Episode Transcript
[00:00:10] Speaker A: Welcome to KB on the Go. I'm coming to you from my new place of residence, Orlando, Florida. And today I'm being hosted at the Sim Space Summit. Cybersecurity is hitting a breaking point. Compliance checklists, tabletop exercises, and confidence claims aren't enough anymore, especially as AI accelerates both attack and defense.
This summit is about something different. Proving readiness under real pressure, real tools, real teams, real world chaos.
Today I'm speaking with leaders and former U.S. government officials pushing cyber training, testing and validation out of theory and into reality. Because when the next incident hits, what matters isn't what looks good on paper, it's what actually holds up. Stay with me. We're diving into the conversations that matter. This is KB on the go from SimSpace Summit 2026. Let's get into it.
Joining me now in person is Peter Lee, CEO of SimSpace. And today we're discussing are we cyber ready or are we just saying it? So, Peter, thanks for joining and welcome.
[00:01:20] Speaker B: What a pleasure to be here, kb.
[00:01:22] Speaker A: Okay, so I really want to start with your view around readiness. So you say readiness isn't something you claim, it's something you prove.
So what do you mean by this?
[00:01:35] Speaker B: Well, in cybersecurity, confidence without evidence is just hope. And so readiness really only matters if it holds up under significant adversarial pressure. You have to test and validate in a realistic replica of your production environment under real world scenarios.
Otherwise you're talking about certification versus true preparedness.
[00:02:05] Speaker A: One thing that's interesting to me, Peter, would be across a lot of my podcast interviews, everyone's talking about preparedness and resiliency and all these sort of things.
What would you say, say, given your experience, preparedness looks like? Because I think that people have different versions and definitions of what that means.
[00:02:21] Speaker B: Yeah, that's a great question. I think preparedness is ultimately something that's earned and that's proven.
I think that's really the single most important message. Preparedness isn't a series of courses or certifications or a self judgment. It's got to be proven. That's really the high bar.
[00:02:45] Speaker A: One thing that I've noticed and observed, and maybe you agree with this, is companies are saying like, yeah, we're ready, we're ready. But then either they get breached, something happens, there's some outage.
So what I'm curious is why people claiming it? And I know it's not super binary where it's like, okay, yes, we are, no we're not. I know there's a lot of gray and these things are kind of hard to prove. But are you seeing that happen a lot with people in the market?
[00:03:12] Speaker B: You know, I really think that's a great question. I think it really depends, kb, on what level of the organization that you're engaging in. It's obviously very difficult for the lower levels of an organization to admit that they have vulnerabilities or they may not be as prepared as needed. I think when you get to the senior levels of the organization, certainly at the CISO level, no CISO believes that they're extremely well prepared, that their team is absolutely on their marks, that they have the right tools to succeed. I think anyone in the senior levels of the organization are very open to messages of transformation and really true preparedness that's really, you know, true resilience. So I think that really depends on where you're addressing the organization.
[00:04:06] Speaker A: So just staying with preparedness for a moment. It depends on who you ask. Some people like, no, I don't believe in, you know, getting at the IAP plan once a year. Some people like, we got to do the drill. We got to do things in a different way. I mean, I've spoken to so many people on so many different opinions. I'm keen to hear yours because again, the way things with AI and everything that's going on in the world, things are a lot more different to how it used to be. Things are changing so quickly. So perhaps what was a good solution last year for being prepared fundamentally changes this year and so on. So how do you stay always prepared then?
[00:04:37] Speaker B: Yeah, it's a great question. I'll answer in two. I think you had two parts. So first of all, from our perspective, I'll just share with the audience that our founders came out of U.S. cyber Command and MIT Lincoln Laboratory, a federally funded research lab that was very focused on top secret capabilities for national defense. And so we come from a culture where the bar is mission rehearsal. You really prepare. The bar is can you accomplish your mission or not? It's a binary bar. And I think that's really important to put that stake in the ground. I think the second part of your question about really I'm going to call, you know, change of pace or how things are really changing from an adaptability perspective. And I think we would say that training without testing leaves blind spots, that testing without training creates snapshots like a doctor's visit doesn't mean you're healthy now. So I think resilience and validation, you know, kind of go hand in hand. You have to validate with realism. Otherwise you have a sense of false confidence. And certainly today in the age of AI, you are seeing an astonishing pace of really autonomous attack execution, reconnaissance, vulnerability assessment, penetration, full kill chain exploitation, and then it learns and improves. The current pace of human certification training is really a very poor mismatch to this. And so I think that's really where, you know, from our perspective, where we see the clients and where the market moving is a cyber range really gives you an opportunity to rebalance the asymmetry between attackers and defenders. It gives you a chance to continuously conduct mission rehearsal and really actually secure your borders, secure your frontiers.
[00:06:39] Speaker A: So going back to your comment before around mission rehearsal, so if you come from a military background, it's sort of engendered into you doing this type of work. But if you're working in a company as a, let's call it, white collar worker, it's not the same like when you go out and you do like, you know, military training and that. Like it's not the same when you're working in companies. So would you say that's a big disconnect at the moment?
[00:07:02] Speaker B: Well, I think obviously there's significant cultural differences between military organizations and commercial organizations. I think you're right to point that out.
I think again, when you look to the large commercial organizations, they realize that they're under siege in this AI fueled threat landscape. And I think you realize that they're investing in a multi layered defense architecture and a multi layered defense preparation for their teams to actually be able to repulse the significant threats that they face.
So I do think that mission rehearsal, it may not be as. And I think you have a good point there, mission rehearsal has this kind of contained notion, doesn't it KB it's like a particular mission. The mission never ends, really from a commercial perspective, it's a continuous threat landscape. And so it's less a series of discrete missions as much as a continuous culture and a cultural change. Isn't it really a cultural adaptation that they have to have?
[00:08:07] Speaker A: So then speaking of continuous threat landscape, do you think this is where companies at the moment are getting caught out? Because things are changing so quickly. So it's not like it's anyone's fault or they were lazy or they were complacent. It could purely just come down to things are changing day by day. It's really hard to keep up because people got to keep the lights on. Like just doing preparedness isn't all people do each day, right?
[00:08:28] Speaker B: Yeah, that's absolutely right. I think that there is like any organization There's a certain amount of prevention and there's a certain amount of cure. And really, you know, our argument is that the more you put in prevention, the better prepared you are, the less you're going to have to invent to invest, excuse me, in curing. I think that organizations are really, it caught in a bind, right? There's significant capabilities which have to be detected to which have to be directed, excuse me, towards detection, engineering, threat hunting, resolution, adversarial dwell time is plummeting. And this means that there needs to be even more resources directed at ensuring prevention of lateral movement, prevention of full kill, joint kill, chain exploitation.
But I think at the same time, what we're seeing in the age of AI is that if you don't get in front of this, it's going to overwhelm your defenses.
[00:09:30] Speaker A: Okay, so if you zoom out and get a bird's eye view, given your background and experience and the level that you're operating at, where do you believe the biggest gap is when it comes to preparedness that you're seeing?
[00:09:42] Speaker B: I think the biggest gap is that we've got to see humans plus AI.
It's not an issue of subtraction or substitution.
It's really addition. It's humans and AI capabilities working side by side.
We believe that the confidence that really comes from seeing performance under pressure is really going to be built from joint training and having humans and AI being held to the same standard.
I think that's really what we see as kind of the next evolution, if you will, or the next advent of where security investment is being directed.
[00:10:23] Speaker A: So when you say performance under pressure, people that I've interviewed over the years saying that, yes, being prepared, but then sometimes when there's something going on in that moment, all the preparedness seems to go out the window.
So how do you get to a point where even if something intense is happening, you can still handle it with control and make decisions with precision?
[00:10:47] Speaker B: Well, the reality is that we have to go into a culture and a regime where we have a very significant amount invested in rehearsal, in practice, in preparedness. Because to your point, teams are going to fail, tools are going to be ineffective. We, we're going to have to learn the frontiers and be comfortable where risk really lies. And at what point do we need to really invest to turn the tide? Where do we need to direct our resources to actually win? So I think that it's just absolutely critical to do this in advance, to have a culture of resilience and a culture of preparation, because you don't Want to learn that in production. You don't want to learn that in the real world. You want to be able to fail well in advance and be able to take the corrective course actions.
We have a whole, you know, philosophy around letting AI and holding AI to the same standard that human operators are. I think right now it's in the very early stages of adoption. So we're seeing that AI is really good at maybe all, let's call it automating, the signal from the noise. But the most consequential decisioning is still taken from humans in the loop. I think over time we're going to see a lot more of that decisioning taken over by AI. And you're only going to gain that confidence by actually deploying it in something like a cyber range where you can really test and train in the same environment in a realistic replica of your production environment under real world adversarial conditions.
[00:12:28] Speaker A: When you said before, like, you know, people could start failing a lot more in tools, et cetera, do you think things are failing more today than even opposed to like 10 years ago?
[00:12:39] Speaker B: Well, I think that by definition, I think the threat landscape compared to 10 years ago has vastly changed. So, you know, I guess it, I think the tools, the sophistication, the, the. Absolutely. I think that's a fair question. I think that the reality is that the threat landscape has been exponentially increased. And by the way, the attack surface has significantly expanded compared to 10 years ago. It just puts pressure on defenders, you know, attackers and defenders. It's always been asymmetrical. Kb Right. It's, you know, if you're a fan of the hit movie Everything Everywhere, all at once.
That's what defenders have to do. Attackers choose the time and place and how they're going to attack. Defenders have to defend everywhere, continuously. It's a fairly daunting challenge.
[00:13:35] Speaker A: So Peter, you said before holding AI to the same standard.
So can you define what that standard is?
[00:13:42] Speaker B: Well, I think first of all, you have to have trust.
I think how do I know that the AI is actually going to behave in a way that is in accordance with our governance and our rules and our objectives? I think that's a really important and unanswered question. That has to be proven out. That can't just be represented. That has to be proven out. I think secondarily, I think it's important for us to understand that introducing AI with its awesome capabilities also requires that we understand its vulnerabilities. AI itself is another attack surface. And so we've Got to, you know, the same types of like insider threat precautions and policies that have proven helpful with employees is still going to apply to AI. And I think thirdly, when we think about autonomy, the same type of governance principles that we have with our own people are going to equally apply to AI. Autonomy means that you've got significant risk, you've got a significant impact in the event of failure or collateral damage. And I think that has to pass the same type of governance and the same type of management framework that we have with our current security operators.
[00:15:05] Speaker A: So following the trust talk track for a moment, many leaders sort of struggle with you mentioned before, the tools, teams, those sort of things now AI systems. So it would be your view to install confidence back and the trust. And I know sometimes trust can come across as a bit of a fluffy word, but I do think it's important.
[00:15:25] Speaker B: I think first and foremost we have to make sure that we are creating the right incentives. We can't reward activity over outcomes. We have to understand that completing training and deploying tools and passing audits are not going to be a substitute for proving effectiveness.
So I think that really the only way forward is to continuously test and train organizations, people, tooling and AI perspective together in production grade conditions without risking actual production environments. That's really, I think, where you're going to build confidence, where you're going to see this market move. There is absolutely no way that you can be sure, but you can come as close to that as possible. And I think that's really where this market's moving.
[00:16:21] Speaker A: And when you say create the right incentives, what would those incentives be?
[00:16:26] Speaker B: Well, I think there's an emphasis in the cyber market, or let me not use the word emphasis, but there's efforts where individual training are held up as being helpful and I would call individual training, you know, or really not helpful, but sufficient. They're not sufficient. They're really training skills in isolation.
Being individually trained in a particular skill has absolutely no bearing to how you'll perform under pressure in an actual team environment.
Similarly, certifications, audits, I mean, I think there's a lot of cyber activity that goes on that on paper looks like it's going to be helpful, but it really has very little bearing KB on the actual performance of an organization under real world conditions. And I think that's really what we're evangelizing. What we're trying to do is we're trying to really help our clients actually outsmart cyber threats before they take hold, you know, outsmart cyber threats, any cyber threat in any terrain. And that really means preparedness in real world conditions.
[00:17:45] Speaker A: So just a quick question on the certifications. I've heard some part of the industry say, yes, we need them because there's a standard of what we need. But then also when there's that base level, it's hard enough to get people in this industry as it is. So therefore maybe they are disqualifying people because they don't have the base level, but then other people are saying, no, it's a good thing. So therefore we've got a governance layer and we know that people aren't saying the wrong thing or they're not pushing a certain agenda. Where would your sort of thoughts sit on the whole certification sort of thing?
[00:18:12] Speaker B: Yeah, well, I think, look, it's obviously beneficial to have cybersecurity skills and to be certified with minimum level of competencies, but we would really direct a substantial amount of the effort and focus in organizations towards team training and away from individual skills training. I think, in short, and the definition of team for us is now humans plus AI. It's not just humans. I think that's really the key message. You know, certifications, skills in isolation, compliance level, checkbox capabilities, they're helpful. It's a minimum bar of competency. But it's a far cry from what actually needs to happen to really secure an organization.
[00:19:01] Speaker A: And so Peter, what would you like to leave our audience with today? Maybe one key takeaway.
[00:19:06] Speaker B: Well, I think the really the key takeaway is that while we're early in the adoption of AI, the future is today.
I mean the future is absolutely today. We're seeing that humans plus AI has to be the rallying cry. And that means organizations need to invest in the team training, in the tooling, in the testing, in a real world production grade environment like a cyber range in order to best prepare.
[00:19:39] Speaker A: Joining me now in person is Ernie Ferrareso, Senior director at Cyber Florida. And today we're discussing why Florida treats cyber like a mission. So Ernie, thanks for joining and welcome.
[00:19:48] Speaker C: Hey great, thanks for having me.
[00:19:50] Speaker A: So Ernie, I'm new to Florida, I'm a new resident here, last five months. I'm from Australia and I'm curious to understand what's Florida doing differently in terms of how they approach cybersecurity.
[00:20:03] Speaker C: So it's actually interesting. You probably figured out Florida's a big state, we're the third largest state in the United States and I want to say we're something like the 15th largest economy in the world.
So it's a big place and everything and things range from some of the largest cities and school districts in the nation to some of the smallest. So there's no, I'll call it one size fits all. So it's how do you deal with a decentralized multi capability type entity? And that's what I believe is unique is what it is that we do at Cyber Florida because we're a state funded organization that's housed at a university, so we're not a state agency, but we do work, quote in service of the state. So it's basically providing services and resources to communities by the way of providing experiential learning opportunities for students. So that, that's a big mouthful for saying that we have students that do work for these communities, providing them the services that they need. But then we can also take that information that we learn and then let the state know how they're doing as far as levels of cyber resilience across the state.
[00:21:12] Speaker A: So to put it in perspective, so Florida in terms of population is like upwards of 23 million.
[00:21:18] Speaker C: It's a big place. Yeah.
[00:21:19] Speaker A: And there's a contrast that Australia is like 26 million and which is a quite a big country spread all around.
But just to provide a little bit more context, to see the scale of it. So then one thing I've also observed being a expatriate here is there's a lot more companies moving here to Florida. I don't know whether it's better weather or the no income tax situation. However, this is a big boom in like technology and cybersecurity. So what is that driven by what you're saying here, Ernie, or.
[00:21:50] Speaker C: I think so. I think there's some of that, I think a lot of it has to do with, in the companies that we talk to, it's access to, to tech talent is one of the big driving factors.
[00:22:00] Speaker A: So they live here.
[00:22:01] Speaker B: Yeah.
[00:22:02] Speaker C: Being housed at a university. We work through a lot of the universities and the educational system. And so that's where I think Florida's made some very significant investments certainly in its public university system. It's got one of the top rated public university systems in the nation. The costs are very low and the quality of the education is very high. And a lot of those graduates, they want to stay in Florida. So that's where I think companies see that, they see that there's quality of people, then there's also the, you know, I'll call it the quality of life here in Florida. It's generally speaking it's nice. I mean current temperatures aside, it's Normally pretty pleasant, but I think that's tied to it. So it's, I think it's access to the talent. But the other part is there's also a different type of, I'll call it tech community here. It's this thing that we're in this together and we all are going to, you know, we want everybody, we want people to succeed here. You know, these tech companies, they want each other to succeed. It's a true ecosystem. And that almost like, hey, if this company grows, we can also expect that's going to provide positive growth for us as well. So it's very, I'll call it symbiotic in that sense. And I think that's unique. It's not very, it's not cutthroat. It's not like I have to, you know, stab somebody else to move ahead, certainly in the tech space down here, which is unique and interesting.
[00:23:18] Speaker A: So I've got a couple of questions then on that. As you were speaking, there's been, you know, Silicon Valley is still the original and then there's been talk around, oh, it's going to be Austin, it's going to be Atlanta. Do you think it's a fair assumption, given what you're saying, it will be Florida? That could overpower, if not overpower, Silicon Valley?
[00:23:36] Speaker C: I believe so, because we're talking from the state, the state level. There's so many different areas in the state that are each moving. So you have just here in the Orlando area, the greater Tampa Bay area, down in, you know, the South Florida, Miami area. All three of these are just, they are just booming with tech, entrepreneurial energy and, you know, startup communities and such. So, you know, it's not just it, it's not just a quote, a valley, it's a whole state. It's not just, you know, Austin, it's Florida. It's taken us a bit to get rolling, but now you're starting to see that it's a state that's rolling. It's not just these indi. These small little isolated communities, it's the whole state. So that's going to be this like the secret power there is that we're big and the giant is awakening. That sounds kind of hokey, but that, that, that type of sense, that's what I believe.
[00:24:26] Speaker A: Do you think historically people assume now Orlando is the most visited US city in the world? Over 70 million people visit here probably for Disney World and Universal, but historically people have this view and opinion that Florida is the, well, it's the Sunshine State, but It's also where people go to holiday or vacation to use American vernacular. So is that perception going to change now? Because when people think of California, yes, LA and Hollywood, but then they think San Fran, they think Silicon Valley.
[00:24:59] Speaker C: So that's something that I've struggled with. And also I think the state has as well because yeah, we're known for, you know, alligators and oranges. Right. That's been it for a long time. We're getting a lot better at telling the story of the tech community. We're getting way better at telling that story. I mean, if you look at, across the state, like up in places, up in the panhandle area, I mean we have some of the leading robotics research in the nation going on there. You know, you talk about here in Orlando, it's some of the leading research and development in the modeling and simulation community is had. And this is all, you know, tech based, you know, the Tampa Bay region with the University of South Florida for cybersecurity and artificial intelligence. These are all these areas that are leading the nation. But again, it's tough because of the heck, you go on tv, just Google Florida man and Florida man doesn't come up. And it turns out it's somebody who's just invented the next semiconductor or artificial intelligence. So we're getting there. But that said, the other regions, they shouldn't sleep on us. The way I believe it, it's that the work will demonstrate the capability. Meaning one day people are just going to wake up and it'll be, wow, Florida is actually this really impressive technology, technology, very innovative state because they weren't paying attention. And it's just, we're there now and it's going to, that's what I think is going to happen.
[00:26:16] Speaker A: So given what you just made before, how do we as an industry, as a state country change Florida man into the perception of like new Silicon Valley dude here?
[00:26:27] Speaker C: The way we do that is it's the grind. It's a generational type of thing. You just keep showing that this is where good technology stuff happens and you just keep doing it and eventually it's going to, people are going to pick up on it. I mean, you can do all the best. You know, the best marketing in the world is word of mouth. People say, yeah, they're actually doing good stuff down there. And so that's what I think we've got to do. Because if we start, if we start, you know, promoting and marketing and saying all these things, oftentimes people it'll be like, yeah, that's Fake, that's just the window dressing. But we actually are actually doing it. And I think that the work will end up speaking for itself and I think you'll start to see more and more of that over time. It's again, it's a generational thing because the other part is like Silicon Valley didn't become Silicon Valley, you know, overnight. It took years to build it and we're really rolling now and I think it's going to be far more durable than a lot of other places because of the overtime. It's not going to be something that is just a flash in the pan and we're done.
[00:27:20] Speaker A: So when you say durable, what do you mean specifically?
[00:27:22] Speaker C: I mean that it's, this is going to be something that is here to stay.
It's not going to be a. Oh yeah, well we were once these tech folks, we shifted on. This is like no, this is, we're building the solid foundations and when I talk about that it's you know, those infrastructure developments, it's a strong higher education system, it's a strong technical college system. It's all those underpinnings that cement the foundations in the community that then grow into the, they're not, it's not like we had a, you know, oh, there was a big tech company that moved here and then they went bust and then the town died, you know, you know, like the steel industry, you know that, that type of thing, it's becoming self sustaining and growing that you're seeing now, you're seeing companies not just moving here but they're starting up and they're saying here like a connectwise, like a know before these are companies that started in this area that are now, you know, billion dollar companies that started here. So you're, it's not just moving in, it's growing our own. And that's when I talk about durability is that you have this ability to grow and sustain a culture unicorn company status.
[00:28:24] Speaker A: So given that, given what you sent, do you assume that Florida will become more powerful in terms of like GDP as opposed to states like California in the future?
[00:28:37] Speaker C: That's a good question. I'd like to say. Yeah, I'd like to think so. For a variety of reasons it's still trying to figure out what, you know, what your quote manufacturing base is and how that's going to build. But I do believe that in the not too distant future we're going to, it's, Florida's going to move ahead of that because of the types of things that you're going to start to see, to come out of here. That's, I do believe that one interesting
[00:29:00] Speaker A: thought is when I moved here and I live in Orlando, people were like, why would you move to Florida? Now? I said there is a growing tech hub, but now you're saying in a little bit more fidelity, which just gives that assurance because I think naturally there is that stereotype of oh, Silicon Valley and all these other places.
So I think it's just more that it's changing that narrative and you've reinforced that.
[00:29:22] Speaker C: Yeah, it's. And I tell you that's, you know, I joke when I say the alligators and oranges and they're not the meth addicted alligators, those are the ones in Mississippi. I just want that, you know, clear. But it's exactly, it's how do we change that? And it's because first, the other part I'll add is Florida as a, a very popular state, that's a fairly recent thing, right? So if you think about it, Florida doesn't get to be popular until Post World War II and air conditioning becomes a thing. So if you think about it, we're a very large and geographically, but also economically. But that's been in a very short time, if you look at it in the span of time over, over the long haul. So we've made tremendous progress in that period of time. So I like, I can't expect us to shed the, you know, oh, the alligators and oranges in the tourist destination overnight. But that said, we're moving very rapidly in a thing to say we can be a tourist destination and a technology destination and a bunch of other things as well. And we can do it pretty well and it can be a really great place to be.
[00:30:28] Speaker A: So they can coexist. They can coexist because when people, I remember speaking to someone I first moved to, they're like, oh, Orlando. They're like, I've been there. Last time I went there it was just full of swamps. It's still swamps. However, it's a little bit more built up. So that's why I'm very curious to understand as someone who's an expatriate coming into this country and living here in Orlando, it's really good to hear your sentiments on this.
So I'm aware that Florida is often cited one of the most cyber forward states in the country. So you've given all the reasons. But what I'm curious to know, like what are other states doing or not doing?
[00:31:04] Speaker C: A lot of it depends on the state. A lot of States, they'll have high aspirations. You'll see, you know, statewide strategies and things. But the challenge that I see with other states is it's in the implementation of those strategies. What I think puts us in a unique position is that again, we're, that we're in that space where we're an entity of the state, but we're not an agency of the state. And so that allows us to engage with a lot of folks. And one of the things that we really pride ourselves at doing is identifying the resources that are out there, but more importantly is getting them in the hands of people and organizations that need it in a way that they can actually use it. So I think you'll see a lot of states that'll begin to allocate, they set aside resources, but oftentimes the folks that need them can't access them for variety of reasons. That what we've seen around here in Florida is, you know, different grants, whether at the state or federal level for, I'll call it school districts, in order to get that, they have to apply for either a state or federal grant. School districts, certainly small. The folks that actually need that, they don't have the resources to actually apply for and manage a federal or state grant. So again, that, that's, so that's where we would come in and say, okay, let me help you. How do you build out a state, a grant program? What are the types of things that you can do? Or we'll even go to the state and say, hey, have us manage the grant program and then we'll figure out how to get it to the people that they need. It's that last mile, right? That's always the problem is how do you get what it is you need into the hands that need it? And I. Other states are trying to get to that. It's often difficult because if you're a direct arm of the state government, oftentimes people aren't going to, they're not going to let you in because, hi, I'm here from the government, I'm here to help. And most people are like, I don't, I don't believe that that's where we can do things a little differently. Because, yeah, I'm here from Cyber Florida at the university. Can we help you? And oh, that sounds like a good idea.
[00:32:50] Speaker A: So do you think a lot of it's also attributed to talent shortage, perhaps not living in less desirable states as well? Maybe it's colder, maybe it's desert, maybe it's hotter, maybe there's no beaches There, I mean, whatever the reason, strokes are different folks. But do you think that is attributed to some of the gap in where some of these states are performing in terms of cyber readiness?
[00:33:10] Speaker C: Yeah, there's probably some of that. But that said, you know, states like North Dakota, they're actually doing pretty well. The university, I believe it's University of North Dakota has one of the better cyber programs. The states are pretty. Now that said, they're a lot smaller as far as population and complexity. They have big cities, but a different manageable problem. The other part, as I'll say, is they're getting it right because their state leadership decided to get it right and made it a priority. And I think that's some of the other thing that is, that's what's going to make an entity or a state successful is that their state leadership makes the decision that this is going to be a priority and then even more importantly is then follows through on that and ensures that it's actually happening. Because oftentimes you'll say, oh yeah, this is a priority. And what does that mean? It just means, well it's a priority and so that's the right thing. And here in Florida, the governor and the state has made a significant effort to say this is something that's important. We're going to put resources behind it, both at the state agency level for the communities and organizations like cyber Florida. We're going to make sure that they have the resources that they need to do the job. And I think that's, that's the key part is that states that make it a priority and actually don't just talk the talk, but walk the walk with it. That's what makes them successful.
[00:34:23] Speaker A: So speaking of walking the walk, I'm aware that as you mentioned before, Florida's a mid state. It's supporting a lot of state agencies, local governments, critical infrastructure, academic institutions.
And Florida is ranked quite highly with how many there are, as you would know. Obviously that's a lot to secure. So maybe talk through how cyber ranges change the way agency like prepare and then respond then as a unit.
[00:34:48] Speaker C: When we first started with our cyber range and this goes to, and we were providing training and exercises to, you know, state and local government entities.
We started it with just as like a training type activity where it was okay, hey, you go in, your team goes in. Can they do X, Y and z check? Congratulations. And that in itself was a new thing for these places. So that, that in itself, so that's just doing that was of tremendous value to them. The next Part that we've been moving to is now being able to let them know about different levels of how they're able to do things. Okay, so you can do this at this particular level or you are able to do it to this certain degree, which is okay, but you can be better here and here. And so now you're talking about building this culture of improvement through, through exercise and training, that exercises and training opportunities are not a thing for nights and weekends, that they become more built into the organizational culture like hey, this is an extra, this is part of your job. And that's kind of where we are now. Where we're going is. And this is where.
If somebody had asked me where this was going to be when we started with the range, it's now, it's also now let's use this thing to test out different ideas, test out different tools, test out different things so that you can then better prepare for incidents as they happen. Hey listen, we want to see what would happen if Cyber attack Variant X happened to our network and then how would we deal with it? So that's moving from just the training side of it to a no kidding simulation that has a simulated response. And that's what I also believe that the cybersecurity folks need to be able to get to is you want to be able to identify, I'll call it emerging problems early on so that you can see that when a sophisticated attacker is coming in. Oh it the first thing you're going to see is this. And that's what it actually looks like on my tools. Oh I know that. And also that I can know that this is may what happen if I don't do X, Y and Z. And that's where we're getting to get to where it's more being people to actually able to test and simulate actual emergencies based on actual threats on their actual systems so they know what it is. And then also okay, if I change my system to do this, how does that impact that as well? So that's kind of the, it's more of that using it as an evaluation and testing ability to fine tune their defenses.
[00:37:12] Speaker A: And would you envision, Ernie as well, that if Florida's the North Star for how things should be done, will the other states follow?
[00:37:19] Speaker C: I hope they do. I hope they do because I think that's where, that's the approach that we've been taking with a lot of the things that we do.
Even though the services that we provide are free, it often surprises me how hard it is to get people to Even engage with a free product. You've heard the you can lead the horse to water, but you can't make them drink. So we spend a fair bit of time running the horses around, making sure they're very thirsty and so that then when they get to the water they want to drink. And that's the, you know, engaging, starting small, building up, letting people know that hey, this is actually worthwhile, that they actually participate in it. And so by taking that approach, I think we're out in front of. And if it helps pave the way for others to, to skip a couple of steps to get to where we are, then I think that's actually a big win because at the end of the day, you know, this isn't, it's not Florida in isolation. It's got to be, you know, it's the United States and arguably, you know, the rest of the world too, because it's not just a, it's not just a Florida problem, it's everybody's problem.
[00:38:18] Speaker A: And that leads me to my next point because when you were talking, I'm thinking there's 50 states that make up this country, which is a lot big place.
So in terms of population as well.
So I'm then curious if one of the states isn't perhaps at the same level in terms of maturation as Florida that overall impacts the whole United States and the capability moving forward. What are some of your thoughts to how to bring that together and operate more as one union? But then obviously I understand that there's going to be strengths and weaknesses across Florida and other states, et cetera. But ultimately the US is still one huge country. So how does that sort of look in your eyes?
[00:38:58] Speaker C: So it's an interesting challenge, that's for sure. When we talk about what are the things to go forward, the first thing that needs to be really continued is this information sharing regarding breaches, reporting and such. And the Ms. ISAC still is a very powerful organization in that sense because we need to be able to, for entities to share information about what has happened, what are the, and push that, push that information out. I think as we see with changes in the federal government, the responsibility of securing infrastructure in systems and services is being pushed down to more to the states. And then, you know, so it's down to the, even down to the agency or city and county level. So that's, I think what you, what we're seeing. That said, so there's the responsibility of providing the security, but the way that it's got to work is that we're all sharing information so that when something happens here in Florida that the folks in Oregon can know about it very soon because odds are they're going to see something similar coming to them. And so how do they then, you know, tune and update, dial in their defenses as well? The more we decentralize the actual operations, the more we're going to have to rely on information sharing between the entities to pull that off. I do believe that as AI and automation takes on more, you're going to see a shift in the different types of talent. So not that the talent gap is going to get smaller, the types that you're going to need are going to change, but that day to day type things are going to become easier to manage. So that'll, I think that'll lift some of the burden off some of the, I'll call them resource constrained entities because they won't have to hire a team of, you know, 10 folks. It'll be one of the right person, which may or may not be but a child. But it's still not, it's not 10 folks, it's still, it's less than that.
[00:40:52] Speaker A: So, so with CI ISAC International, for example, sharing intelligence and knowledge from an Australian perspective, people have tried to do this, but then they don't want to do it now. Why do you think that's the case? Because it's not necessarily a zero sum game like if someone else wins doesn't mean you lose.
Maybe it's different here, but it's definitely happening in Australia where there's a lot of pushback with the overall mission is if I share something with you, Ernie, maybe that helps better you. Why do you still think there's a bit of contention going on with the knowledge sharing?
[00:41:25] Speaker C: I think it has to do with, I'll call it legacy mindset for a lot of things. And it's just the shifting nature of cyber threat and cyber landscape. The reluctance to share information is a lot tied to, I'll call it compliance and regulatory risk. That worried about, people are worried about even today when most entities have a cyber incident instead of the first call is to their lawyer, you know, so. And the law enforcement folks have a terrible time with it because in that sense of, you know, it's a significant cyber crime. But they're, the organizational attorney said don't let law enforcement in here because we got to make sure that, you know, protecting the entity from, from litigation is their principal job, not so much getting the information out to, you know, to the larger community. So I think that's what's going to have to have to shift is that who you share information to has to be an entity that is not going to get you into trouble for sharing that information, if that makes sense. Because I think you look at it how the current regulatory environment is in the United States, you're required to report certain things.
If you don't report certain things, you get in trouble. If you report certain things to certain folks, that's going to get you into trouble. But they all end up going to different places. It's very confusing. And an example would be. So CISA is not a regulatory agency. When you report something to them, you're reporting it so that they can get the firefighters to do what they need to do. They're doing it so that doesn't spread to others.
So arguably that's the important one for the reporting. But if you look at how the regulatory environment is framed, that should be the first one that you send it to, but they're the last because they're not the ones that if you don't do it, you don't get in trouble. So now it's the incentives are wrong to how to share information. So that's what I think is the challenge. It's that the incentives are on the regulatory side, not on the information sharing side for the sake of improving it. Because if you look at, if you look at what is actually needed from a threat intelligence standpoint, they don't need to know how many customers are affected. Heck, they don't even need to know the name of the company. They just need to know that, you know, okay, it's this. We saw this ttp. It was on this technology and it came in through this vulnerability. Maybe it's important that they say what sector I'm in. And it was, I was in the healthcare sector, because then it could help tailor the alerting. But at the end of the day, if it's Jacksonville Health System, nobody, it's like, who?
[00:43:55] Speaker B: I don't care.
[00:43:55] Speaker C: It's not important to me. But the current reporting regime says you got to do all that. And that all of a sudden pins a liability on Jacksonville Health System of something, all those types of things. So they're not incentivized to share.
[00:44:05] Speaker A: So how does the country correct that then? Because no one wants to buy it from the hand they feed from effectively.
[00:44:09] Speaker C: That's right. So the challenge that is, and you've probably heard about it, there was a term, they've changed it. It used to be regulatory harmonization, now it's regulatory optimization. And there's several things are moving to try to get that through. There was, you may have heard about the CISA act of 2015 that had to get reinstated and some of that included liability protections for organizations that participate in information sharing. So it's doing those types of things, keeping those, those legal frameworks in place. But then the other part is also ensuring that entities know that they have those types of protections, do that, you have the frameworks, but it's also getting the word out that hey, yeah, you can do this, you don't need or take advantage of it. I also think that's a, just a generalized awareness of how to live in the 21st century. You know, a lot of places, a lot of companies don't. I mean if you were to ask their CEO or their president or their founder, okay, so tell me what's your critical function? And they would say, oh, it's, and, okay, how is, and where is that information? How is that system, you know, cyber enabled? And then where is it? Most of them wouldn't know. They'd say, I use Microsoft. Okay, great. But that's not, that doesn't answer the question because at the end of the day, if your point of sale goes down and you're an online store, you stop being an online store. But they don't. But they're not, but they just say they don't. It's understanding that that has real consequences for your organization. And that's all cyber. It's based on a cyber enabled system. And that's just a changing mindset of folks to get there. It's most people will tell you, oh yeah, if I'm a trucking company, it's the trucks. Well, actually your truck now is your point of sale system. It's your scheduling system. I mean, ask any hospital that's had their patient management system taken offline, you know, you stop being a hospital then.
[00:45:50] Speaker A: So another question that I have, and probably my last question for you today would be, I may be wrong, but do you think there's a little bit of state by state rivalry on like who has the best cyber security?
And does that really not matter? Because for example, I mean, when you go to the Olympics, you're the usa, you're not, hi, I'm Ernie from Nevada or Ernie from Florida, like no one cares. You're just the United States of America. So how do you get to that point where it's like, yeah, okay, I get it, there's competition, I mean, it's a big play, it's a lot of people how do you move it to that point where you present as the usa?
[00:46:23] Speaker C: I think the challenge that you've got with it is, first off, I'm not sure that you'll ever get there from a cybersecurity standpoint. I don't think you're ever going to have a consortium that is made up of all 50 states that speak as one voice. I don't think you'll ever get that. I do think if you're talking about facing externally to the outside, that's where entities like the Office of National Cyber Director, you know, the head of CISA, you know, DHS and those types of entities, U.S. cyber Command, they can speak to that aspect of it. I do think that as cyber grows, changes and matures, I think you're going to see it just becomes part of the normal lexicon that we all talk about.
Meaning I don't think you're going to see us say, hey, we're better than you in this. It's part of, it's just going to be. You have to be as good as you need to be, I think is the right way to put it. Because some, some states are going to need to put more energy against it, more resource against it than others. And that's just a function of their state, is different and has different things that they do that they're reliant on. And so I think you're never going to have a unified posture or structure. But I also think that's good because through that it's just like the electrical grid. Part of the reason why we haven't had a nationwide blackout is for good or for bad is electrical grids are all managed at the local level and each one of them different. And so it's not like there's a, okay, if we leverage this attack, it's going to take down everything because everything is different. So it's, there's strength in the, the diversity. It can be a feature and a bug. It can exist in what is a quantum state of yes and no at the same time.
[00:47:55] Speaker A: And so what would you like to leave our audience with today earning?
[00:47:58] Speaker C: 2 things. First is I'm very excited about where we are in the state of, I'll call it cyber. We are at a really unique point in history, particularly with artificial intelligence and the increasing in computing power and such. We are very much at the point if you can come up with an idea, you can turn it into action just like that. And it's not that you have to have a whole litany of certain skills to do it. So that's, that is very exciting. And I think that the more we embrace it, the more we get used to, I'll call it living in the 21st century. I think we're going to be, we're going to be very, very well off. I'm not concerned that we're near the end times of humanity by any stretch of the imagination. And I would also tell you that if you're ever worried about the future of the world, all you got to do is go visit some, go see a high school cyber competition, go talk to some kids in the summer camp, go see university students in their security operations center and you will walk out of there saying, yeah, we got no problem. The younger generation is so much smarter, so much more engaged, so much more willing to try and do new things than middle aged folks like myself. And we have such an opportunity to show them the way. So I'm pretty excited about that and I'm very excited that I get a chance to be a part of that here in Cybersport.
[00:49:17] Speaker A: And there you have it. This is KB on the go.
Stay tuned for more.
