Federal Tech Podcast: for innovators, entrepreneurs, and CEOs who want to increase reach and improve brand awareness

John Gilroy
Nov 7, 2023 • 20min

Ep. 104 Can AI Assist Federal Software Development?

Artificial intelligence in software development has been top-of-mind for federal technology leaders since ChatGPT was popularized. This concern is documented in the recent "Request for Information on Open-Source Software Security: Areas of Long-term Focus and Prioritization," which was issued in August of 2023. Their concerns include the Secure Open-Source Software Foundation, incentives to secure open-source software, as well as research and development. If you are interested in commenting on this RFI, you may want to review a recent survey by GitLab. GitLab recently published its 2023 Global DevSecOps Report: The State of AI in Software Development. They surveyed 1,000 software professionals and asked about concerns ranging from data security to training. Today, we will sit for an interview with Bob Stevens, the Vice President of Public Sector at GitLab, to focus on this study and where its results may be applied to federal agencies. One curious finding of the study was the fact that software developers spend 75% of their time on concerns that do not include writing code. Because software development is changing so fast, 81% of respondents indicated that they needed more training.
Follow John Gilroy on Twitter @RayGilray
Follow John Gilroy on LinkedIn https://www.linkedin.com/in/john-gilroy/
Listen to past episodes of Federal Tech Podcast www.federaltechpodcast.com
Nov 2, 2023 • 25min

Ep. 103 Effective data management at end of lifecycle and after a breach

If you have ever raised teenagers, you know the phrase, "unintended consequences." In today's world of federal technology, this concept can be applied to data storage. What are the consequences if you do not thoroughly erase data? It could be an open door for data leakage. For example, what happens when your agency moves data from one cloud to another? Is it erased? How do you know? Let's talk about the 500-pound elephant in the room – a cybersecurity event. Today's malicious actors have been known to place trojan horses in other areas of a system. The concept of data sanitization is a concern for many federal leaders. OK. We know we have standards for data erasure. Civilian agencies have heard of NIST 800-88 and the folks at the Pentagon know DoD 5220-22 M/M ECE. That is all well and good if applied properly. Many breaches occur because of human error; the same humans are tasked with applying these procedures for data sanitization. Maurice Uenuma from Blancco gives a great overview of some of the problems with effectively administering data erasure. He brings up some issues that you may not have considered:
· In a world of feds at the edge, what happens to data stored on remote devices?
· How to automate erasure to make it compliant and secure
· End-of-life cycle issues apply to software development and hardware as well.
· Scalable storage is great – what happens to the dynamic elements of data storage?
Oct 31, 2023 • 24min

Ep. 102 Trends in Cyberlegislation and Threats

It is always nice to occasionally get out of the trenches to look at the larger issues. Today, we sat down with Michael Mestrovich from Rubrik. He has decades of experience in three-letter agencies and has a perspective that is hard to match when it comes to getting a handle on current trends in cybersecurity. Michael gives a quick review of current trends in cybersecurity legislation. He notes that many have overlooked something as simple as the Internet of Things. IoT is projected to have as many as 30.9 billion endpoints by 2025. Much of this technology is quickly placed without proper understanding of vulnerabilities. He suggests that much of it is in a deploy-and-forget type of implementation. This casual approach can drastically increase the attack surface for a federal agency. Michael moves on to some of the current threats that are facing federal technology leaders. In order to get a grasp on what is prevalent, it is possible that people in the intelligence community may struggle with sharing information on threats. When it comes to Artificial Intelligence, Michael thinks that it can have a positive impact on security when used in areas like automation. Resilience is a term that is popular among leaders at the DoD, but it has application to civilian agencies as well. Rubrik has proved itself over the years in knowing how to gain visibility into a network and then having the ability to create immutable backups that are a good strategy at preventing malicious actors from planting code in backup copies.
Oct 24, 2023 • 13min

Ep. 101 How to leverage your podcast appearance

This is John Gilroy. It is hard to believe that I have done over 1,000 podcast interviews. Some guests get four hundred impressions on LinkedIn, and some get 4,000. How do you explain the difference? -- keep listening . . . Hit the music, Manny . . .

Ever since Covid, I have been doing lots of in-person interviews – at BBQ places, Fish Shacks, breweries; we have had fantastic success; most guests ask how they can leverage their appearance to increase reach and improve brand awareness for their company. Let me share with you four ways to take advantage of your podcast appearance.
· Tell the story visually.
· Be specific.
· Make it easy to reach you.
· Ask

Number ONE: Tell the story visually

I realize this is counter-intuitive, but our small human brains react to images much better than audio or text. Studies have shown that your optic nerve is 40x faster than your audio nerve. So . . .
· Make sure you have a great publicity photo. I have changed the publicity photo on LinkedIn for clients and have seen their followers double.
· Even better, get a photo doing the podcast face-to-face; it's not that difficult. You can ask the podcast producer if they can record at a conference. The "where" is not important.
LOGO: When you do your promotion, people will see the image first. An image of a guest in a Zoom and an image of a guest in front of a microphone with a logo is like night and day.
· You need three elements for a successful on-site interview: a microphone with a logo, a professional photographer, and an audio engineer.
MICROPHONE: A "flag" is the logo that appears on a microphone – make sure you have one.
PHOTOGRAPHER: The professional photographer will get you fantastic images for promotion, but also for your LinkedIn profile, and your website. You can use it when you ask to get on other podcasts.
AUDIO: An audio engineer using a directional microphone can bring life to the interview. The listener hears noises in the background, it makes the interview authentic.

Number TWO: In order to be terrific, you gotta be specific

Before the interview, rehearse a short "origin" story and a "customer benefit" story, include details and colorful language.
Example: Yeah, we have been in business for a while now.
Example: We were founded in 2016 by two Google engineers who had a better idea of how to manage networks.

From there, develop statistics about the problem you solve. Listeners will remember the story, but the numbers will make it emotionally comfortable to justify listening to the podcast.

Covid has really had an impact on system administrators managing cloud applications; how has Covid impacted your log volumes?
Example: Many companies have increased the numbers they manage
Example:
· Before Covid we were managing 200GB per day in log data
· After Covid, we now manage 100TB a day in log data.

Number THREE: Make it easy to reach you

· This is equally true if you have a big company or a small company.
Example: just look me up on Google, my name is Dennis Szymanski. That's hard. I have interviewed companies like Kenetica, Savyint, Ardalyst.
How to make it easy: register an easy to remember website and redirect it to your company.
Example: I got a tough last name, Szymanski. The best way to contact me is with my website, federal tech podcast dot com. My name is hard to spell, but the fundraiser is easy: bike for your beer dot com.
You can expand this to your call to action at the end of the interview. Once you have an easy to remember website, then have a call to action that will benefit the listener.
Example: Go to FederalTechPodcast.com and download the scorecard on How to Leverage your Podcast Appearance.

Number FOUR: Ask

· Ryan Leveque once wrote a book with a one-word title -- "Ask," let us apply "ask" to your podcast appearance.
· Ask the host to mention the call to action verbally and on the show notes page with a link.
· Ask the listeners to download the valuable PDF from the URL you mentioned.
· Ask your company to include your appearance on the company website – you can slip it into a blog, a press release, or an event.
· Ask your social media team to prepare for the release of the interview and then hit hard, especially during the first 72 hours. Personally, for each guest I do 25 Tweets, audiogram, LinkedIn, transcript, show notes with image logo, and link to company: email, paid advertising, and much more. If that is what I do, your team should double my efforts.
· Ask your followers on LinkedIn to comment, not like. A twelve-word comment is worth a hundred "likes." You can prime the pump by asking questions – "What do you think of a software bill of materials?"
· Ask to get on other podcasts based on your appearance – now you have a website with a show notes page to reference when you approach other podcasters.

Conclusion: how to leverage your podcast appearance.
ONE Tell the story visually, not verbally.
TWO Be specific.
THREE Make it easy to reach you.
FOUR Ask

I'd like to thank our guest, John Gilroy, moderator of the Federal Tech Podcast.
Oct 17, 2023 • 34min

Ep. 100 Understanding Threat Intelligence for Federal Systems

Traditionally, a cyberattack would be identified, and the remediation process would begin. The effectiveness of this is questionable because not all attacks are discovered. Secondly, even if they were discovered, the malicious actor may have left files in areas for future exploits. Because of this logic, we see a new emphasis on threat detection. In fact, in July of 2023, the Department of Homeland Security issued a report to Congress called "Threat Hunting." This nineteen-page report covers areas that include the number of services to review, the time required, and the number of personnel to deliver this service. This initiative is one reason to listen to today's interview with David Monnier, the CIO from Team Cymru. David is also a seasoned threat hunter with decades of experience, including a stint in the U.S. Marine Corps. During the interview, David talks about the challenges in threat hunting that federal leaders contend with, which range from lack of tools to undocumented baseline activity to the lack of executive-level support. He begins with the simple identification of an IP address that a federal leader may have uncovered in a threat analysis. Many questions must be asked: Is it just you or is someone spraying the entire Internet? When was this discovered? What do other organizations have to say about this IP address? David expands on what is called "pure signal." This is a concept that gives you an understanding of the source of these events and what infrastructure this malicious code can be found in. Real threat intelligence gives you the tools to put attacks into perspective. One final concept is that although federal-based threat hunters have a great capability, not even sophisticated federal threat-hunting systems have the kind of experience in the commercial world to be able to understand the nuances of today's sophisticated attacks.
Oct 10, 2023 • 30min

Ep. 99 Explainable Artificial Intelligence

Arthur C. Clarke once wrote, "Any sufficiently advanced technology is indistinguishable from magic." This observation certainly applies to Artificial Intelligence. Unfortunately, there are federal agencies that aren't quite enthralled with "magic", and they do require some information on how AI derives its conclusions. Kind of like your high school math teacher asking you to show your work on that last answer. Today, we have an accomplished practitioner of AI giving listeners an idea of what understanding AI is. The interview is based on a recent article Patrick Elder wrote called, "Explainable AI." The challenge is obvious – AI is based on bringing in massive amounts of data; it could be in the form of words, code, or images. This is all well and good if you are a high school student and want some help with writing a paper on, for example, Arthur C. Clarke. The federal government is challenged with storing sensitive information and not all of it is permitted for collection to render AI effective. Patrick Elder details three approaches: white, black, and glass box. The black box approach gives results and humans don't know how they derive conclusions. The white box is transparent about how it gets conclusions. These are both contrasted with a model called the glass box. During the interview, Patrick provided examples of explainable AI. If you would like to dig deeper, you can read his article, "Explainable AI: How XAI Puts the End User Back in the Driver's Seat."
Oct 5, 2023 • 27min

Ep. 98 What Federal Leaders Need to Know about Cloud Computing with David Linthicum

Sometimes, you need to pull back and try to separate reality from the shenanigans. During today's interview, world-famous David Linthicum pulls back the curtain on many of the misconceptions of federal cloud technology and puts a focus on reality. In some academic circles, David would be classified as an "iconoclast." This is quite an impressive word that means a person who attacks or criticizes beliefs. The perfect summary for David's latest book, An Insider's Guide to Cloud Computing. Let us just take a few of the opinions that go against common beliefs. Page 33 "What if the best cloud storage is not always in the cloud?" Well, finally. It takes someone with David's decades of experience to stand up to the "common wisdom" that the cloud is the magical elixir for all problems. Page 87 "Edge computing will increase development and cloud computing cost threefold" David is stating the obvious. We know that sensors are everywhere from mountains to oceans, to satellites. In a never-ending attempt to compute at the "edge," we can sometimes neglect to closely examine cost. Page 106 "Cost is overlooked when considering best development and architectural approaches" Covid has caused many organizations to spend like a drunken sailor. Covid is over. Just because it is possible does not mean it is the correct approach for a federal agency with a budget. Page 69 "When is Artificial Intelligence overkill?" Whether we like it or not, humans do tend to get obsessed with the most current shiny object. Unfortunately, they also apply it to every situation imaginable. In the early days of Excel, I once met a person who loved the flexibility of the spreadsheet so much that she used it for a newsletter. Right tool; wrong application. During the interview, David expands upon where marketing people may have over-emphasized the strength of many cloud technologies. Read the book to gain a better grasp on terms like "cloud native" and "cloud washing." 
Sometimes, the best advice is a splash of chilly water in the face.
Oct 3, 2023 • 22min

Ep. 97 Infrastructure Enables Innovation

When the history of Covid and federal information technology is written, historians will talk about the amazing ability to transition to remote workers. As in all history, when time separates incidents, one gets a more nuanced perspective. It is true that massive amounts of effort were expended. That kind of pressure resulted in overprovisioning of systems. From today's perspective, it is obvious that this transition was not as optimized for cost as it could have been. It makes sense: the major cloud service providers vary in ways they handle data and invoice for usage. It is difficult enough to understand the subtleties of one cloud service provider, let alone three. The good news: years ago (prior to the cloud), federal leaders dealt with multiple vendors. In this cloud era, handling several vendors can act as a check on overprovisioning, and distribute services so there is no need to worry about downtime. During the interview, Melissa Palmer reviews the sudden change that took place three years ago. She suggests that technology like HashiCorp's Terraform can provide users visibility into the system and the ability to provision, secure, and connect in an effective manner. In fact, Terraform is used widely in federal systems, but is pretty much unheralded. In an effort to remedy this situation, Melissa outlines the formation of a federal Terraform User's group that would provide support and inspiration for federal users.
Sep 26, 2023 • 25min

Ep 96 Data Scientist: The Sexiest Job of the 21st Century

When you use the term "data scientist" you normally think of an inarticulate introvert who is dazzled by numbers and has weak social skills. Well, this interview with Aaron Pujanandez from Excella may change the preconception. We start off with referencing an article from the Harvard Business Journal from 2012. This was probably a conceit eleven years ago, but in the last decade we have seen cheap storage, available compute, and ubiquitous fast Internet. Perhaps the title is getting closer to the truth. We begin the interview with having Aaron differentiate "data analyst" from "data scientist." The two share many common themes, including Python and being part of a team. From Aaron's view, a data analyst may be charged with providing a visual depiction of data elements where a data scientist may delve into more advanced topics like subtleties of Extract, Transform, Load, Machine Language, and code review. One of the challenges faced by federal information professionals is the volume of data to ingest. During the interview, Aaron talked about many of the aspects of selecting data and making sure it is safe in transit. Aaron provides the listener with his thoughts on selecting the right data, data quality, handling large volumes of data, data access and, finally, the all-important concept of being able to communicate findings to non-technical stakeholders. There are no silver bullets here – just an opportunity to approach large data sets and artificial intelligence from a perspective that will give actionable results.
Sep 19, 2023 • 24min

Ep. 95 How Akamai Improves Federal Security

Akamai has been a well-known partner in many federal technology projects for many years. Some of their activities are obvious – some not as easy to see as it may appear. Rob San Martin is a twenty-year veteran of Akamai and sits down to give a broad overview of some of the ways Akamai is improving federal cybersecurity that may not be obvious to the common observer.
One: Akamai sees one-third of the world's Internet traffic every day. Being in the "catbird" seat allows it to see threats that are not apparent to smaller organizations. Of course, Akamai provides this information as a paid service to commercial companies, but they also share this with federal organizations in a timely fashion. Further, Akamai has developed a method to "anonymize" threat activity to share it with the larger cybersecurity community.
Two: "Privilege creep" is an attempt to describe what happens over a period in many large organizations. A person may start off with one set of permissions and they grow and grow. After a few years, the person may have changed jobs and retained rights to see documents that no longer apply. Akamai can assist with microsegmentation that can limit the extent of overprivilege.
Three: Many in the industry say cybersecurity must work despite users. This means that there is automation in place that can manage threats without humans. For example, a federal agency had a serious misconfiguration. Normally, the process was to go to a generic database of common vulnerabilities and discover what it can do. Then, set up some kind of test bed for remediation. Finally, the solution is distributed over the system. It is possible for Akamai to determine a weakness and assign a patch before the standard vulnerability lists even include it.
Akamai works in the background of many federal agencies to accomplish tasks like adding automation, setting up networks, and improving user experience.
