Charles Lyons-Burt
Cybersecurity industry veteran Eric Trexler is motivated by the complementary forces of technology and business. He began his career as an airborne ranger and communications specialist in the U.S. Army before pivoting to the private sector, holding roles of increasing responsibility at companies such as EMC (now owned by Dell), Salesforce, McAfee, Forcepoint, and now Palo Alto Networks.
The executive’s work took a number of focuses — including networking, storage, databases and virtualization — before he transitioned to a concentration in helping customers protect their information. Trexler is currently senior vice president of the U.S. public sector business at Palo Alto Networks, joining the company in September following a nearly five-year stint at Forcepoint.
He recently sat down with ExecutiveBiz to explore the economic impacts of cyber aggression, how zero trust plays into sunsetting legacy IT systems in the government, the importance of emphasizing outcomes rather than tools and more.
What is the biggest threat facing U.S. cyber systems today, and what is being done to protect against that threat?
I think there are two things. Many people would say that if you look at state and local education as well as commercial companies, ransomware is probably the biggest, most visible, most concerning threat out there. Ransomware is a real problem for organizations because they’re not equipped to address it and it puts a significant drag on them at a higher level. In addition to ransomware, I think the biggest threat is the economic impact on cybersecurity in general.
I came into this industry because I like merging technology with the business requirements. Unfortunately, the biggest threat we see is really the impact to those business requirements. There are a number of reports out there that show somewhere between 3 to 10 trillion of annual loss due to cyber activity. Summed up, that’s the third largest economy in the world behind China and the U.S. We are number one, China is number two, cyber loss is number three and obviously ransomware is in there and growing significantly. These numbers include loss of intellectual property, productivity, and everything in between.
It’s very easy for an adversary to reach into a business, an organization, a government agency or a country from somewhere else in the world. They don’t need a visa, they don’t need an airplane or transportation. They just need a computer and connectivity.
Economic loss is paramount here and it’s really diffused across the global economy. The average person doesn’t necessarily understand the impact to them when a business or an organization doesn’t protect their data or their information. Or, [the cyber aggression] causes loss and cost on the business, which gets translated to the individual.
Do you think the United States’ cybersecurity efforts are keeping up with demand? If not, how can we accelerate and broaden cybersecurity?
We’re doing a lot and the U.S. government—specifically federal, state, local and education organizations—are doing a tremendous amount. If you compare what they’re doing these days to what they were doing as little as five years ago, you’ll see it’s an order of magnitude more to protect our systems and information.
The challenge is, there’s such a significant amount of activity out there and a huge number of bad actors that we keep falling further and further behind. If you look at the loss numbers, they keep growing. If you look at the workforce shortage numbers, they keep growing. The number of attacks—they keep growing. We’ve got to do more. We’ve got to consolidate, we’ve got to do a better job of it. We have to change the way we approach the problem.
When you look at the government or a [commercial] organization, there are good people doing good work every day. We just aren’t doing enough of it, because we can’t. We don’t have enough people and we never will. We’ve got to take a different approach to this problem.
One of the trends we’re seeing is really a focus around the theme of zero trust. It’s a clear pivot from the old perimeter based security model to a focus on people, applications, and data. It’s clearly a frequently used, even overused term, for looking at changing the paradigm in cybersecurity, but it is a change. It’s really important to us. You must have a complete understanding of how an organization works: their users, their data, their applications, who should have access to what and limiting it to the minimum requirements in order to do their job with constant verification.
Today, that’s not the case. But zero trust is a philosophy or a framework in many ways that allows organizations to think differently about the problem. They can prevent more major problems and when they do have a compromise, they can isolate it and the adversary can’t move from application to application. The level of loss or impact is constrained to a big extent [under zero trust]. That is one of the reasons I came to Palo Alto Networks: we’re doing a great job looking at how we take large decentralized organizations’ activities, provide security as a platform and really isolate down to what matters.
Over the last decade the industry experienced significant change. We saw the introduction of numerous technologies or concepts such as the NGFW, Sandboxing, EDR/XDR, the enhanced SIEM, and many others. Mid-decade you started to see the industry focus on machine learning and artificial intelligence. All of these techniques, capabilities and components promised us better security. While security has improved, we’re not changing fast enough.
Enter zero trust. Zero trust is more of a philosophy, a way of thinking and a real paradigm shift in the industry. Our government customers are embracing zero trust architectures today. They’re honing the basics like identity and MFA. In terms of identity, it’s really hard to protect the business from you until we understand you, who you are, where you log on from, what you have access to and what you’re doing on the network. We’ve got to understand that.when embraced, the zero trust mindset shift really helps us get there.
The White House has given government agencies until 2024 to establish and implement a zero trust plan. What are some of the key barriers that agencies will be dealing with as they come up with these plans, and what’s your take on the path forward?
We’ve got a lot of legacy systems, especially if you look at the government, that you can’t just turn off and they’re definitely challenging to work with and protect in some ways. If you look at organizations, depending on the organization, they have some level of capability but there are finite resources, time, funding, humans, staff, talent, you name it. They can only do so much. You have to keep the lights on while you’re modernizing to make things better in the future. The question is, how do you modernize while keeping the existing systems operational considering already stretched resources?
Technology modernization is a big component of the zero trust journey that you’re going on. And then you get into the architectures, you get into the different pillars around users (identity), data, applications, devices, and networks. You’ve got to understand the entirety of what the organization needs, what people are doing. At Palo Alto Networks, we’ve done a lot of work in this area.
The first thing that the government is doing a really nice job of is saying, ‘what do we have and, and what does the architecture look like?’ Next, we need to move away from specifying products or capabilities and get them to look at it from the business perspective. We’re starting to see some barriers come down, but we have a long way to go. I think that’s important. In the past you would see very siloed approaches to securing the enterprise. You would talk to the endpoint security team, you would talk to the network security team. We would have vendors come in, or organizations who wanted to sell capabilities that were very specific in what they did. And you didn’t have that holistic picture of how we are trying to protect this organization’s users and data from bad activity. The state and local agencies along with our education customers are making progress here.
Zero trust architecture is starting to drive a better understanding of where the value is in an organization, what matters to an organization and how we orient to protect that. My hope is that we see a focus more on outcomes in the future as opposed to technologies. I suspect that will drive consolidation in the industry as we look to the large players that can actually address the outcome or the business need that the customer has as opposed to responding to a request for proposal or selling a technology.
What is your strategy for attracting and retaining top-level talent in the midst of ongoing talent shortages in today’s highly competitive market?
At Palo Alto, we definitely work to attract the best of the best in the industry. We do a lot around training and enablement. A lot of our work is in communities. A few examples are our partnership with Girl Scouts of the USA, wherein they have given out over 300,000 badges to Girl Scouts on cybersecurity. We put programs like that together to create higher awareness in our communities.
We’ve done a lot in the K-12 space, launching cyber security educational programs. We have new graduate programs here focused on early career employees and getting them into the workforce more quickly. We’ve got a cyber academy where we bring individuals right out of school who don’t have a lot of experience and we put them through a very intensive program to ready them for the workforce. Recruiting is critical. There is a big social component to it, where we’re out talking to people and educating them on the opportunities that exist across the country.
We start at the kindergarten level and we go to post-college. So as far as STEM and working with the workforce, we do a tremendous amount there, both from an investment and and caring perspective. Diversity inclusion is very important to us, it makes us better.
We are also enabling people as we bring them in. You don’t have to have 15 years of cybersecurity experience to work with us. We have programs set up so that we can bring you in and give you robust learning capabilities to bring you up to a base level and then continue with on-the-job training and workforce shadowing and things like that to get you up to speed.
I think on the product side, we design our products for our customers to solve their really hard cybersecurity problems. We are leveraging capabilities like machine learning and artificial intelligence to drive automation. And we believe that automation is a key to helping to solve the workforce shortage. We will never be able to completely close that 4.7 million professional cybersecurity workforce shortage, but through automation, we can reduce the number of professionals needed by essentially handing out lower level work to machines so we can upscale and raise up the type of work that the actual humans are doing.
That’s a product and a strategy component that I think is really important to us and the industry. Our size and scale allows us to tie components like the endpoint, the network and the security operations center together. To give you a perspective, there are few, if any, organizations out there other than us that can do that, especially at our scale. It’s important to look at the problem differently than just, ‘how do we make 4 or 5 million cybersecurity professionals in the world?’ As a society, we’re just not going to do it. We have to leverage technology to solve this problem. It’s a foundational underpinning of what Palo Alto Networks does.
