Phil Quade spent 34 years at the National Security Agency, rising to the role of Director, Cyber Task Force, and Special Assistant to the NSA Director for Cyber. In that role, he dealt with some of the worst actors in the cybercrime world. Upon retiring from the agency, he moved to the private sector as the Chief Information Security Officer of Fortinet. This was a coup for the company, as Quade brings remarkable depth of experience to his role. Now he works for a company where his customers are often his peers. When he speaks with them, he does so not only as a fellow CISO, but also as someone who speaks with authority on what it takes to develop solid offensive and defensive approaches to cybersecurity.
In this interview, Quade provides an overview of his career, his thoughts on the best approaches to securing the enterprise, the role that artificial intelligence and machine learning play in augmenting cybersecurity approaches, and more.
Peter High: You are the Chief Information Security Officer of Fortinet, a security company based in Silicon Valley. Could you describe Fortinet’s business for those who are unfamiliar with the organization?
Phil Quade: Cybersecurity is an enabler of business. While many businesses built in the past have been structured around producing widgets, today’s economy is about data, and there is no data economy without cybersecurity behind it. If you are in the business of using data to run your company or government organization, data moves at cyber speed. Because of this, nearly 20 years ago, our founders established a company that was built around a foundation of cybersecurity done at speed and scale.
High: Where does your cybersecurity offering begin and end?
Quade: Our foundation is based on segmentation, which involves creating strong and agile fortifications around your assets to make sure that only the right people get access to them. Fortinet started off as a humble firewall company. The firewall has been around since the early days of cyberspace, and it intelligently controls access to a valuable asset. We built out a portfolio that now includes many variations of those firewalls. These variations range from those that work at extraordinary speed and reliability to those that work on your desktop on a smaller scale to those that work in the cloud.
Since establishing our foundation, we realized that in order to be successful, you need to have layers of defense. This may entail having defense within the core of your network or way out on the edge where users are sitting at their desktop or riding around in their automobile. Further, security is increasingly needed as people move up to the cloud, which is the place where you can quickly marshal resources owned by somebody else. Fortinet is built on a range of solutions, so we cover things that work at the end point, the core, and upwards in the cloud. In each of those areas, the integration of those solutions is immensely important for those who are buying them. When I was in the intelligence and defense community, I often saw adversaries coming at us with multi-faceted approaches. Fortinet provides the ability to take its solutions and integrate them together so you can do team-oriented defense. This allows you to protect at the time and place of your choosing.
High: As we think about physical security, there are norms and aspects that are quite literally tangible. However, one of the challenges with cybersecurity is that you cannot touch the cyber realm. Can you talk about your approach to cybersecurity risk?
Quade: Traditional cyber domains are rapidly integrating with physical domains. For example, factories and critical infrastructure use a class of technology called operational technology [OT], which ensures the safety and reliability of physical operations. That said, while the convergence of their systems with traditional IT is creating new opportunities for efficiencies, it is doing the same for adversaries. Not only does this allow adversaries to come in and do data breaches, but they can cause physical compromises to occur. These compromises have the ability to negatively impact the safety of a human being or the reliability of the entire plant.
Regarding risk, folks who have spent most of their lives in the IT world can learn quite a bit from those who have spent years running critical infrastructures or industrial automation systems in the operational technology world. Risk is a combination of a vulnerability, a threat, and a bad consequence that results from that. The folks in the OT world identify the bad consequences they want to avoid up front, and from there, they work to engineer them out of their system so they can never happen, even if there is a vulnerability or a threat. This methodology is appropriate, not only to the OT world but to the IT space as well. In fact, we use this in our C-suite at Fortinet. Taking this approach leaves the folks who run the company’s security operations to mainly focus on finding and fixing vulnerabilities and addressing threats. If you can mitigate consequences, it significantly reduces the amount of risk that you have to manage.
Speaking of operational technology, there is an emerging domain that I am calling CyPhy, which is the integration of cyber and physical. The emergence of millions, if not billions, of devices on the Internet of Things [IoT] is going to cause a fundamental shift in opportunity for those who can leverage them. Many of us wear fitness trackers on our wrists, which represents commercial IoT. Moreover, many businesses are embracing sensors inside the shopping environment, which represents commercial IoT. On top of this, there is industrial IoT. As you converge the physically oriented domains with the cyber domains, you have the opportunity to combine data from the physical domain that provides insights such as temperature, color, proximity, speed, and heat. All of a sudden, you have the opportunity to go in new directions that were not previously possible.
Self-driving cars, for example, have a combination of sensors of the physical environment combined with some high-end processing in the IT domain. I believe that is a good comparison for what is going to happen in the CyPhy domain as there will be many IoT appliances. We are going to see the emergence of smart buildings and 5G wireless, the latter of which represents a massive increase in speed out at the edge for wireless communications. Those dynamics are going to create a new domain that will allow us to achieve some new efficiencies and conveniences that we have not yet imagined. Simultaneously, it will create some challenges for the cybersecurity folks, and Fortinet is actively moving out to help secure this CyPhy domain.
High: I know that you are also interested in the science behind cyber. Can you talk a bit about that?
Quade: As I previously mentioned, Fortinet was built on speed. When the internet was first invented in the ’60s, it was built on two fundamentals:
- Speed. We wanted to greatly increase our ability to send information back and forth;
- Connectivity. We wanted to immensely enrich people’s ability to communicate with each other.
When Fortinet looks at these fundamental elements, we say, “if you are going to develop a cybersecurity solution, you better create one that is built on speed and connectivity.” This goes back to our strategy of making sure that we have the fastest possible cybersecurity solutions out there and the ability to connect them together. Doing so allows us to do cybersecurity as a team through integration and connectivity, similar to how the rest of the internet communicates by connecting people and systems together.
We are looking to treat cybersecurity as a science. Hundreds of years ago, when physicists invented physics and chemists invented chemistry, those scientists realized that there were fundamental facts they needed to discover, and they knew that they needed to figure out how those facts interacted. Cybersecurity needs to act in a similar way because we need to comprehend cybersecurity’s fundamental elements. We need to understand the core strategies that we need to implement and the complex elements that we can layer on top of them. Treating cybersecurity as a science starts with building on a foundation of speed and integration.
High: While the laws of physics do not change, the cybersecurity threat landscape is forever evolving. Adversaries tend to be quite bright and well-funded. As you think about applying science to this, how much of that evolves over time, and how much do you see as something that is timeless?
Quade: You need to be agile in your strategy and its implementation. Five or ten years ago, cybersecurity was mostly about identifying viruses and controlling their outbreaks. Today, the threat vector involves email attachments with the intention of achieving a ransomware situation, so the landscape has dramatically changed. The techniques have evolved, and the motivations have changed. One intention may be to cause disruption, and another may be designed to commoditize. Adversaries are seeking to cause digital and physical damage. We need to determine how we can prevent adversaries from using cyber effects to cause physical effects on the critical infrastructures that could jeopardize the safety and reliability of crucial elements of our economy. Some vectors will target us from a denial of service perspective, and we will have some that target us from a data hostage perspective. Breaches are an enduring problem, but the future is about protecting the physical assets that are connected to cyberspace.
High: Many organizations separate physical versus cybersecurity because they consider them as two different disciplines. You are arguing they need to converge. Do you believe they should be part of the same department? Should they have a single person overseeing the two to make sure that the team responsible for one is sharing information and is cognizant of what is happening in the other?
Quade: At a minimum, the planning and strategy around how you implement cybersecurity, operational security, and physical security need to be integrated. Management-wise, you can have one person in charge, or you can have three people in charge. I would personally prefer to have one person orchestrating the integration across all three. When I was in the intelligence and defense community, gaps between those initiatives were taken advantage of. While adversaries may not be able to get into a system through a cyber vulnerability, they could use another vulnerability in the physical domain. Within this vulnerability, they can use a physical insertion point to put in a cyber tool. We had to detect and fend off those blended attacks.
High: You are the Chief Information Security Officer of a company that serves Chief Information Security Officers. What opportunities does that provide you, and what do you believe you provide to them as a peer?
Quade: I have three major credentials that help me.
- I work for Fortinet. Fortinet has a stellar reputation as it is broad, integrated, and automated. That reputation itself gets me into meaningful conversations with customers and potential customers about what they need to do to help secure their systems;
- I am a CISO. Being the CISO, rather than just an executive, gives me more of a connection with the people that I am talking with. CISOs know that the position is about protecting the company and making it successful, which is an extremely complex job. Because of this, many of us believe that CISOs have to support each other across organizational lines;
- Prior to joining Fortinet, I spent 34 years in the U.S. intelligence and defense community. Over the years, I looked at intelligence and offensive operations to protect our government’s classified information systems. Many people believe that background adds perspective and credibility to what I am doing in the commercial sector. When you have only worked in the private sector, it is impossible to have a complete perspective on cybersecurity. For example, you will never be told to conduct foreign intelligence on a nation-state adversary.
High: You do have that unusual background. As you just mentioned, you spent 34 years at the National Security Agency prior to joining Fortinet. Your final position at the NSA was as the director of a Cyber Task Force and a Special Assistant to the NSA director for cyber. Could you further elaborate on the advantages of having that government experience and the broad purview that it has brought to Fortinet?
Quade: Serving those agencies and departments in the public sector gave me first-hand insight as to how to work at high speed with scale. Further, I got a good feel as to what the foreign adversaries were seeking to do to friendly governments across the world. The private sector is mainly focused on delivering strong customer experiences, making profits for the stakeholders, and providing a good environment for their workforce. As I previously mentioned, a commercial organization is not tooled to dive into foreign adversaries. I believe that having experience in both sectors is the best of both worlds. At Fortinet, I am quickly learning what it takes to build a profitable, forward-leaning company, and I appreciate the opportunity to help do that. On top of that, I bring a deeper perspective that you simply cannot get in the private sector. I believe there are benefits to each. Having a rich dialogue between government folks and private sector folks around what each is seeing in the cyberspace domain is extremely helpful because each of them has a unique perspective.
High: As I previously mentioned, you are the peer of many of the company’s customers, and you are a big user of them as well. Can you talk about how you use Fortinet’s own offering? Further, could you provide guidance on the product as a peer to those whom the organization serves?
Quade: I would not be all that credible as Fortinet’s CISO if I could not say that I use Fortinet’s products inside the company. I am user number one of Fortinet’s products and services. Doing so gives me a great deal of insight into our products’ strengths and weaknesses, and it gives me the opportunity to talk credibly about how Fortinet’s products can be complemented by our many partners. Fortinet is an ecosystem-type company. While we have many products and services that we build ourselves, we work quite heavily with a number of commercial partners to integrate their capabilities across something we call the Fortinet Security Fabric. We have many fabric-ready partners, which creates an ecosystem of Fortinet products and non-Fortinet products. Together, these products can provide an exceptional customer experience to the user. Leveraging our products and non-Fortinet products gives me more to talk about when I am advising customers.
High: What are some trends that are beginning to excite you?
Quade: We need to get to a place where machines are better serving people, rather than people serving machines. As big data has emerged over the past 15 years, that data has overwhelmed people and the machines that run it, so we spend too much of our employees’ time managing machines. We need to get away from that, which is where the potential of machine learning [ML], artificial intelligence [AI], and intent-based security comes in.
In addition to Fortinet’s wide range of connected products, we have a large back-end organization that does full-time threat research. This organization pushes insights through the Fortinet Security Fabric across all those areas, such as the cloud, the core, or the end point. This used to be a relatively manual process. People would conduct research on a threat, turn them into indicators or signatures, and then push them out to the security fabric. For the past five years, we have used machine learning to do that on a massive scale that could never be done by people. We are looking at billions of pieces of malware using ML. From there, they are characterized into signatures or indicators of compromise, and they are automatically pushed out. ML allows us to highly leverage machines to do the work that is better suited for machines, rather than sucking away precious hours from our cybersecurity specialists.
At Fortinet, we are putting in the pieces that will lead to AI. These pieces are based on a foundation built on speed and a large back-end processing capability, as well as the ability to do something out at the edge where you could tailor it to the last mile. For example, Amazon and Google appliances are not that smart, but they are relying on a large and smart back-end that pushes some pre-computed wisdom out to the edge. I believe Fortinet is well prepared to implement that AI-based architecture with the back-end, speedy communication architecture, and additional speed at the edge. AI is no longer simply the wish list of the computer scientists from 1985; it is right around the corner.
Intent-based security is here today. Intent-based security goes back to having machines serve people, rather than the opposite. For example, intent-based security allows you to say, “I want to make sure, for example, that dishwashers never talk to TV sets.” You can create rules that people understand, and your computer can take those high-level expressed rules and implement the human’s intent. After you describe your intent, the technology can simply implement that intent. This is great because it reduces the complexity of managing those systems while increasing the precision.
Lastly, I am excited about AI-augmented decision making. Today’s executives make decisions based on some combination of data, experience, and instinct. It can take 15 seconds to make a decision, or it could take much longer. AI-augmented decision making recognizes that you typically look for that information on data point A, point B, or point C, so it automatically pushes that out in front of you to make sure you are considering your regular data points. It may even suggest a solution for your consideration. AI today is mostly thought of as machines interacting with data, but AI’s future will increasingly be interacting with people to enhance our decision making.