We were delighted to sit down for a half hour with Gary Barlet, public sector chief technology officer at Illumio and fresh off his induction into the 2024 class of Cyber Defenders, for a wide-ranging talk about government cybersecurity needs, the criticality of the current zero trust security transition, and the multiple facets of artificial intelligence (AI) technology in the hands of both adversaries and network defenders.
MeriTalk: Gary, congrats on the Cyber Defender award! Tell us a little bit about your job and the security work that you are doing at Illumio?
Barlet: I’m the public sector chief technology officer and I have a few different key things that I’m responsible for. First and foremost is outreach and helping people understand what Illumio does, how we fit into the public sector, and what kinds of problems we can solve. That’s the marketing aspect.
The second thing is that I’m the translator, so I help the company really understand what the public sector is talking about, and the language of public sector, budget impacts and things like that. I served in the Federal government for 30 years including 20 in the military so I understand how those processes work, the mindsets, and the politics. I translate those for the company so we can understand the public sector and help interpret their needs. I’m on that edge.
And the last piece is I meet with Federal executives, so if there is going to be a meeting with a CIO or a CISO I’ll get on that call because I can do two things. I can pick up the nuances of exactly what they are saying, and I can help translate back to them. Sometimes the discussion will get very technical and I can help to elevate that conversation and help them present things in a way that executives can more readily consume at the business level. My job is to identify pain points and translate what we can do to fix them – and not so much just the ones and zeroes.
MeriTalk: In the bigger picture on security, what are some recent policy and tech trends you are seeing that are helping to improve security and that we should be doing more of?
Barlet: The embrace of zero trust security is very hopeful to me. Zero trust does a couple of things, one is that it talks about the fact that there has to be interoperability with tools, because no vendor is a true zero trust provider. And number two, it goes beyond the traditional “Hey, we need to just know who you are,” and really gets into the contextual things of identity like where are you, and a lot of other things that context, and then conducts constant validation of that identity.
The last piece is – and this is kind of the new part compared to the traditional security model – and that is to assume breach. It’s the first security model that really embraces this concept of we’re not always going to be successful keeping the bad guys out. We have to assume they’re going to get in at some point and then ask the question, what can we do once the inevitable happens? Traditional security models had usually been focused on just throwing more defenses up to keep the bad guys out.
MeriTalk: Does anything else catch your eye on hopeful trends?
Barlet: So there is the double-edged sword of artificial intelligence. Adversaries will use it to get better at what they do. But there’s also the positive side of the good use of AI in trying to combat cyberattacks and cyber penetrations. I think it bears a lot of promise.
I think that we’ve had this conversation for years about AI and machine learning and how it’s going to solve all of our security problems. I think we’re really now getting into the practical applications of AI and whether it can elevate cyber defenses without relying on tons of people and knowledge. I think that we’re starting to get closer to that reality of AI actually benefiting IT security and living up to the hype.
MeriTalk: And on the flip side of that, does AI also look like a security challenge over the next year or two?
Barlet: So you can ask AI to draw you a picture and you might get a result back where a human hand has six fingers on it. How does that translate to IT security? If we’re relying on AI to provide us with no-touch security, what are the six-fingers aspects of AI security that we’re not going to see, unless we dig deep? So the thinking of trust but verify is still going to have to exist, because the technology is not yet at the maturity point where it can be set it and forget it.
MeriTalk: Great point on AI hallucinations…
Barlet: What if the AI thinks it’s doing something good and opens up your entire enterprise to the internet? That’s something with the potential to go unnoticed until something bad happens. Conversely, what if it says for some reason the best way to secure this is to just turn everything off? That’s my concern about AI is the fact that it’s going to autonomously make some decisions. And we’re only going to find out when something bad happens.
MeriTalk: Does anything else come to mind in the category of challenges?
Barlet: In the public sector but also in general, it’s the expertise, it’s the skill sets, it’s the resources that you need. That’s where they say AI is going to help alleviate that, but you still need smart people that understand it and that understand how these things are deployed. There’s this concern starting to grow that we’re turning so much stuff over to automation that nobody’s going to understand how anything really works. Losing that kind of expertise is dangerous.
We don’t have access to enough resources. Look at the number of cyber jobs that go unfilled and translate that to the public sector, and not only do they have jobs that are going unfilled but they have to compete with the commercial sector on pay and other things. So there is competition for limited resources, and that pool of resources is getting smaller.
MeriTalk: How did you find your way to the tech security field, was it something that always seemed like a natural path or was the path more complicated?
Barlet: When I was a kid I got bitten by the technology bug but then as I started getting older I started thinking I was going to become an aerospace engineer. I knew I was never going to fly airplanes because of my vision, but I fell in love with this idea of designing the next fighter aircraft. So I got to school and two things happened. Number one, I realized that the math that I love I suddenly hated because it was very complicated and very hard. And number two I fell back in love with IT because the only classes I enjoyed and was doing well with were in IT, so I switched my focus there.
Then I joined the military and the way the military works they said what do you love to do, and I said IT, and then they said that’s exactly what we’re not going to have you do. I spent the first half of my military career really not much involved with IT, but at the halfway mark I got back on the IT track in the military and I was much happier. I’ve been following that track ever since.
Having said all of that, I’d also like to put in a plug for public service, both military and civilian. Public servants show up every day and do the jobs that are necessary to support the country, and a lot of times they don’t get enough thanks for it, but that thanks is well earned and deserved.
MeriTalk: Finally, what do you enjoy doing in “real life” that doesn’t have anything to do with technology and security?
Barlet: I enjoy reading, and watching historical documentaries, and murder mystery whodunits, unsolved murders, political thrillers, stuff like that. I’m a Netflix junkie.