Cyber at the Top: The Need for Speed: How High-Performance Computing Is Reshaping Cybersecurity - RSAC

Summary7 min read

Podcast Summary
RSAC – Cyber at the Top
Episode: The Need for Speed: How High-Performance Computing Is Reshaping Cybersecurity
Host: Hugh Thompson
Guest: Dr. Phyllis Schneck, VP & CISO, Northrop Grumman
Date: April 16, 2026

Overview

This episode of “Cyber at the Top” explores how high-performance computing (HPC) and artificial intelligence (AI) are redefining the cybersecurity landscape. Host Hugh Thompson talks with Dr. Phyllis Schneck, Chief Information Security Officer at Northrop Grumman, about the impact of increasing compute power on defensive and adversarial tactics, risk management, infrastructure design, and the importance of speed in detection and response. Dr. Schneck shares real-world insights from her role, highlights the evolving arms race between defenders and attackers, and offers grounded advice for CISOs and technology leaders preparing for the near future.

Key Discussion Points & Insights

1. Dr. Phyllis Schneck’s Role and Mission at Northrop Grumman

Dr. Schneck leads the security and defense of Northrop Grumman’s electronic assets, which includes safeguarding systems that support mission-critical operations, especially those essential to national security. (01:54)
“It’s protecting that mission and protecting the cyber parts and the technology parts... that enable the great mission for Northrop and our technology.” — Dr. Phyllis Schneck (02:10)

2. The Transformative Impact of High-Speed Computing on Cybersecurity

Three Core Areas of Change (03:06):

Speed & Decision-Making
- Increased compute power enables faster, more effective pattern recognition and risk mitigation.
- However, "the faster we move, the faster and more clever we have to think about what our protections are so that they're enablers and they don't get in the way." (03:38)
AI Acceleration
- Fast computing powers AI and also empowers adversaries. Automation makes exploit creation and detection “shockingly” faster and lowers technical barriers.
- “The adversary... they are manufacturing zero days like they're jelly beans right now.” — Dr. Schneck (04:29)
Lower Barrier to Compromise
- With sophisticated tools, attackers can succeed with less effort—sometimes just with the right prompt or social engineering—while defenders must use HPC and AI for both proactive and reactive security.
- “You use high performance computing to protect high performance computing. You use AI to protect AI…” (05:51)

Memorable Analogy:
Comparing the evolution of cybersecurity to the history of vacuuming — from manual and disliked chores to automation, freeing people for higher-value work. "Kind of like the Roomba, most people don't like to vacuum... if you take a task that most people don't want to do and automate it... you get a balance." (06:44)

3. Speed, Analytics, and Cyber Incident Response

Speed = Lives Saved
Dr. Schneck draws a parallel between weather forecasting and cybersecurity, demonstrating how real-time analytics can surface hidden patterns and indicators of attack, enabling earlier preparation. (08:04)
New Challenges for Response
The paradigm shift includes needing methods for rapid restoration after incidents like poisoned machine learning models, and understanding downstream business impacts. (09:46)
“It's going to reframe how we have to look at electronic incident response.” (10:23)

4. Innovation: Vendors vs. Startups, Community Effort

Most innovation comes from both large vendors and startups—both are crucial.
The challenges facing vendors are immense; they must continuously patch, innovate, and respond to highly resourced adversaries (11:14).
“Highly paid, very smart individuals have all the resources in the world to poke one hole in you.” (12:32)
Dr. Schneck highlights the need for collective, proactive effort: “What is AI going to demand of us next and be part of shaping those requirements.” (12:57)

5. The Adversary’s Upside — Zero Days and Automation

Zero day exploits are being discovered and deployed more rapidly, likely with automated tools.
"Now... it's kind of like potato chips. There's always another one in there." (14:09)
Automation is making the generation and use of exploits much cheaper and less risky for attackers. (14:35)

6. Speed as the Difference Maker: Historical and Modern Examples

Early internet worms like Code Red were much harder to contain due to lack of compute and data visibility. Today, high-performance computers assist in rapid log analysis, simulation, and risk assessment to make timely decisions. (15:18)
Speed is not just processers—it’s also organizational agility and practiced, prepared response (16:12).

7. Infrastructure for Secure, High-Performance Environments

Design must be forward-looking: redundancy, traffic management, cloud vs. on-prem, remote work needs, adequate bandwidth, power, and cooling.
Common Missteps:
- Relying on outdated infrastructure for too long (“if it’s still running, why fix it?”).
- Failing to upgrade communication speeds in tandem with computation speed, causing bottlenecks. (22:00)
“Your infrastructure includes cooling, it includes power for that cooling... a very specific and sophisticated expertise that we're only just beginning to develop.” (21:38)

8. Nuances & Risks of Automation

Automation amplifies error propagation: a minor mistake can escalate quickly in high-speed environments.
Not all risks are adversary-driven: “Not every risk with high performance computing is caused by an intentional adversary. Some of it is escalated because we're running so fast and it's a mistake.” (26:46)
Outsourcing can be viable for small companies; large organizations must balance in-house and external resources, always considering disaster recovery and proximity (distance-induced latency). (25:41)

9. Balancing User Experience with Security

Security solutions must be as or more user-friendly than the alternatives; otherwise, users will bypass them.
Transitioning from passwords to PINs or touch-based authentication is possible now due to advancements in hardware cryptography (28:54).
- “That processor in your iPhone is calculating a key that's far longer than your any password and it's far better protection.” (30:17)
"If someone doesn't like something, they're not going to use it... we can't expect our employees to have to climb over an infrastructure to get their work done." (29:10)
Painful user experiences drive unsafe workarounds: “If you open up that laptop and it takes 20 minutes to light up for you, you’re going to go to your phone.” (32:08)

10. Final Advice for CISOs and Technology Leaders

Focus first on your mission and what you’re truly protecting—before worrying about specific regulations or vendors.
Purpose-driven leadership, tied to the organization’s tangible impact, provides motivation and context (33:26).
“Think about why you're here and your purpose in that role... Everyone had such an expertise on their small part of this big beautiful bird that to me gave me as a human being, not just a CISO, a lot of purpose.” (33:34)

Notable Quotes (By Timestamp)

"Computers are not smart, they're super fast... more math, more calculations, better decisions, more pattern recognition—but also, more attack surface." — Dr. Schneck (03:19)
“The adversary... are manufacturing zero days like jelly beans right now.” — Dr. Schneck (04:29)
“Automation is like the Roomba… most people don’t like to vacuum.” — Dr. Schneck (06:44)
“Speed isn’t just a stack of processors, it’s also how we practice and how we exercise.” — Dr. Schneck (16:10)
“If you tell people no, their creativity is unfathomable... so if we can avoid spurring that in the user base, that would be a massive breakthrough.” — Hugh Thompson (32:47)
“Success in cybersecurity is putting yourself out of a job.” — Dr. Schneck (21:13)

Timestamps for Important Segments

01:54 — Dr. Schneck’s role and mission
03:06 — Three areas high speed computing changes cybersecurity
04:29 — AI and the adversary’s accelerated capabilities
08:04 — Analogy: weather forecasting and predictive incident analytics
11:14 — Where innovation is coming from in the vendor ecosystem
14:09 — The new era of zero day exploits (“like potato chips”)
15:18 — How speed made the difference in real incidents
18:53 — Foundations of secure, high-performance infrastructure
22:00 — Common infrastructure missteps and the importance of upgrades
25:41 — Automation: opportunities, risks, and advice
28:54 — Balancing user delight and security with high performance computing
33:26 — Dr. Schneck’s closing advice for CISOs

Tone and Language

The conversation is energetic and collaborative, blending technical depth with real-world analogies. Both speakers emphasize community, resilience, and balanced optimism. Dr. Schneck is pragmatic and insightful, using humor (“ministry of no,” “Roomba analogy”) to make complex ideas accessible. The dialogue is focused on empowering security leaders to act with both urgency and thoughtfulness.

For Listeners New to the Episode

This episode will give you a nuanced, practical perspective on how high-performance computing and AI are setting a new pace for both attackers and defenders in cybersecurity. You’ll gain actionable insight into building robust infrastructure, the necessity of user-friendly security, and staying ahead in a technology-driven arms race. Dr. Schneck’s expertise, paired with Hugh Thompson’s thoughtful questions, make this a must-listen for technology and security leaders navigating a rapidly accelerating threat landscape.

Loading summary

Transcript36 lines

[00:03]
A
Welcome to cyberatthettop, a podcast from RSAC that unpacks real experiences, lessons learned and practical strategies from CISOs at some of the world's leading organizations.
[00:20]
B
Hello, everybody, and welcome to this edition of Cyber at the Top. Thanks for listening in. I'm your host, Hugh Thompson, Executive Chairman of rsac. Speed is becoming one of the most decisive factors in cybersecurity as high performance computing and AI reshape both how organizations defend themselves and how hackers operate. In this episode, I am absolutely thrilled to be joined by the incredible Dr. Phyllis Schneck, Vice President and Chief Information Security Officer at Northrop Grumman, to explore how high performance computing is reshaping cybersecurity from real time detection and response to the infrastructure and discipline required to make speed an advantage. We'll discuss how increased compute power is changing incident response, accelerating automation, and raising the bar for defenders preparing for the next wave of threats. Let's get into the discussion. Phyllis, thanks for being here.
[01:29]
A
Thank you. It is so great to get to talk with you and thank you so much for this opportunity and to participate with rsac. It's exciting.
[01:37]
B
Oh my gosh, it is always great talking with you and I love this topic. I love this topic. Before we get into it though, just for context, can you start by telling our listeners just a little bit about your role and your mission at Northrop Grumman?
[01:55]
A
So, thank you. So I am the Chief Information Security Officer for Northrop Grumman and that means I lead the team that's charged with the protection and defense of our electronic assets. And what that means for Northrop Grumman is protecting a company that helps make things safe for the warfighter, for our products, and is one of the top technology companies in the world. So when you think about what worries us day to day, it's protecting that mission and protecting the cyber parts and the technology parts. But first and foremost, that enable the great mission for Northrop and our technology.
[02:37]
B
That is awesome. Northrop is so lucky to have you. I'll say that from knowing you for years and knowing the incredible things that Northrop does to defend this nation and many nations. And so let me ask, ask you about high speed computing. So it's, it's changing so many industries. What does it mean, though, specifically for cyber security? How do you think it's going to change the landscape over the next three to five years?
[03:07]
A
So if I back up a little bit in the context of Northrop Grumman and we talk about the things that we build, leading the world in Military and space exploration. The need to act at space speed in our manufacturing, in our thinking, in our design, in our process, in our user experience. The cybersecurity that goes into that is about protecting that business and that experience and enabling new technology to really be a part of our world and our culture and to do it safely. And the way that I see high speed computing changing that for our industry or any industry, is I'll put it into three areas. One is if you can have more compute power, you can make decisions faster. Computers are not smart, they're super fast. So what you have to think about is I get more math, I get more calculations, I get potentially better decisions, I get more pattern recognition. But in the end I also get more attack situation, surface or decision space. I have to really think about as risk mitigation. And so the faster we move, the faster and more clever we have to think about what our protections are so that they're enablers and they don't get in the way. I'd say 20 years ago, we really got in the way as cyber. In many ways we had a good time doing it, we blocked everything. But I think now it really is about in the past 10 years, it's about risk mitigation and about enabling that business. So one way high performance computing can affect cyber is just the speed. The second part is fast computing is what's enabling artificial intelligence. So the driver and the main innovation behind artificial intelligence is in two parts. It's in math and it's in the computing that enables that math. And there's the adversary that can also leverage that. So they are manufacturing zero days like they're jelly beans right now. And it's much easier, right? If you can write a high school essay with this, you can also think about, extrapolate how you'd use it to also put probabilistic content together to create code that can find an exploit. So you've lowered the bar as far as an exploit and a sophisticated one even in the world's best code that could potentially grab the next instruction to be fetched, which is when, when you execute your will on somebody else is when you own them. And I think the third piece on the hard part is it lowers the bar to compromise. So even if you're not able to go ahead and be the next instruction on my set or find a spot in memory where I now control you, if I can engineer a prompt the right way, I'm in because I'm still controlling what you're doing or what you're Manufacturing, or what I'm asking for, or what I can look for, I'm still doing something on your network. I just didn't work as hard. But the flip side is this technology is fantastic. And so part of protecting it is you use high performance computing to protect high performance computing. You use AI to protect AI in many cases. So we can use, as we all have for many years, very high speed analytics in our threat analytics at our cybersecurity operations center, as we always have. You can also use it to proactively find other exploits and seal them. And we can use agentic AI to automate a lot of processes that frankly, we don't always want to do. Kind of like the Roomba, most people don't like to vacuum. I say most because I got called out once. I know somebody now that loves to vacuum. But if you take a task that most people don't want to do and automate it so that you could put your bigger brains onto things that matter more and check that automated work, you get a balance. So high performance computing is enabling AI, it's enabling the adversary, it's enabling our ability to protect the adversary. But again, it's enabling our business. And that's why we're here.
[07:08]
B
I love it. And I just for the record, so you know, have two people, I actually find that can be very therapeutic. Remember, I just don't, I just don't get that same level of satisfaction that I've completed a row or so. I, I, but, but I get the analogy.
[07:26]
A
My family welcomes you to vacuum.
[07:29]
B
Thanks. Okay, thanks. I'll remember that when I come over. So, but let me dig into maybe some specifics of what you said. If you think about this, then arms race, the good guys are getting faster, the bad guys are getting faster. AI is enabling both. How do you think about high speed computing accelerating AI, specifically automating actions, for example, within cyber operations? Just give us a window into how you're thinking about that.
[08:05]
A
It's a great question. I think with all this compute power, the world runs on data. That's our fuel. And the more we can do with that data to not just find patterns, but tie things together that we never had the resources to do before. And I mean the speed, it's a little bit like 10 or 15 years ago, I studied high speed weather forecasting and you look a lot at tornado modeling because not everything is random. And if there's a chance you can see rotation or certain parameters that are lining up in a harmful way, even minutes sooner, you save lives. And so there a lot of work went into the same kind of philosophy, and it still is. There's a lot of applications scientifically here. You can apply that to cybersecurity. Are there events all over the world that are 1, 2, 3, 7 events that might tie together to a greater pattern later? In the old days, denial of service attack, distributed denial of service attacks showed themselves with first a little test bump in the traffic and then the big delivery, because the adversaries of that attack wanted to make sure their infrastructure worked and those that were able to detect that sooner were able to prepare. So a lot like weather forecasting, this speed will give us analytics that gives us hints we never knew we could find before. I firmly believe that on the flip side, we have to be ready for a different kind of cyber incident response, not just faster, but when you look at a poisoned large language model, how do you get to last known good very quickly? It's different than in a cyber event or where data is destroyed because you have a backup in AI, you have backups in these models, but you have to be very meticulous about how those are taken and kept and when something was disrupted, because all the activities and all the data and decisioning that was based on that model could be offset once it's compromised. So your job is not only to refresh the data with something that isn't compromised, but to understand, my goodness, what happened as a result of the decisions that were made, also at speed. And so it's going to reframe how we have to look at electronic incident response.
[10:31]
B
I love your analogy of weather, because in my mind it's just so chaotic and there's signal, there's noise. You're trying to just deal with so many parameters at once. And I'm curious, how do you feel that the security industry, like the vendors, for example, are responding to this? Are you seeing innovation happening some of the very large vendors? Or is a lot of the innovation coming from startups that are coming into the ecosystem? Given just rapid adoption of AI, how do you feel about the pace of innovation coming from the community to be able to respond to this?
[11:15]
A
It's a great question. And remembering we were vendors, I was a vendor, I was a. Your competitor. Went way back when. That's right.
[11:22]
B
But it's the CTO of ad tech. Yeah, I remember.
[11:25]
A
It's a different view, I think as the consumer from a large vendor, we expect so much. And I always try to, whenever I'm in these positions to say this stuff works. 90 something, 99% of the time you can be on your phone in an Uber and walk into an airport still on the phone, only dropping it for security, be back on your iPad before you get on the plane. And stuff just works. And we don't stop enough to say, I appreciate that because that is a success. And I always say that before I say this. I think it's very difficult right now to be a security vendor or an infrastructure vendor because highly paid, very smart individuals have all the resources in the world to poke one hole in you. And then we complain, but the reason that we complain is because we want to keep our business up. And so I do think, and I have seen a lot of innovation, I can speak mostly to the IT infrastructure and cybersecurity parts of the large vendors, but a lot of attention to critical infrastructure, a lot of attention to cybersecurity, a lot of attention from large vendors saying, hey, these are the problems that we are facing, let's work this together. These are the challenges we have. And I do see a lot of innovation there, especially from the speed perspective. I think we as a community have to think about what is AI going to demand of us next and be part of shaping those requirements. I'm very careful, I don't like to, and I know you don't either. We're not the ones that are out there complaining that somebody got compromised their victims. I do think though, this is an effort of community going forward to get our head around what high speed computing will do before the adversary does that for us. And I think that's a we do that together.
[13:21]
B
It's such a great framing and you know, this community really has stepped up in the past for big challenges and come together. And it's interesting to think about it from the adversary side too. How are you seeing this reshape how the adversary is thinking about attack or you talked about the rapid pace of discovering of zero days, for example. How is this access to this kind of computing through the cloud or elsewhere changing the behavior of the adversaries or how might it change it?
[13:59]
A
So I'm not an adversary, so I won't pretend to know.
[14:02]
B
Okay, that's good. That's very good.
[14:04]
A
So one large thing I've noticed and I think my peers are seeing this together with me more zero days. And in a prior life there was a phrase called burning a zero day and what it meant was, you know, this, this exploit has value. So are you going to quote, waste it on something where you won't learn much or are you really going to Use that cyber weapon on something where you can either cause a large effect or gain a lot of knowledge. And now I see it. It's not just burning a zero day, it's kind of like potato chips. There's always another one in there and they're using a lot, they're much more frequent and they're at a similar level of sophistication. And my. I surmise that there's some automation in designing and finding those exploits.
[14:54]
B
It's a different, different world. It's just a different way of thinking about things. And I wonder, you know, these things often come so real with examples. Can you share an example where you feel like speed was the difference between containment and escalation of some incident?
[15:18]
A
It's speed of how quickly we can act as a community. It's speed of how I would think back to put it in sort of the eras tour here. If you think back to the time of Code Red, we didn't have the kind of computing visibility. We didn't have the kind of logs. We basically chased that thing by where it showed up next and it was crazy. Had we had the visibility we have today and the speed of compute that gives you the ability to go through logs, the storage capacity that lets you have all those logs, we would have nailed that. Right. If you go forward to where there was a series of large ransomware events. Right. Even then we didn't have all the procedures in place. And by the way, speed isn't just a stack of processors. It's also how we practice and how we exercise. We do a lot, as you know, in the community, tabletop exercises with partners, with colleagues. Our speed is how quickly we react to mitigate risk and how we're no longer afraid as a community to say that's an incident and not wait four hours to try to convince ourselves it's not an incident and to really move out. I think that's. That's people speed and that's our reaction to technology speed. And I think that's key and just go forward now to modern day when we think about a lot of understanding of what we bring on a network. For me, I'm all about prevention and detection and engaging methodology where success for us is mitigating a risk. It's not preventing everything because I know how to do that. I'll unplug the network and people won't be so happy or productive. Right. But if you're hardest part, I think of what we do view every day is helping people have a good user experience and build the amazing products that they build and not getting in the way, but understanding what the risks are and accepting them. And speed helps us understand what those risks are. We can run calculations, we can do simulation, we can understand even cost perspective. How much are we investing in protecting something and using it versus not using it? And what is the difference in the business? And so for me, it's what is the effect my team and I can have to help this amazing business at Northrop Grumman? And a lot of that is assessing risk and saying this as a company we're willing to do for the good of our work, and this we will not. But those calculations are the difference that speed's making every day.
[17:55]
B
That's such a great way to frame it. And I can see what you're saying. If we're more agile with our speed and we're able to take all these factors into account, we could possibly adjust the things that a human might have to do or, you know, even lessen some security controls in some circumstances. If you feel absolutely confident about it after these calculations. And I'm wondering, you know, I'm imagining somebody listening to this podcast. They're thinking about their own 1 year, 2 year, 3 year plans for defense. How should they be thinking about the kind of infrastructure they need to build behind it? Like what, what is a secure high performance environment need at its foundation?
[18:53]
A
So that, that's core for me. It means looking out, as you said, a few years and looking deep. It's not just the vendors you use, it's, it's how are you structured? Do you have some redundancy? So how your data flows? Are you running on data centers that are physically located? Are you running on with you, Are you running on someone else's data center? How much is in cloud? How much, for example, are you able to support with remote work? We had this interesting snow event here on the east coast in most of the country and infrastructure didn't flinch. But that's because people designed it not to flinch. And that was thoughtful. And it's balancing where your traffic is flowing and where the demand is and follow the sun to make sure that work goes on. And not just typing, but video. Video is computationally expensive. Making sure, you know, we don't look, as a friend of mine calls digital on the really enabling business. So good design number one. I'm a former coder and they always used to yell at us requirements definition first. I think two is not falling into that trap. And we all love this trap. It's very exciting and enticing of hey, it's still running. Why fix it? I had a 20 something year old car in grad school. I kept my next car to almost the same age. And I'm also the proud owner of a 2006 Mustang still. So I don't always replace my automotive infrastructure, but I do believe in replacing your IT infrastructure. And it's very tempting to keep it because it still works. But if you are keeping things that are obsolete and we all have a cycle, no one is perfect. And we're all on this journey together. What I think we're learning as a community is it's very hard for those large vendors to keep the older models updated. And so while it seems economically better in some cases to run it because it's still working, I do think that one of the things we have to figure out as a community is how to make it cost effective to, to go ahead and get a new one because it's easier to secure. So that infrastructure is there for you because the speed of computing has to match the speed of the network flow. And if one of those is out of alignment, you're still going to have the lowest common denominator for speed. And when you do these calculations and things burn hot. Your infrastructure includes cooling, it includes power for that cooling. And so all of this has to get designed holistically. And I do think that's going to be a very specific and sophisticated expertise that we're only just beginning to develop in the next generation of networking. And I think, as we've often said, success in cybersecurity is putting yourself out of a job. It's making it so that we don't need the discipline. We're clearly not there. And thank you for that. I love my work. But the networks of the future will have more self learning, self healing capabilities, just like our, our routers. Talk to each other right now and make sure everybody's still up. I think we'll be doing that in security going forward.
[22:00]
B
It's. I could see it being really easy for folks to make missteps along this journey. Right. And you highlighted two of them just now. Right? One, one misstep. Or maybe, you know, just a bad thought is that something's running, it's great, doesn't have any problems right now, but I'm not thinking about the future, so I'm not replacing it and keeping it current. You also mentioned bottlenecks like you might have the great compute infrastructure, but if you don't have the communications upgrade and the bus speeds, you can't really take advantage of it. What are some other common missteps that you've seen companies make while they try to pursue speed and innovation and maybe they don't have a strong foundation.
[22:50]
A
You can address some of the things I've looked at with colleagues all over the country and in different areas and even academically one of the, if you look at some of the stock trading applications, because that's a very high speed application we can all relate to. And it's true in manufacturing too. It's important to design your infrastructure if you're going to use very fast mathematics or high speed computing to do calculations that literally create what they call a digital twin. Or instead of having to, if an object is going to fly and you want to know if changing it a bit is going to fly the same way, 30 years ago you had to make a new model and try it out. Now you do a digital simulation that is hard, that is billions of calculations to emulate one small change in the physical model. If you're going to do that in real time, it turns out the distance from your computing infrastructure to where you are watching it matters. So the time, the speed of light, the time it takes to get the result to you for the simulation matters. So you wouldn't be doing something like that based on a data center overly far away. Now most applications don't have that much sensitivity, but some of the digital twin and simulation and certainly a lot of the financial applications do. And that's something that I think from an academic and scientific mind, those are fascinating problems to look at right now. And they go into how we design our infrastructure in all of our companies.
[24:30]
B
And you, you bring up such, such a fascinating point because folks usually don't think about that without a lot of experience and making those mistakes in the past or you know, they, they've seen all these best intentions but haven't thought about it end to end. And I'm, I'm wondering what advice would you give to an organization that wants to harness high performance computing? They want to be able to defend quickly. They want to look at all these signals as you mentioned, and be able to calculate risk act. How do they do that responsibly where they can get speed but not introduce new weaknesses that the adversary may take advantage of. It's an age old. Do we actually want to automate response response and if we do, how do we make sure that the attacker doesn't take advantage of that automation and trick us into shutting something down and we shouldn't. How do, how do you think about that.
[25:35]
A
You've raised like 50 great questions in there.
[25:38]
B
I know. Sorry, sorry. Yeah, that's like a compound question.
[25:42]
A
If I go from the last one. So an automated response and think about our operational technology too, that is connected. In some cases it's not connected, in some cases it needs to be for monitoring. But how we protect that and ensure that it is segmented so that it doesn't face outward and is not subject to the wild west of the Internet, I think is one piece where you can mitigate risk and add a lot of automation to that. The other risk in there though, of course is accuracy. Not just adversarial problems, but making sure if you make a mistake, there's a time frame to correct. If you make a mistake at high speed, that mistake propagates very quickly. And so how you design these things and as we grow as a community, look at this is holistic. If I'm a small company, I would outsource when I would get high speed computing and I would understand what the distance has to be from of the last discussion. But that's something that's readily available all over. If you're a large company, you still, you have a balance of what you outsource and what you bring in for a variety of reasons. And then you look at sensitivity and you look at how am I able to manage this and cost and facilities and geographic balance and disaster recovery. So I think a lot of it depends on financial models for your size too. But I never underestimate. Not every risk with high performance computing is caused by an intentional adversary. Some of it is escalated because we're running so fast and it's a mistake and I think we have to be wary of that too and understand how to recover.
[27:29]
B
I'll ask you this, which is kind of an age old question in cyber and I'm curious if high performance computing changes this in any way. And you alluded to this at the beginning of our discussion 20 years ago. We were seen as the people that stop things. The ministry of no inside of the business. It's kind of how the security office was branded at some point. And I reflect back on, for example, when the iPhone introduced Touch ID. It was one of those really rare occasions where somebody could be more secure and also have more delight or get into the phone faster because maybe they didn't have a pin on the phone and now they'll put a pin on, but all they have to do is touch it and now they're inside of the device. Do you see high performance Computing enabling us to further delight the user or ease the path of the user, basically. Again, another compound question, but how do you design security and just high performance computing impact that so that employees can move quickly without needing to think about the threats behind the scenes?
[28:55]
A
That's the holy grail. It could be considered career limiting, but I did commit to creating more secure solutions that are more enjoyable. To your point and one of the I did because I believe that's where we have to go to exactly your point. If someone doesn't like something, they're not going to use it. And in a company that moves as quickly as Northrop Grumman for the mission that we have from outer space to microchips, we can't expect our employees to have to climb over an infrastructure to get their work done. So one of the things is just a great example is we are implementing pins instead of passwords. So I can ask you to memorize a bajillion character password and I'm not popular for this because we did that for a while actually very secure. Or I can have you memorize a not so onerous number that you're probably never going to forget because you choose it and it's better because it's tied cryptographically to your identity. And I can cover all the corners of multi factor authentication because I can either do a have no or an R, but it covers the touch is cryptographic. And it's the high performance computing and the progress we've made in computing in general that lets us do that crypto fast enough. And I'll give you some humor. My PhD thesis at Georgia Tech way back Machine here was on high performance computing for cryptography and it was just how do I make the computer do the calculations quicker than it's supposed to be able to do? And now we have hardware that does all of that. So what we tried to do back then, which we did successfully do, and I am thankful for my graduation for that. But no kidding. But that touched that iPhone. We couldn't do that 20 years ago. That processor in your iPhone is calculating a key that's far longer than your any password and it's far better protection. And that's. You nailed it, Hugh. That's more of what we want to get as far as the security experience. And nobody's there yet. But I do think there are lots of touch points that can make that better. And that is an example of one.
[31:18]
B
That's awesome. I love a hopeful story for the user. I completely agree with you. If the user is in Pain, they're going to do unexpected and probably very unwanted things. So I'm completely aligned with your career limiting statement. As you, as you put it, nothing
[31:39]
A
more interesting or more risky than telling a bunch of smart people you can't do that. And it will be far more insecure, unsecure and far more risky than anything you would want. And so the trick is really, it is about a human experience. If, for example, there's a lot of security software on all of our laptops everywhere, if you open up that laptop and it takes 20 minutes to light up for you, you're going to go to your phone. So where is the secret sauce in making that stuff run faster or mitigate some of that experience? Because I would never expect someone to, to work with equipment that was unpleasant because you just can't think about what matters when you can't even log in. And I'm very sympathetic to that.
[32:35]
B
My gosh, you, you definitely nailed it. On the creativity of people, if you tell them no. And you know, Phyllis, I've got five young kids, whatever I tell them not to do, the kinds of ways they can figure out to get it done are just unfathomable. Like it's unbelievable creativity. And so if we can, if we can avoid spurring that in the user base, that would be a massive breakthrough for cyber everywhere. One more question to ask you and it's the advice question. So if you had one message for CISOs that are listening or technology leaders that are listening about preparing for the future and I have this big open ended question, what would it be?
[33:27]
A
Think about what you're here to protect. And before you think about vendors and requirements and regulations and acronyms, think about why you're here and your purpose in that role. And for me, I learned very quickly within the first couple of weeks of being at north of Grumman, my first visit out of the building where they greet you was to our operations center, of course, and just met that amazing team. And soon after they brought me out to one of our factories where I got to walk this amazing floor and watch them put together pieces of a fighter jet. And that wasn't cool enough. Just talk to the people putting it together and explain how every little part or everything is digitally guided. And everyone had such an expertise on their small part of this big beautiful bird that to me gave me as a human being, not just a ciso, a lot of purpose.
[34:36]
B
It's a mission that motivates and Phyllis, I, I, I can't thank you enough. Not, not just for being here, but for everything that you've done and you continue to do to keep really our way of life safe, and you're such an asset to this community. Thank you for everything that you do. And I wanted to also thank our listeners for tuning in. I'd invite you to please keep the conversation going on our RSAC membership platform form by visiting onersac.com membership and be sure to check onersac.com for new content posted year round. Phyllis, it's so great to see you. Thank you so much for being a part of.