DMV Rising — Cybersecurity in the nation’s capital

Mike Laramie
5 min read · Sep 16, 2023

DMV Rising Blog

On September 13th, I was fortunate enough to attend the inaugural “DMV Rising” meetup, which Virtru hosted at their beautiful new headquarters in Washington, DC. The event had 3 interesting panel discussions followed by a rooftop happy hour.

The overall theme of the event was a celebration of the DMV (DC, Maryland, Virginia) area as a hotbed for cybersecurity companies and talent; a natural fit that I had never really taken a step back to consider. Our region is home to the seat of government, the military, and the NSA — it’s only natural that these security-minded folks migrate back and forth between public service and the private sector, fueling innovation and entrepreneurial adventures. As John Funge from DataTribe put it when asked about the number of cybersecurity startups in the area: “If you want oil, dig where there’s oil”.

The panel agenda for the event

As the title would suggest, the opening panel was a conversation around minimizing cybersecurity risk across different aspects of the commercial space.

It’s funny how people (…myself included) avoid sitting in the front row at these types of events.

John Ackerly, CEO of Virtru, had insights into the need for companies to drive towards data-centric security, a topic that would also come up in the other two panel discussions. Perimeter-based security is outdated, and in order to truly secure your data assets you need to understand what they are, who should be able to access them, and when they should be able to access them. You really do need to have that defined before you can start to design the policies for a zero trust architecture.

Kate Ledesma from Dragos had some great points about the need for increased public/private sector cooperation through CISA, particularly for the healthcare and critical infrastructure sectors, to protect against ransomware and other imminent threats. Alex Berry from Sonatype reinforced the notion that, given that open-source components are present in about 90% of the software in use by companies today, a secure software supply chain complete with SBOMs (Software Bill of Materials) from vendors will be critical in the near future, even if it hadn’t been introduced as part of Executive Order 14028.

If you’re unfamiliar with SBOMs, a great overview of what they are and how to use them is available in Episode 116 of the Google Cloud Security Podcast where they’re compared to food safety labels; an analogy I just thoroughly enjoy.

Raise your hand if you can explain zero trust in one sentence!

The second panel was focused on the journey of adopting zero trust practices in the federal space. Dr. John Salin from GDIT opened the panel with an overview of what zero trust is and what it isn’t. Probably my favorite insight of the night: he asked the audience to raise their hand if they could explain zero trust in one sentence. I sheepishly raised mine, because I technically can — I would find out, however, that my traditional explanation is…rather boring compared to his.

John posited that you can explain zero trust to someone with a simple question:

“Can I borrow your car?”

I love this approach. It boils down to ideas of asset value, identity authentication, and authorization in such a simple fashion; and you can easily take it down a flow chart to show what a policy decision tree might look like.

You are a policy engine.

The idea is that the kind of algorithm that goes into a zero trust style policy design is already in our heads. If you’re my best friend, and it’s 11am on a Saturday and you ask to borrow my truck to move some stuff into storage, I’ll likely say yes — I know you, I know you can drive, and the context makes sense. If you called me at 11pm on a Saturday asking if you can borrow my truck to get home from the bar…that’s a no. (But I’ll gladly call you a rideshare to get you home.)

What if I don’t know you at all? Well, then the answer is immediately no — I have no idea who you are, and I highly value my vehicle. What if you asked to borrow my pen? I’d let you borrow it, for sure — it’s a much lower value asset to me. This is the concept of data classification, and it is an inherent starting point for any zero trust journey. If you don’t understand how you value the assets you have or that you’ll create, you’ll never be able to design policies that are appropriate to allow context-based access decisions.
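As an added illustration (not from the original post or the panel), here is the car-lending decision tree written as a minimal policy engine: identity first, then asset value, then context. The trust levels, sensitivity tiers and the 08:00–19:59 window are constructed assumptions chosen to reproduce the truck and pen scenarios above.

```python
"""Toy zero trust policy engine modelled on the 'Can I borrow your car?' analogy.

Constructed example. Decision flow: identity -> asset value -> context -> allow/deny.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 1      # e.g. a pen
    HIGH = 3     # e.g. the truck


class Trust(IntEnum):
    UNKNOWN = 0  # stranger: no authenticated identity
    KNOWN = 1    # authenticated, but no established history
    TRUSTED = 2  # best friend: authenticated and vouched for


@dataclass(frozen=True)
class Request:
    requester: str
    trust: Trust
    asset: str
    sensitivity: Sensitivity
    hour: int    # local hour 0-23; context is reduced to time of day here


# Hours during which lending a HIGH-value asset is considered in-context
# (constructed policy: 08:00 through 19:59).
HIGH_VALUE_WINDOW = range(8, 20)


def decide(req: Request) -> tuple[bool, str]:
    """Walk the decision tree and return (allowed, reason)."""
    # 1. Identity: an unknown requester never gets a high-value asset.
    if req.trust == Trust.UNKNOWN and req.sensitivity >= Sensitivity.HIGH:
        return False, "unknown identity, high-value asset"
    # 2. Asset value: low-value assets (the pen) are lent to anyone who asks.
    if req.sensitivity == Sensitivity.LOW:
        return True, "low-value asset"
    # 3. Authorization: high-value assets require established trust.
    if req.trust < Trust.TRUSTED:
        return False, "insufficient trust for high-value asset"
    # 4. Context: the request must fall inside the plausible time window.
    if req.hour not in HIGH_VALUE_WINDOW:
        return False, f"out-of-context request at {req.hour:02d}:00"
    return True, "trusted identity, plausible context"
```

Each branch returns the reason alongside the verdict, which is what a real policy engine must log so that a denied (or allowed) decision can be audited later.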

Insights on the VC space from the final panel

The final panel was on the state of capital markets in the cybersecurity space. Although the venture capital market is much different than it was back in 2021, there is still VC funding out there to be had if you have a differentiated product. There’s also a looming trend towards more merger and acquisition-type exits vs IPOs. There was also an interesting conversation on how fragmented the industry is as a whole with point solutions, and how MSSPs can potentially step in to be a unifying factor on toolsets — an idea that I definitely want to explore a bit more.

The event closed out with a happy hour and light bites on the rooftop space at Virtru’s new HQ. Dr. Revi Sterling from CARE gave a talk during the happy hour about the work that CARE does, and her personal experiences and insights into how important data security is in humanitarian work, the gender digital divide in emerging countries, and how gender-based violence is in fact a cybersecurity issue in today’s technological age. Real eye-opening stuff, and I encourage you to learn more about CARE and attend one of Dr. Sterling’s talks if you get the opportunity.

Matt Howard from Virtru and Revi Sterling from CARE addressing the crowd

A sincere thank you to the folks at Virtru and all of the other sponsors of the DMV Rising event. This is the start of a robust community, and I can’t wait for the next event.
