leaders in the cyber field can and should react in those situations?

B (27:03)

You don't have the three weeks. I could tell you about all the lessons learned there, but a couple of them stick out to me, which is don't waste a good crisis. Number one, OPM was big. It was huge. It, you know, was terrible that it happened and so on. But we could have just said, oh well, that was opm. Everything else is fine. You know, we should just try to fix OPM and stop there. But I realized once we did the survey of all the federal agencies and discovered that there had only been 50% adoption, I went this is a big, terrible problem that we've got to go figure out how to address and which ultimately we did. So and I've used that in other roles. Whenever there's a crisis of some kind, you know, recognize it, get after it, and don't let it fester. Those are, you know, sort of the top level learnings that I've had over and over and over again. It's not a one and done sort of thing. When we turned over the administration, my successor was really good about following up and making sure that we didn't slip back to, you know, a bad, a bad state. And it became, you know, a continuous focus of the Federal CIO office to make sure that we were maintaining at least where we had, where we had gotten to. And there were a number of other ongoing improvements that were undertaken. So to me, those are the big takeaways from, from that experience.

A (29:05)

Our thanks to Tony Scott from Intrusion for joining us. You can check out the complete version of our conversation on the Caveat podcast. Wherever you get your favorite shows, The world moves fast. Your workday even faster. Pitching products, drafting reports, analyzing data. Microsoft 365 Code Copilot is your AI assistant for work built into Word, Excel, PowerPoint, and other Microsoft 365 apps you use, helping you quickly write, analyze, create, and summarize so you can cut through clutter and clear a path to your best work. Learn more@Microsoft.com M365 Copilot this episode is brought to you by Indeed.

C (30:00)

Stop waiting around for the perfect candidate. Instead, use Indeed sponsored jobs to find the right people with the right skills fast.

A (30:07)

It's a simple way to make sure.

C (30:09)

Your listing is the first candidate. C According to Indeed data, sponsored jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

A (30:29)

And finally, according to a new report from cellebrite, smartphones have become the star witness in modern policing talkative, portable and almost impossible to ignore. Based on interviews with 1200 officers in 63 countries, Cellebrite's 2026 Industry Trends Report finds that 95% now see digital evidence as essential to solving cases, and 97% say the public expects it. Nearly every respondent pointed to smartphones as the top source of evidence, though the devices often arrive locked, uncooperative and fond of complicating investigators. Weekends officers report juggling multiple devices per case, growing data volumes, and the joy of explaining technical findings to non technical audiences. While many see artificial intelligence as a potential time saver, policy barriers and trust issues loom large. As UK Police Commissioner Matt Scott notes, public consent matters, especially after high profile data mishaps by police forces have left confidence in law enforcement technology on rather thin I. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittman. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning, and real innovation. I'll say this plainly. I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco.