Solving the cybersecurity puzzle with Arlette Hart and Meghan Good
Cybersecurity isn’t an issue that can be dealt with simply by using technology. It’s about working together to solve challenging puzzles, bringing together technology and people to solve complex problems.
This week’s guest on MindSET, Arlette Hart, Senior Technologist for Cybersecurity at Leidos, believes cybersecurity sits at the intersection between technology and people. For Arlette, if you want to protect against cybersecurity threats and vulnerabilities, both technology and people have to work together.
Of course technology is important, it creates an opportunity for us to better detect, sense and react to activities happening, and even predict them, but it also creates new challenges of having to then protect the things that you’ve just created. It’s a vicious cycle.
Joining Arlette in this podcast is MindSET host, Meghan Good, Cyber Solutions Lead for the Intelligence Group at Leidos. And what makes the conversation so rich is that, while they both have cybersecurity as their focus, including its challenges and innovations, they’ve come at it along very different paths.
On today’s podcast:
- Cybersecurity sits at the intersection of people and technology
- The various pathways to cybersecurity at Leidos
- The biggest threat to cybersecurity today
- The advancements in cybersecurity
- The impact of COVID-19 on cybersecurity
Arlette Hart (00:00): We really want you to be a part of the team that is securing the information. If you're a Leidos person, secure for Leidos. If you're for your other organization, secure your information. And if you see things that are going wrong, be a part of the team that is protecting the organization. It's important to everybody because attacks can bleed out to other organizations.
Bridget Bell (00:25): Welcome to MindSET, a Leidos podcast. I'm your host, Bridget Bell.
Meghan Good (00:30): And I'm your host, Meghan Good. Join us as we talk with pioneers in science, engineering, and technology, to understand their creative MindSET and share their stories of innovation.
Meghan Good (00:47): So today on MindSET, we're taking a different format. Our topic today is around cybersecurity. And as this is one of my areas of expertise, I joined the conversation along with our senior technologist for cybersecurity, Arlette Hart, one of my esteemed colleagues who in the past was the chief information security officer at the FBI.
Bridget Bell (01:09): So both you and Arlette discuss cybersecurity as not only a focus on technology, but the intersection between technology and people, and how working together you can really protect against those threats and vulnerabilities.
Meghan Good (01:22): Well, and certainly the technology is still important too. And it's ever changing, which creates both an opportunity for us to better detect and sense and react to activities happening, and even predict. But then there's also that challenge of then we have to protect the things that we just put in, creating this vicious cycle. We talked about the multifaceted challenge of how to keep on top of that.
Bridget Bell (01:47): So in the conversation, you and Arlette both describe cybersecurity as addressing a puzzle, and that it's not just technology but it's the pairing of technology and people to really solve complex problems and puzzles, which echoes a lot of what we've heard from other MindSET guests.
Meghan Good (02:06): One part of our conversation that I really liked was talking about the future of work as we're in this very remote kind of environment right now with the current pandemic. But how is that going to influence what we do in the future, what technologies we engage, what protections we need? We're already seeing it affect our new normal from a security baseline. And we need those cool technologies. We need AI and ML. We need better analytics, better automation, better orchestration in order to be proactive against the threats.
Bridget Bell (02:38): Well, let's get started with the conversation.
Bridget Bell (02:48): Welcome to MindSET. Today, we're talking cybersecurity. And since our cohost, Meghan Good, is the VP cyber solutions lead for our intelligence group, we're going to take a different format than our typical interview. Meghan is joined by Arlette Hart, who's our senior technologist for cybersecurity, and they're going to have a conversation digging into some of today's issues within cyber. So let's get started. You're both experts in cybersecurity but have had very different career journeys. Can you start with a little bit about your background and past roles?
Arlette Hart (03:23): Sure. Let me start first. First of all, let me also say what a privilege it is to be on with Meghan, who is clearly an expert in this field. She and I work together a bit, and it's always just a joy to work with her. But I had a relatively circuitous route to reaching cybersecurity. I actually started in politics. I had a history and political science major. And that is just not the first major you would think when you're saying what's your typical cyber security role. But it was really interesting because I came backwards into not just cybersecurity but technology. I started off on the Hill working in policy there. And with changes in people on the Hill, you end up looking for other jobs. And one of the ones I found was writing system development methodologies. And from writing methodologies, I started doing some system development that led to doing integration and rollout of some enterprise capabilities and developing and managing infrastructure, and then supporting procurement and those kinds of things.
Arlette Hart (04:25): And at one point, I was working for the Senate, actually at the Sergeant at Arms office, and said, "I really want to do something harder than this," because I was kind of getting bored. And I took a job, a random right in integration plan for cybersecurity capabilities at the FBI. I happened to have a security clearance that met their needs, and it was a six-month assignment that turned into a cybersecurity career. When I took that job, I was absolutely new to cybersecurity. I don't think I knew what an intrusion detection system was until I actually took that job. And I never looked back. It was really an interesting career progression. And from there, I went to manage program for cybersecurity and went on to become a senior technologist with the FBI, and went on to become CISO with the FBI, and then came to Leidos to be senior technologists for cyber security.
Meghan Good (05:16): That's certainly is a circuitous path. And I would say, for mine, it's a bit more straightforward. I started with Leidos as an intern while I was finishing up my bachelor's and my master's in computer science. So maybe not political science and history, a little bit more the expected route perhaps. But the team I joined supported information operations for the Department of Defense and our intelligence customers. So of course we can't say too much about that, but all in all this work eventually turned into what's known today as cyberspace operations and where, as a nation, we're striving to achieve information dominance in and through cyberspace.
Meghan Good (05:56): Over the years, I took on a number of technical leadership roles on key projects, including leading our consulting line of business for our commercial cybersecurity team at the time before focusing on applying data science and engineering to improve cyber operations, getting back to my roots. My focus area there has landed in how we translate cyber activity into terms that non-experts understand, and how to do that in a timely manner through smart automation and integration, as well as really cool graphics that tell a story and highlight where we can maneuver or fix next.
Meghan Good (06:31): As a Leidos technical fellow, I lead research projects in this area, in cybersecurity. And in my current role, I lead our cyber solutions development within the intelligence group, as well as direct our solution architect program for Leidos and host this MindSET podcast with Bridget. It's busy.
Bridget Bell (06:47): Yes. And as you can see, they're very two distinct journeys from the kind of circuitous, almost falling into a role that was supposed to be six-month assignment and turned into a career, to a more straightforward path and being with Leidos from your internship to now all of these leadership roles. So thinking back to the start, what got you interested in a career on cybersecurity?
Meghan Good (07:14): I think, for me, it certainly is a degree of hard work and luck. Because when I was at the time graduating, cybersecurity wasn't what it is today. But part of my coursework in college was in cryptography, and then following up with network security and data security. And I think I just got obsessed with the puzzle of it all. It's a matter of there's lots of moving parts. There's lots of pieces that are influenced by things you can control and things you can't control. And then there's the technology behind it, that no matter what it's always changing. And so you have to stay on top of technical fields and then you have to figure out the best way to secure it, which is really more about how you work with people, how you work kind of in these societal norms too. It's just fascinating to me.
Arlette Hart (08:05): I agree. And I take it a little bit from the other side of, also, I like a challenge just like Meghan on this one. And this one's a big one. It mixes technology and, believe it or not, a lot of social sciences, including political models and motivations and historical realities and real politic or whatever they call it now. And there's a lot of complexities. And it's hard. And I like things that are hard. The space is so multifaceted. And the range of disciplines, they mirror not just the realm of society, but they also mirror all of the IT world, from mobile to big data, to AI, ML and legacy versus innovative technology, and how to address all of those kinds of holistically. And protecting all of it is a big, big challenge.
Arlette Hart (08:46): It's easy to think of attacks being about technology, and they are, but there is a human being on either end of those attack vectors. And there's somebody trying to do something to somebody else at each side of it. And knowing why they're doing it or what they're doing and what their motivations are, there's a big part of that that goes to what does that threat really look like. And on the victim end, it's not just the secure at all costs because their motivations are also different. They may want to protect things, but they want to protect things at a level where they're not losing more money in the protection than they are in the value of the product itself. So it's a really hard question. Because learning how to protect things properly, it's easy to say, "Oh no, we want to just be secure." Because a lot of times people don't just want to be secure. They mostly just want that security to have happened to them. So the whole multifaceted realm of this discipline is what's really interesting to me.
Bridget Bell (09:40): I find it really interesting that you both describe your interest in cybersecurity by saying it's that intersection of technology and people. Because I think you're right, when you think cyber security you're thinking hackers and attacks and vulnerabilities and not necessarily the social and people side of it. So I really enjoyed that that's what brought both of you into these careers. And I also want to go more into your past experiences. So with Meghan, here at Leidos, and Arlette, with your more indirect path and being the CISO at FBI, what would you both consider the biggest threat to cybersecurity today?
Arlette Hart (10:22): For me, it is, I'm just going to broad brush one, unevenness and unknowns. When you look at cybersecurity, to me it looks like a fractal. At the top level, it's uneven and jagged. And as you go down into each and every organization, it's uneven and jagged. And the interest in it is uneven and jagged at different places in different organizations. So this is caused by a couple of factors, of course. One, obviously the people. Some people take it seriously and some people don't. And when they do take it seriously, they take it seriously in this area, but then they're like, "Oh, but not that." And so there's an amount of that. And some organizations are very diligent, and organizations that those organizations rely on may or may not be diligent. So that's the whole supply chain question, which you've probably heard of.
Arlette Hart (11:05): There's also the legacy versus new technology question. It's really hard to retire old systems in any organization. It just gets challenging to say, "Yeah, I don't need that anymore," because there's that one last little piece of it that some other critical capability is depending on, no matter how much you want to get rid of that. So then you end up, from a cybersecurity perspective, still protecting a legacy system that is barely able to function at all. And new technology is either delayed because it isn't protected, so then the organization can fall behind, or it's deployed without adequate protection so you have too much risk. Or it's deployed without anyone knowing about it so you have the shadow IT piece of it. So having that balance among those pieces is also hard. And the other piece is the cost of protecting versus the operational needs of the business.
Arlette Hart (11:56): All of these factors feed into your decision making about how much you're putting into cybersecurity. And both business and government have the same challenges with this. Government has its mission. Nobody in government has unlimited funds to devote to cybersecurity. When they start getting more money, the first thing they think of is not, "Wait, I should just beef up my cyber security." They think, "Oh, this is another cool thing that I can do", which just turns into the whole legacy versus new technology thing. To me, those two, the unevenness and the unknowns are the biggest challenges in cybersecurity.
Meghan Good (12:30): I wholeheartedly agree. And I love the way that you say that about things being uneven and jagged. Because really, when I think about this, it's the large attack services, but they're not even large, they're quite small. And the fact of the matter is that a vulnerability in one spot, there's such an asymmetric effect, an impact, that you can have on that, on a larger network, just by one unique vulnerability. And then you can propagate that further, from an attacker's perspective. And from a defender side, how are you ever going to figure out what that one thing was? It's almost impossible to see all those jagged edges that Arlette describes, unless you really are very honest with yourself, unless you can keep up with this with tons of sensor data, if you can store all of that information over time. I mean the cards just stack against you very quickly of what capability you would have to have to have that insight and that visibility and that knowledge, and then be able to act on it as well.
Meghan Good (13:36): We're at this limit. As Arlette said, there's a limit of how much you can spend on this, but there's a limit of how much that's physically possible for you to know and to action. And I think we're hitting to where we have newer technology in time to help us address that, but it actually makes it harder because there's newer technology to look after. And so it's this problem that feels like it keeps building on itself. And you can very quickly become overwhelmed by the threat there. And I think being overwhelmed is probably the third thing that I would add in to the unevenness and the unknowns as Arlette said. It's just the fact of the matter is there's just so much. But I think that we're at a pivotal time where we can go forward smartly and start to address those areas that we can control and bring it into some semblance of really knowing what we do know and protecting against even those things that we don't.
Bridget Bell (14:34): And that's a good segue into my next question. Because I know, with cybersecurity, you talk a lot about threats and vulnerabilities. But trying to look at the more positive side, what are those technologies, those advancements in cybersecurity that you're really the most excited, whether that's coming in the next year or more longer term, in the next five years?
Meghan Good (14:57): Right. And I would say in the recent past, as I just discussed, it's a lot about automation. And it's been workflow automation and how to get these use cases done so we're not wasting people's time. We can leverage machines. As we move forward, I think taking the next step, the one that I'm most excited about seeing mature is deception technologies. How can we mimic that uneven and jagged-looking network to a potential attacker so that they think they're handling one type of environment, but in reality we are more protected within some sort of a fortified wall and we're deceiving them of what they think they're going to be able to accomplish. To me, that's taking it to this next level. It's a bit sci-fi, but it's really one of those things that's emerging. And from the vantage point of cyberspace operations, it's a very powerful technology.
Bridget Bell (15:51): And I have to jump in because when you mentioned it's a bit sci-fi, I think a lot of the topics that we go into on MindSET do have that a little bit sci-fi feel. So Arlette, what are you most excited about?
Arlette Hart (16:05): So I don't know that they're the cutting edge technology, but I think we have under-leveraged them at this point in time for cyber in particular, so AI, ML of course. I think it can really make a difference. I think we're at the edge of being able to make a difference with it. I've been thinking about coining the term detect in depth and protect in depth, so we talk about recursive detection and protection capabilities. So it's like we don't look at things once, we look at things for their first level of, "Okay, that's a problem," but then we start looking at when we look at more of those logs, looking longitudinally, looking at patterns of behavior that you couldn't necessarily see just by looking at things at a point in time.
Arlette Hart (16:49): And one of the things, one of the capabilities that enables that of course is cloud capabilities, which just make it much easier to store your logs. Now, you have to store them correctly and safely so that you're not putting them at risk because that's sort of an important component of your world. But if you can put your logs in a place where you can store not just a day of your packet capture but do some serious amount of packet capture and then run big data solutions against your packet capture and looking at different kinds of ways that people will be taking your information out, then you can do low and slow and start doing detection at different levels than you were able to before. And I think those are the places where we really can make a difference in what the threat vectors look like.
Arlette Hart (17:34): I agree with Meghan about the automation and the orchestration. Let's get rid of some of these commodity problems. We shouldn't be spending a lot of time on those things, but we do need to make them actionable accurately with the the SOAR capabilities and getting the commodity threats completely out of the way. And the advantage of that also, we really want to make it more costly to the attacker to attack and make us hard targets. We don't want to be the easy thing that, as Meghan was talking about, the threat can just expand over time. We want it to be a hard target that is easily able to patch and manage the infrastructure and not have those vulnerabilities just exposing us all the time.
Bridget Bell (18:14): So two things stood out, Meghan describing it as that fortified wall that you're talking about, Arlette, making you stronger. But I also really loved the detect in depth and protect in depth. Because as you describe it as these jagged edges, that the farther deeper you go the more jagged edges there are in those unevenness and unknowns and overwhelming, but if you can detect those in depth and protect those in depth, you're going to build up that fortified wall. So we talked about what long term you're excited about. Let's bring it back and talk about what's happening in the more near term. So as we see more and more people working from home and having to access various networks remotely, have you all seen an increase in threats or attempted cyber attacks?
Arlette Hart (19:06): Kind of. There's more activity, but the more activity can just be because there's more activity because people are doing things differently than they did before. It's hard to really attribute it to because they're working from home. The traffic itself looks different than it did before. And whether it is because it's the time of year or because people are working from home or because there's an increased attack vector, it's hard to say, because causality is very difficult in cybersecurity. That said, we pay a lot of attention to that and we make sure that we are tracking aggressively what's going on. And when environments change, which is a thing that happens in cybersecurity all the time, we adjust fire and make sure that we do understand what that change in environment means from a threat perspective. This is just another new capability to a cybersecurity perspective. Working from home is just the same as mobility in some ways. You have a different way you are reaching your critical data.
Arlette Hart (20:04): One of the things that I think is true though is that "security is a team sport". I'm using air quotes. You just can't see them. And I think it's more true right now when people are socially distant than when we're all in the office together. Responsibility for reporting anomalous activities, this really is something that we would ask people to do all the time. We really want you to be a part of the team that is securing the information. If you're a Leidos person, secure it for Leidos. If you're for your other organization, secure your information. And if you see things that are going wrong, be a part of the team that is protecting the organization. It's important to everybody because attacks can bleed out to other organizations.
Meghan Good (20:44): I definitely think with that, I, first of all, cannot believe I said the word fortified wall before. But Bridget, you're so good to remind me of that because really it's one of those that there isn't a wall. It doesn't exist anymore. There isn't an edge to a network. And as Arlette says, right now people working from home, that's mobility, that's the way things have been. I think for us, we're experiencing that at a larger scale right now to keep our employees safe. However, our home networks just aren't the same as enterprise networks. The level of investment in security devices, and even our own practices, just isn't the same when you're at your house, in your yoga pants, versus at the office. I think you have a different level of decorum to that people side of what you would do and what you expect is normal than maybe what you do at your home, where some of your leisurely activities can take place at the same time as work ones.
Meghan Good (21:40): And that mixing of that traffic I'm sure is something that Arlette and the team are seeing, and that it just looks different. And we really need those good analytics. We need that good automation to help us figure out, "Is that really somebody coming in from an IP in Colorado or are they coming from some other country? And does that even matter?" It's just really different between home and the enterprise. But I think what is kind of interesting and, with the team of experts that I work with here, what I'm blown away by is there at-home labs that can rival enterprise labs and enterprise networks, so where they have way better security than some enterprises are willing to do, because they have the ultimate visibility on their house. And so I think we're seeing what are some kind of cool ways that you can implement some of these new technologies on a really small scale. I think if they weren't home, they wouldn't have the chance to really play with that. So that's a one silver lining to this situation that we're in today.
Bridget Bell (22:44): That that's a fun perspective. I am curious now for both of your home networks, what kind of security you have in place being two of our most cybersecurity experts in the company.
Meghan Good (22:56): I knew you were going to ask that. And I just have to say that sometimes the best security is obscurity. No comment.
Arlette Hart (23:06): I'd rather not give away my security posture.
Bridget Bell (23:10): All right, we won't reveal any secrets here. So if you were able to solve one cybersecurity challenge right now, I know it's going to be hard to narrow it down, but what would that be?
Meghan Good (23:25): I think, for me, it's information sharing. It's a concept that is talked about a lot between the government and commercial industries, and particularly for us within the defense industrial base of where we want to share when we discover a new attack vector, we want to share indicators of threat activity. But the challenge just becomes that there's so much and that some of the parts are valuable, some of the parts aren't, but all of that really changes over time and it's value changes over time, and it's hard to crack the nut. And I really think that cybersecurity isn't the only field with this challenge. I mean we're finding that right now with the news about COVID. When you know something about COVID-19 versus what you heard weeks ago, it's all different. But it still is one of those things that we're trying to figure out how we can share that information without breaking the internet and without making it so diluted that it doesn't matter anymore. I want that solved.
Arlette Hart (24:26): That's a good one. That's not the one I chose, but that's a good one. I like that.
Meghan Good (24:29): Well, thanks. I figured you'd pick something different.
Arlette Hart (24:33): I would wave my magic wand and make it easier to, well, do everything in cybersecurity because most of it's hard. But, to me, the most important would be to know what risk looks like so people can really apply the right resources and to balance their operational needs against the risk of loss. And the result would be something close to the right answer. There's been a lot of work in this area, but it's still just really, really challenging to do this. I mean back to the fractal problem, every edge is another place where you have another problem with this. Other disciplines like fires and automobile accidents and things like that, there's enough information to allow actuaries to understand what the risk means.
Arlette Hart (25:11): But with cybersecurity, we're really not there. And it's even harder, in part, because the victim still has everything that they had before the crime. So it's not like they lost their car or their house. They still have the data that they had, not always with the same level of integrity, but they still have it. But they don't know whether they are the only ones who have it. So they don't know, "Am I sharing it?" And what is it worth to them to share? So that's the piece that I would really like to crack because then you could make real decisions around what should my cybersecurity investment be and make it so that you have a real risk appetite related to it.
Bridget Bell (25:52): So in this conversation, we've talked about both of your really unique career journeys, and then also some of the technologies that you're seeing and are excited about for the next one to five years. So I'm curious, if we look back to when you first got into cybersecurity, is there a technology that we have now that you wish we had back then?
Arlette Hart (26:15): So I would go with big data analytics, being able to look and link critical elements together so that they can really see what is the vulnerability picture, especially when the attackers were much less sophisticated. Then we could have tied a lot of things and saved a lot of time and money and become much more sophisticated earlier if we'd had much, much better data analytics early on. I think that would have been a game changer 10 years ago. And we could have just changed the vector of how things are done. I think it also probably would have informed a lot of vulnerability management and helped get patching where it needs to be and had people focusing much earlier on closing the cyber coding or the coding gaps with some secure dev ops, instead of just dev ops, and really helped us push what the cyber narrative is.
Meghan Good (27:09): So Arlette, since you took the good one, I'm going to say SOAR tools, security, orchestration, and automated response. And, for me, for those of you who don't know, that's a capability that takes in inputs from different kinds of security sensors and detection systems that we have, it does things that a person would normally do and then starts to actually affect some of the other systems that are doing protection. So it's one of those that things come in and it takes action and then it makes magic happen for us. And it's all set to these different playbooks. And I think about the first set of automated tools that I coded up for our group way back when, and I just wish that I had them as playbooks. I wish we could have put them in. We would have been so much further ahead. We would have been tackling the more sophisticated challenges sooner. And I just think it's one of those classes of capabilities that are becoming a defacto standard across lots of enterprises thanks to a number of different vendors in this space.
Arlette Hart (28:12): I don't think I win on that. I thought SOAR was also a really good one.
Meghan Good (28:17): I think they work together though. I mean that's the best part is one tool alone doesn't do it. It's a bigger solution that we need. And it's finding the way that you're getting the right combination of inputs that give you the kind of insight and visibility that you need through those analytics, that you're actually actioning it in a way that really is protective.
Arlette Hart (28:38): And it's funny because both of them assume that you have the right information in there.
Meghan Good (28:42): Oh, that's so true. That you shared it, to my point before, but that you're also generating it yourself within the bounds of your enterprise, that you know what those devices are, you know what kind of software they're running, you know what you have out there to detect it. I mean it's a lot of those critical security controls, which I think sometimes we can feel like is a compliance checklist. But without it, we really can't do any of the good stuff. We can't do the good threat analysis. We can't do the good kind of protection that is absolutely necessary.
Arlette Hart (29:14): And that the sensors are working and working properly and giving you the right telemetry and the information that you need, and that you're getting it in all the time when you're supposed to be getting it in, and all those little heartbeat kind of things that are also truly critical to this.
Meghan Good (29:29): Right. And even beyond that, if you think about the kinds of deployed networks that we work with, they're in these remote locations sometimes, right? Where the network extends, that, even as we talked before about mobility, there might not be great bandwidth to bring all of that information back. So it's a matter of how you're choosing the right kind of data that is really going to inform those risk-based decisions that you talked about, Arlette.
Arlette Hart (29:55): Absolutely. Yeah. Yeah. Did we say something about hard problems before? Yeah.
Meghan Good (30:00): And multifaceted and interconnected.
Arlette Hart (30:04): Exactly.
Meghan Good (30:05): We could talk about this forever probably, Bridget, and hopefully we haven't lost you in our conversation.
Bridget Bell (30:13): Not at all. I love it. I just want to sit back and listen to you. So is there any other topics that you all want to dig into or talk through?
Meghan Good (30:24): I think the question I always have is what's the transition like to go from being with the government to really trying to ensure the security of a very mission-oriented agency to coming to a company like Leidos and looking at our networks, our reach, our data, what lessons did you apply in that transition?
Arlette Hart (30:50): It's so very different. The perspective from government is you're protecting the critical data for... Leidos has that same idea. We protect government's critical data also. So there's an element of commonality with that. But looking at it from the being in government and being the one responsible for making sure that that data is protected, you are on the front line in that place. And you're the one who is the reactor to that. When I left government, it was the, "Oh, okay. I'm leaving that piece," and there was no taking it back. It was the, "Okay. I now sleep nights instead of staying up all night." It was a big weight because it's very heavy doing that from the government perspective and making sure that the protections are in place and working with the people and making sure all of the elements are doing what they need to be doing 24 by seven.
Arlette Hart (31:48): I'm not saying it's not heavy here too, because I think it is. I think it is the same kind of weight, but the ultimate responsibility question is a little bit different. But when you come here, you still need to do that same level of diligence. It just looks a little different. And the mission turns into a different animal. From the government perspective, you do that from a, "This is what the mission is. We accomplish the mission." There's still a balance. There's still the, "Here is the balance. Here's the money that you have to do this thing. Here's the mission that you have to do within that type, that amount of money," but you don't have the financial incentive.
Arlette Hart (32:23): So one of the risk questions, when I talk about risk, when you do that from the private sector perspective, there's a financial cost to what the risk is on both sides. So it is, "This is what your cybersecurity budget is. This is what your risk costs, how you're monetizing your risk." When you do that from the government perspective, you can't really monetize risk that way. Yeah, they have budgets and things like that, but when they lose something, they don't lose money like that. They lose PII lives, things that have non-monetary value but are extremely highly valuable. So it sort of looks a lot different. Does that make sense?
Meghan Good (33:00): That does. And I bet the calculations there are completely different when you're talking about risk. It's not just the very rote or almost counting like look at risk. There's another nuance. There's a lot of shades in there.
Arlette Hart (33:17): Exactly. Okay. So me to you, what's kept you at Leidos this whole time.? What's kept you engaged all the way through?
Meghan Good (33:26): I think one has always been finding the next challenge and having advocates who support me in finding those challenges. So when I joined as an intern, the group that I worked for was ready to offer me a full-time position. Right? And it was one of those where I knew what I was getting into, but I knew that there was a lot of growth and room to grow with that group. And then, from there, I would say, as I look back on the course of my career, every 12 months to 18 months I've taken on a new challenge. Now, that usually means that I haven't let something go, hence lots of hats and roles. But I really like that I think at every turn I've been able to see what's the latest in technology and explore through different research areas, which peaks my interest and keeps the challenge going.
Meghan Good (34:21): But then at the same time, take on leadership roles where I feel like I'm giving back and supporting other really smart and bright people. I love connecting up different technical ideas. And I feel like as a tech fellow and as a solution architect, that's our calling here is to connect the dots, to solve these bigger problems, and realize that it takes multifaceted thinking that we all learn through different cyber operations kind of work. But it also takes figuring out where you need the mix of depth as well as breadth. And I see that a lot across Leidos. I find it really energizing and there's a lot of job satisfaction here. It's a lot about the people I work with and it's a lot about the opportunities that were given to really make a difference.
Arlette Hart (35:11): Yeah, I agree. There are a lot of opportunities at Leidos and there's some seriously smart people here, and it's just been really interesting to work with the people here. I agree.
Meghan Good (35:20): Sometimes it feels like a really long time, but other times it goes by so quickly. And I think, right now, we're really seeing this big evolution in how work is changing. And I can only imagine how much more we're going to be able to do virtually to really pull in our international team and our team with our customers, our vendor partners, as well as the technologists that we have here. It's an exciting time.
Arlette Hart (35:45): It really is. This has been a forcing function for how to really work remotely. And I think we're going to learn a lot from it. And I think it's got some serious up sides. So it'll be really interesting, yeah.
Bridget Bell (35:57): So let's wrap up with one final question. What guidance or advice do you have for our listeners as we close this conversation?
Meghan Good (36:04): Well, I would say, as a problem solver myself, what I would recommend is that you have to work through the fear that I think has come with cybersecurity and with the threats and the challenges that we've talked about and really start to identify what are the problems that you can address, and prioritize what's the order that you can do it. And I know that sounds very simple to say. We've talked a lot about technology. We've talked about people. That's probably the process element of it. But taking it step by step, you'd be amazed how far you come. And I think really having a plan, having some actions, being consistent about what you're doing when you bring in new technology, when you incorporate new security procedures and controls, all of that helps the greater good, as long as you can get through that process and make sure that you're reaching the goal that you want to get to. So take your time, work through it, and identify the problems you can solve.
Arlette Hart (37:02): Well, those were good. I also have three. And the first one is work and play well together. This is, again, a team sport. Remember the railroads early on, they didn't have standards for how far apart the ties should be or the rails should be. Eventually they got to the place where they had standards. What we need a lot is for industry to work together and establish standard bases for building so that we can all win. All of these boats can float higher. The rising tide raises all boats. No one wins as long as there's large swaths of the country or the world that are losing. It's kind of like a prisoner's dilemma. And it's like if one person just does all of their pieces but doesn't bring everybody along, we all lose. We all have to be together on this game to win this game.
Arlette Hart (37:48): For the big players, I would really like to ask them to consider eliminating a lot of those simple problems, patching and updates, make more things backward compatible, make it so that people can really support legacy. The objective is for them to be able to be secure more than for them to be able to upgrade, enabling people to really secure their infrastructure even if it's not what you want their infrastructure to be. I know it's easier said than done, but it really is important. It is a lot easier said than done. And I understand the backward compatibility and there's limits to it and all those kinds of things. But somehow we need to get past the place where a patch can break your entire infrastructure. And that's kind of where we are. So better attention to how to patch and what it means to update and making sure that we have better cybersecurity.
Arlette Hart (38:37): Finally, keep pushing the front edge. I think there's a lot of room for thought leadership in here, and we need to think in new ways and do things differently and we have to really make everybody a hard target. That's my input.
Bridget Bell (38:51): Yes. Thank you. Both Meghan and Arlette. This was a wonderful conversation. To all our listeners, as always, please, if you enjoy this podcast, share it with your colleagues. And to learn more, visit leidos.com/MindSET.