Cyber Resilience through Public-Private Collaboration with Erin Joe

Alberto Yepéz [AY]

My name is Alberto Yepéz and I’m your host today. I am very excited to have Erin Joe as our guest. Erin is a national security and cybersecurity expert. She has served our nation as a former FBI leader and has experience working with both government entities and the private sector on cybersecurity challenges. She moved to the private sector as part of Mandiant’s leadership team, and with Google’s acquisition of Mandiant she’s now part of the office of the CISO. In that role, she has an opportunity to provide guidance and advice to many boards, groups, and entities. She’s very engaged in helping groups try to focus on cybersecurity. She’s on many advisory boards including Shared Assessments, CyberSat, INSA, and the Forgepoint Advisory Council. Erin, welcome and thank you for your service to our nation.

For the benefit of our audience, who is Erin Joe? What were your beginnings? It’d be great to get to know you a little bit and then we can get into your career afterwards.

Erin Joe [EJ]

Sure, thanks, Alberto. I really appreciate it as always. You’re so gracious. I think you and I really connected on some of our background. I came from humble beginnings. I grew up in a small town. It started with a calling on my heart where I wanted to be an attorney, an FBI agent and president; two out of three- I’m satisfied. I share that because I want people from all kinds of backgrounds and all walks of life to share their dream with other people. If I hadn’t done that, I wouldn’t have gotten support from people who ended up helping me get through college, law school, and eventually into the position where I am today. So many things that we do in life are with somebody else. Somebody giving us a hand, advice, guidance- those types of things really matter. Share your vision and your dreams with other people and let them help you.

I’ve worked in male dominated environments most of my career, whether it was as an attorney or in law enforcement or now in technology. I wasn’t always immediately welcomed into those environments until I brought my unique skills and abilities- or at least my strengths- into that environment with problem-solving, communication, building trust, and collaborating effectively. Working with people, understanding what’s important to them, and helping them achieve their goals while you’re getting their help to achieve yours. Using my legal background to overcome obstacles, get favorable decisions, and get things over the finish line to do things we’ve never done before. That’s when you start to see the value of diversity (I know that you’re a huge diversity champion). I wanted to incorporate that because when you look at my background, it doesn’t scream cybersecurity expert until you walk through my career. Then you see it unfold.

It took time to learn about investigations and threats. I remain committed to continuing my education so that I can get more technical expertise. I think that the success that I’ve experienced over all those years really came from being part of diverse teams, where some people were deeper in technical skills and abilities but I brought other skills to the table.

I think that you see the different commitments that organizations have for continuing education. Google Cloud has partnered with SANS, Coursera, Cyversity, Women in Cybersecurity- all these great organizations to help increase cyber knowledge across diverse groups of people. I share that because if it weren’t for those kinds of things, I wouldn’t even be here today talking with you.

AY

You’re in an amazing platform and we’re familiar with some of the people and teams you work with. We applaud the fact that a lot of companies talk about D&I and ESG, but it’s important how you lead by example. I’m very, very excited that you have that platform and also the ability to share your own journey, because it’s very inspiring.

You started as an administrative law judge. What attracted you to the FBI?

EJ

I’m still a licensed attorney in Texas. I’ve always been very motivated by fairness, justice, and security. I really care about enabling a more secure way of life. Of course, early in my career, that was physical security because those were the biggest threats we had then. Then, it was to protect us from terrorism in a post 9 /11 environment. I saw the changes and evolutions that happened with respect to our priorities and how we had to shift and change.

I changed with those priorities, I followed where the world was going and served in a variety of different parts of the organization as well as different geographic areas.

That’s not where people typically think of as a place of innovation, but it is. I was a change agent and had the opportunity to implement large organizational changes numerous times. I changed the way we handled our investigations; I changed the way we handled our confidential human sources; I changed the way we collaborated with the private sector; and I even implemented new technologies and brought them into government. That really gave us the opportunity to shift from being reactive into being far more proactive in addressing every aspect of that ecosystem that we needed to change and modernize so that we could make that shift into being much more proactive.

I was in a position to live through and see the way that companies and governments around the world handled some of the worst breaches and attacks that we’ve ever seen. I was able to take those best practices and lessons learned and continually improve upon them and implement them time and time again. You don’t always get a chance to do that. You don’t always get a chance to see how you can adapt. We used to practice for any number of things, especially when I was in Los Angeles. We used to say that we could practice for an earthquake very similar to the way we would practice for a terrorist attack or prepare for cyber attacks. We recognized you can’t prepare for everything, but you can prepare for almost anything. There are certain people and processes in place that you can exercise and develop and continually improve so that you know the way you’re going to mobilize your resources for each, or almost any, situation.

80% or more of our critical infrastructure is in the hands of the private sector. How are we going to bring down the walls that separate us so that we can get better information to them and from them. Really looking at: How do we improve that process? How do we speed it up? How do we speed up our response? How do we work together in advance of threats and problems? I dedicated myself to improving all of those processes and focusing on resilience because I know attacks are going to happen. Adversaries will always be there. They’re persistent for a reason They have their own agendas. So, we must be resilient. We have to be proactive. We have to better defend and we must be resilient on the back end of whatever attack we face. I think this really boils down to two things.

One: How well do you understand the threats? Public-private partnership and information sharing is critical to having a full threat picture. Two: How strong is your security posture? We’re changing all the time with new technologies and capabilities so that we can improve our defensive posture and security posture, but about more than just technology. It’s the expertise that goes behind it. It’s the experience and it’s the collaboration with people who come at it from different perspectives who can say, “Here’s a new way to implement some of these security practices that’ll make you more resilient.” Three: How well practiced are you? If you don’t practice, you’re not going to be ready. Four: Do you have the right team and communication plan in place to be resilient and get through these situations and manage a crisis when it happens?

All of that informs how confident you are that you can to respond when something happens. Those are the things that really drove me into the work that I do.

AY

It’s amazing what 9 /11 taught all of us. Before, there was expertise among different groups that had excellent capabilities, but we were not working together. We were not communicating. We were not collaborating. 9/11 was a wake-up call: never again. That’s really what got people moving. It wasn’t just amongst federal agencies and the state- it became a private-public partnership. A lot of people say “FBI agents are just investigators” but the fact that you got engaged with boards of directors to provide counsel, advice, and prevention is beyond that. You taught us that cybersecurity is a team sport.

One of the challenges we face as a community is that, especially when we’re trying to inspire others to follow, they think that you must be an engineer to come into cybersecurity, that you have to write code. That’s not true. There is a lot more to be done and a lot of other skills that need to be part of the overall team to be effective. Can you reflect a little bit on that? You come from a non-traditional background and now you’re sitting in one of the biggest platforms in the world trying to inspire others to be effective against imminent threats. How can we inspire the next generation to come into our sector and make sure they know you don’t have to be a coder?

EJ

I think that’s a relevant point. I’m not a coder and many people who are helping in the cyber security world are not coders. We need coders and I want to encourage people out there to get those technical skills, but I also want to encourage you that wherever your strengths may lie, there’s a place for you in cyber security, whether it’s in the communication side, the legal side, marketing, or in partnerships.

When I was in government, I often worked with private sector companies trying to break down walls and increase collaboration, getting them to understand how to work with law enforcement and the FBI as an intelligence organization with wide authorities and capabilities. That brought them into a larger ecosystem with the US government, allies around the world, and with other private sector companies. You start to see the power of different strengths when you have that collaboration. People bring a wide range of skills to have impact against threats, with leadership of all kinds. You might be leading the security apparatus of an organization, or you might be a leader who has to decide whether certain information gets shared, or whether you’re going to collaborate with another organization. Cross-organization collaboration is just as important as it is with government.

We need leaders who understand the inner workings of relationships to build collaboration the same way they’re able to build technology to solve problems. We have to build networks and build collaboration and communities. You’re always building a community, Alberto. I think that that’s such a valuable thing that you focus on. It’s something that resonated with me when we first met. That takes interpersonal skills and the ability to know how to legally work together, how to practically work together.

There’s a lot of different skills and backgrounds that come into play if we’re going to make the world safer. That’s what we’re all trying to do, whether you’re trying to bring a new technology into the world or trying to defend yourself. If you’re defending yourself, understand that you can benefit if other people are sharing the same way that you want others to benefit if you share. You become part of a larger ecosystem.

AY

It’s interesting that you bring up the topic of leadership. Leadership is something that you have to believe in to provide guidance to a broader group. I think in our industry, the top impact we have in leadership and companies is at the board level. You find yourself working with many boards, trying to educate them about existential threats, issues around breaches, how to prevent them, and how to invest in cybersecurity. At the same time, cybersecurity professionals can join boards- you’re a prime candidate to be a board member.

Any guidance from your own journey to not only engage and also work with boards? How do you make sure you become recognized as a true leader, whether as a great board member or by working with boards. Any reflections about how to get more cybersecurity professionals on boards and your own journey?

EJ

I think that’s really interesting because I see it from a variety of perspectives. One, how do we increase the knowledge, experience, and expertise on boards as well as with the security professionals with whom they interact to bridge communication gaps. Sometimes communication is a factor and sometimes the knowledge gap is a factor. We need to work on both. Which things belong in security professionals’ hands and which things do I need to care about as a board member from a leadership perspective, since I’m responsible for the larger organization, the direction of that organization, and the security and success of that organization?

Security professionals need to be looking at risk in a way that’s going to make sense for that organization. As a board member, my questions need to be at that higher level and I should be talking to those security professionals not just at board meetings but outside of them as well. but Those communications are critical to gain understanding and build effective trust with that security team as well as with the board and leadership across the organization. Everyone should be marching in the same direction- you need a lot of mutual understanding before you can march in the same direction. I think that’s really critical and requires collaboration and interpersonal skills as well as basic knowledge and expertise.

Everyone, whether you’re a board member, a security professional, or are in a non-security board position, can improve their education in technical areas. It’s about thinking “What do I need to care about from an organizational perspective? I need to care about how we are looking at risk; how we are educating ourselves on the threats that matter most to the organization; how I am increasing my awareness globally; how I am thinking about my organization locally and where we fit into the global landscape.

We’re a global society. Something happening in another part of the world could still impact your organization. Think in terms of: how can I get enough awareness about the broader threat landscape, understanding its impact to us as an organization, and how I can ensure that information flow will happen seamlessly and at speed in the organization? What is our defensive posture? How proactive are we?

What are we doing proactively to take intelligence and operationalize quickly in two important ways? One, with technology and two, with our people. We have to augment our people. We have to augment our security programs with technology. We have to make the most of those limited resources that everybody has. We’re never going to solve this problem with just sheer numbers of people- that’s where technology is really critical. We have to leverage technologies and stay current with technologies. Old practices won’t help us in the current threat environment, particularly with the way threats are changing today with so many nation-state threat actors as well as criminal threat actors getting more aggressive and more capable than ever before. We need to think about how we are keeping pace and changing our approach to security to stay protected.

That leads to that last question: how would we respond? What is the community we would bring in to support us? It takes a team of experts both internally and externally to be well prepared for an event. You want the benefit of people who’ve done this thousands of times before. You want to bring in that expertise when you need it so that you can get through with resilience.

AY

A lot of people don’t know the Office of the CISO at Google. It’s an interesting investment that Thomas Kurian pursued, bringing in people like Phil Venables that had been in the CISO role multiple times. Phil evolved to become a board member as part of Goldman’s attempt to get into the consumer market, but creating that office of the CISO brought in a lot of different global skillsets from people like you, former CISOs. It’s not just the Bay Area or in New York, I have met many of members of your team in London and Paris and Spain and other places. You’re making huge investments. I think a lot of it is trying to help with practical advice because you’ve been there and done that.

As it relates to AI, for instance, can you talk about how the market is changing? I know you’re doing a lot of work to educate and create an education framework around AI. Can you speak a little bit about what the Office of CISO at Google is doing to help people can get ahead of threats?

EJ

We publish blogs and thought leadership, and we also do public speaking. I’d visit our website and see the types of things that we’re sharing. We provide board perspectives that support boards with thought leadership and ideas on engagement. We also provide information around securing AI. We have a framework on securing AI framework- SAIF.

We also look at what it will take to bring speed and scale to the threat landscape in today’s world. That was a large driver, I think, behind Google’s Mandiant acquisition. I’m sure there were many different drivers behind it, but one was being more proactive as well as increasing threat response. This takes threat intelligence. Mandiant has rich threat intelligence they’ve gathered over years from a wide variety of sources and incident response capabilities. Couple that with Google and what they’re seeing on a day-to-day basis protecting billions of users with Gmail, other Google Cloud offerings, and the suite of Google products and services. Look at that plus VirusTotal, another Google acquisition. That’s a lot of great security information and intelligence that Google has at their fingertips every day, seeing current threats as they unfold. Then, Google applied their engineering expertise to training large language models in security.

Google’s been involved in AI for 18 plus years, since the very beginning. AI is not new, it’s just a matter of how it’s developed and evolved. They’re very careful to only deploy AI securely. It’s an absolute priority in everything we do. The basic principles are secure by design, default, and deployment in everything we do – that includes AI.

You’ll see that we have great capabilities and we’re bringing those out into the world in ways that we feel confident in security as well. We have large language models that we’ve trained in security. We’re applying that AI capability to security so now we can use that training and the scale of Google to bring in other feeds of customer information into the environment. We use automation to escalate threats to security professionals as quickly as possible, in natural language. We bring it to them, explain what they’re seeing in their environment, and make recommendations about which next steps to take. We also provide an executive summary of what’s occurring. Now you can get to solutions so much faster. You can get to prevention or response so much faster. You have greater confidence that you’ve seen the environment, not only from what you’ve included from your intelligence feeds, but that of the experts who are on the ground every day. That is the complete picture they’re bringing in- applying AI to it responsibly, and then putting that in the hands of defenders who can then make better decisions, educating and responding faster.

AY

What are the areas you’re concerned about with AI? We just had an event yesterday for our Forgepoint community here in San Francisco on different applications of generative AI and security. As you see areas of concern, both in the attacker landscape as well as in the responsible use of AI, is there anything that you are reflecting on and trying to help influence around overall adoption of this technology?

EJ

We’re looking at how do to take all of our learnings, knowledge, and expertise and apply them. That’s why we’re committed to publishing the security framework that I referenced before, because we do want to encourage the responsible use of AI.

I think we look at it from two different perspectives. How do you secure the use of it and then how do you use it in security? I talked about how we use it in security and that’s where I’m most passionate and have expertise. I want to see us apply those technologies responsibly for the defender’s advantage to make us more resilient and more responsive. I also think about how we help secure what’s out there for others to use- paying attention to the models, the data, how AI is trained, and how you’re using it. It’s going to take a framework of sorts, whether it’s ours or another that’s out there. We have to be proactive, looking at different considerations before you actually use AI. We are concerned about things like bias in training or the data. We are concerned about hallucinations. We are concerned about things that may be unintended.

How do you detect problems and issues that were unintended as you’re using the technology? By building capabilities with detections and guardrails around use. It’s absolutely critical. That’s going to take a lot of review from the user side on how users are technically able to do things, as well as responding and being compliant with legal requirements. How do I stop something? What’s my ability to stop something if I see that is not going the way that I intended or isn’t being used responsibly?

You must think about who has an interest in the technology and who you need to protect while using AI. This means protecting their information and being able to notify them if there’s a concern with their information. Also, minimize or reduce the impact on someone else.