Transcript
Opening
Welcome everybody to What's the Problem, the show that explores problems that buyers, practitioners, leaders, other folks in the world of cybersecurity face today.
Today we are fortunate to have Bob Zinga, or BZ, as his friends call him, join us.
Conversation
Mike Krass: Bob, would you digitally wave hello to all of our listeners?
Bob Zinga: Yes.
Mike Krass: Awesome. Let's get right into it. Why are you qualified to talk about security?
Bob Zinga: I have more than 20 years in IT and security. I started my security career full-time when I was at the University of Alabama back in 2005. It was 17 years ago. Since then, I've done security for higher education and the US government, most strictly the US Navy and the US Army, and then since 2014 for Silicon Valley.
I've been a security engineer, security director of security manager for a publicly-traded company group for almost a year, a director, and an executive in cyber security in Silicon Valley. It's been a long time. I've seen a lot, and this industry is changing quite a bit. I think that qualifies me to talk about pretty much anything security-related.
I believe experience probably is the most important thing, and also education. I have an IT certificate from Harvard University and an IT certification. As I said in my career, the certification doesn't mean much anymore because I think I have more than 20 in security and IT. At the beginning of my career, more than 20 years ago, they did mean a lot, and at this stage in my career, only the CISSP, which is the gold standard for security practitioners, because I would never take the CISSP exam ever again. So I'm going to keep that one current. But everything else can pretty much not be renewed. I would be just fine.
Mike Krass: Awesome. Well, Bob, thank you so much for sharing those decades of experience, and also, thank you for your years of service. Talking about a problem, Bob. Name a problem in the world of cybersecurity that's got your attention right now.
Bob Zinga: The one problem that keeps me awake at night is quantum computing. It is already coming, and what concerns me is that when we talk about security, we talk about confidentiality, integrity, and availability.
With confidentiality, what we have right now pretty much is encryption. At first, most people use AES 256, and that’s the best standard. In transit, we use HTTPS, and there is some work with quantum computing. It would normally take you to break that encryption with a regular computer, maybe 2 billion years. Why? Because quantum computing is only going to take 20 seconds. So, confidentiality will be completely transparent, and it will go away. That's a real problem for my industry. We don't know the solution yet, but I know people are much smarter than I think about it and are working on this issue. It will take some type of partnership between the government and the industry to develop a feasible solution. You can often make the encryption much harder, like, using a much longer key. The problem with that is it's going to be unusable because you need to be able to decrypt what is encrypted long enough for people to access the data they need to know. If you have a need to know and you can't even decrypt your encryption, then it's completely useless. There's a lot of work to be done in this area, and some people are smarter than I am looking at it right now. I'm very hopeful we can find a solution.
Mike Krass: It's interesting that you brought up this problem, the need for a public-private partnership. Do you have any examples of public-private partnerships that you've seen work in the world security or in the past with your two or three decades of experience?
Bob Zinga: Yeah, I think the National Security Agency (NSA) is a great example of security. We care a lot about some of the US government's top-secret and confidential in the US government. It's critical for the government because sometimes you may have IP or Intellectual Property, secret sauce, or whatever for the industry. If anybody knows your formula or whatever, the worst thing that happens to you is your reputation, and you may lose money. For the US government, people will die, so it's extremely important. I feel like Accenture, NSA, and the people are right in time. They gave us this and traders, but unfortunately, all of those have been broken in time, and it is an AES-256 is going to be broken too and all encryption away, we know it today. I am sure the NSA has some people working on it day and night.
I also know the way things are now in America with the public sector and freedom. For example, we have Facebook, Google, and all the big five tech companies. I am sure many of them are looking into this problem too, and I feel a partnership between government and private enterprises will get us fairness.
When you think about it, a lot of the technology we enjoy today was designed by the military or at least for the US government, including GPS and the internet algorithm. Unfortunately, it didn't invent the Internet. It was already done for the US government, but eventually, it was made available to the general public. We pretty much depend on what step of technologies. Today, I can’t imagine a day in my life without Internet access, especially my kids, Generation Z. They were born with the iPhone in their hands, so it's almost impossible to imagine life without this technology. What I'm trying to say is it does cost something. It is so ingrained with our way of life that we will figure out how to keep it going forward if that makes sense.
Mike Krass: One follow-up question there. You mentioned the National Security Agency with the NSA here in the United States of America. We do have listeners from across the globe. Are there other public agencies from countries besides America that you think are well-positioned to be the public side of that public-private partnership to find the next level of protection?
Bob Zinga: It is possible. I am focused on the US here, but I'm sure there are organizations like the NSA in other countries, which will be a crucial problem for them. Because if encryption becomes obsolete, then there is no more national secret. We just cannot let that happen. Even those people, I guess, I won't call them enemies of the US, but competitors like China, Russia, and all of those countries are extremely urgent for them to maintain confidentiality. I think this is a global problem, one of those issues. Even if you are a competitor, it's in your best interest to work together to find a solution that works for everybody involved. Otherwise, everybody's secret will become public knowledge, which is not something we can allow.
Mike Krass: I was thinking about that. The NSA clamps down on American citizens here in America and comes up with a solution. It is a global economy, and I know the world is reopening here in spring 2022 when we're recording this. What happens when you cross the border and connect to the Marriott WiFi network in St. Petersburg, Russia, Taipei or Shanghai, or Beijing? It's not like the NSA can just clamp down on American data and secure that and then say, “Great, everyone else is on their own.” Because it's not going to work like that, is it?
Bob Zinga: The government is most concerned about government information. But then, it just makes sense to share with the industry because it benefits all of us. I believe, a very critical component of our economy. When I used to work for San Diego, the Admiral there used to say, because we provide the technology to the Navy Space Warfare Command and talking about fighting jets. I used to say a fighting jet is nothing, but it's a supercomputer with wings, and I think he's right.
Even today, when you think about all-electric vehicles, it's all sensors and computer processing with tires. We are so dependent on technology today that I think it would be too dangerous. The last time we talked, I referred to this idea of being too big to what happened to the economy back in 2008. It's going to be one of those things if encryption becomes obsolete. I am 99.99% sure there will be a solution to it.
I don't have a Ph.D., but I was a Ph.D. student, and I am what you would call the APG. I've met all of the dissertation requirements for the Ph.D. program except for the final dissertation. My effective primary mentor used to tell me that when you are facing a problem many times, just ask the right questions, and we give you 50% of the solution. But also, looking at it, it seems that if there is a problem, there is a solution just by definition. It's just up to us to find out what that solution is. It's discovering what doesn't work until we find what does work. In the next five years, we will have to find a solution for that. Some of the mastermind groups via the Technology Council, which I've been a member of for two years now, since 2020, there's technology leaders across America and worldwide. Many of them are from Fortune 1000 companies. We have meetings and talk about what technology will be like. And that's one area where I can get many ideas from my peers, and some are much smarter than I am, which is a problem that many people have eyes on.
Mike Krass: Before we go to our final question, I just wanted to reflect into the listeners' ears. Asking the right question is 50% of the way there; that reminds me of what's known as the IDS framework of India Delta Sierra or Issue, Discuss, and Solve. You've spent 80% of your time on the discussion as a group or as a team, which makes the issue critical because if you pick the wrong issue, you will spend countless cycles discussing it. You'll even come up with a solution, and then somebody will raise his hand and go. I don't think that this was like it's related. We're not off track here, and we have the right issue here. You have to go into the IDS framework to go back. We learned that this isn't the issue, and it took us a long time; that's why it's critical to be critical of the issue. Is this the right problem to solve? Is this the right question that's getting us started on our discussion? I just wanted to reflect that into the group and have that shared with the listeners.
Bob Zinga: I like what you talked about the framework of the ideas. I think on a personal basis; it is quite relevant. You often work on tasks that probably don't even need to be completed when you're a leader. For some of them, you need to do many of the tasks you have on your plate and need to delegate. And then quite a few of those are completely abandoned because they will not get you anywhere you want to be.
I am a great believer, both at work, professionally, and personally. The 80-20% rule of the Pareto principle, which is 20% of your activities, will get you 80% of the way toward achieving your goal. And for most people, unfortunately, they are extremely busy from sun up to sundown. They do a lot of activities, but what they do only get is 20% of what they believe is the highest priority. I always have to ask myself over and over again, “What is the best use of my time right now?” You do have to abandon some of your activities because they do not align with what you believe is your highest goal. It's very important to be discussing the right issue.
Mike Krass: I love the Pareto principle. Warren Buffett does that every week. I'm not sure if you've heard of that. Every Sunday evening, he writes down roughly 20 to 25 things that he needs to get done, and then he looks at it up and down a few times and circles. It's no more than three or four. And everything else is things he's no longer allowed to work on for the next week. And if it comes up, he says, “I have to give this to my deputy, Mike.” Or “You need to talk to my head of trading out of Asia or Africa and talk to this lady.” But he says, “There are no longer things I could work on this week because I have to focus on these other ones.” And while we are not Warren Buffett, we can still think in that way sometimes.
Bob Zinga: Absolutely. It makes a big difference when you focus on the right issues. Because the older I get, the more I realize my most precious resource is my time because once my time is done, I can't get it back. If I lose money, I can always make more money later, but it is gone forever. The way I spend my time is extremely important to me. I want to make sure I'm spending it in the right way, which will give me a return on investment.
Mike Krass: Return on time. I love it! Bob, let's wrap this thing up. The third question is where we get a little bit vulnerable and a little bit funny. Tell our listeners about the terrible haircut that you have had.
Bob Zinga: I joined the US Navy back in October 2004. May of the following year, they sent me to boot camp. I went to RTC Great Lakes, Chicago, Illinois. They picked me up the first day I got there at the Chicago International O'Hare Airport. We drove about an hour or two. Once we got to RTC, the first thing they did was shave everybody and everyone they competed with. Oh, my precious hair, all gone. Everybody else looked exactly like me, and also they gave us brand new uniforms. Everybody was wearing the same thing, and it didn't matter. If you wear white, black, brown or whatever, it doesn't matter. Everybody was exactly equal. So I think that was probably the most terrible I could have ever had. Since then, my hair has been pretty short. But yeah, I used to have long hair back in the days, but I got accustomed to it after a while.
Mike Krass: A haircut that was forced on, although you probably didn't know that was coming.
Bob Zinga: But I didn't realize it until it happened. Then it was surreal, and that's exactly one of the prices you have to pay for raising your hand and volunteering.
Some of my Navy buddies told me maybe stand for never again volunteer yourself. But I think that's completely wrong because it is important to volunteer and do something not just for yourself but for your community and country. It's always a great idea to give back when you get the opportunity.
Mike Krass: Absolutely. Before I say our exit phrase, BZ, would you say hello, and goodbye to our listeners one last time?
Bob Zinga: Goodbye, everyone. It was a great honor to be with you today. Hopefully, this has been pretty instructive or useful to you. Thank you, Mike. I appreciate it.
Mike Krass: And to the listeners, thank you for listening to What's the Problem, the show that explores problems that buyers, practitioners, leaders, operators, and anyone involved in the world of cybersecurity faces today.
We'll catch you next time.
Bob Zinga
With an outstanding record of successfully establishing globally recognized technology risk management and cybersecurity programs, Bob “BZ” Zinga has been setting the vision, driving the strategy and governance framework, establishing effective policies and standards, and managing the cybersecurity risk and compliance functions within Higher Education, State and Federal Governments, the Department of Defense and Technology Industries.