Cyber threats and corresponding defenses are always evolving. Eric Trexler from Palo Alto Networks says cybersecurity isn’t about products. “It's about prot...
The threat posed by ransomware and other modern cyber attacks has cast a spotlight on the need for good cybersecurity hygiene across all sorts of organizations.
Recent reports estimate ransomware attacks cost more than $30 billion annually. And ransomware groups aren’t just targeting big corporations, military or industrial organizations. They’re also going after schools, hospitals and other targets that are an essential part of everyday life, points out Eric Trexler, the senior vice president for U.S. public sector at Palo Alto Networks.
“It’s impacting hometown America,” Trexler said on Federal News Network. “It’s expensive. And they’re not equipped, both in personnel and funding, to deal with it effectively today.”
Government agencies and other organizations are having to defend against ransomware and other cyber threats amid a cybersecurity workforce shortage, while also shifting to new tactics like zero trust security. Artificial intelligence and other emerging technologies create further opportunities and challenges for organizations.
Trexler pointed to the Cybersecurity and Infrastructure Security Agency’s “Stop Ransomware” website as a useful resource for any organization wondering how it can stop threat groups from locking up and ransoming its data.
“It’s an amazing page to really help individuals and also organizations better protect themselves and better understand the problem,” Trexler said. “It’s a great benefit from our government.”
Rather than rushing to buy a cybersecurity product or service, Trexler said organizations should start their cybersecurity journey by understanding the risks to their organization and their “high value assets.” War gaming and other exercises can help them understand how exactly an adversary might target them and what they’ll need to do in the event of a cyber incident.
“Too often, we’re in conversations where we’re working with the cybersecurity teams and they can’t articulate why they’re trying to do something or why they want to buy a product,” Trexler said. “It’s not about products. It’s about protecting the organization, the agency, town hall, the hospital, whatever it may be.”
Federal agencies and big corporations are increasingly setting up their cybersecurity strategies around implementing a zero trust architecture. Zero trust is based on the principle that organizations should never trust, but always verify, when someone or something is seeking to access their networks or data.
Trexler said organizations still need to go through the basics of baselining their cybersecurity risks and then defining what they need to do with a zero trust architecture to address those risks.
“It’s not a product problem,” he said. “It’s what do you want to accomplish? What are the business outcomes you’re looking for? Understanding those and then applying technology and capability. And you need to do it in the construct of modernization and consolidation.”
Trexler said zero trust is a “journey,” not an end state that can be reached by ticking off the boxes on a checklist or buying any one product or service.
“Too often, I see people who ask us to ‘zero trust’ a part of their business,” he said. “I don’t even know where to start with that. So we have to do a lot of discovery to understand, what do you mean? What are you trying to protect? How are you trying to protect it? Why are you trying to protect it? And then we can bring technology to bear.”
Even as they attempt to defend against quickly evolving cyber threats and implement new paradigms like zero trust, organizations of all shapes and sizes face a massive cybersecurity workforce challenge.
CyberSeek, a research project funded through the National Institute of Standards and Technology, estimates there are more than 570,000 cybersecurity job openings nationwide.
“There aren’t enough people in the industry, so we’re still learning as we bring new people into the industry,” Trexler said. “It’s getting back to business. It’s not a technology problem, per se. Cybersecurity exists to protect the business from adversarial activity.”
Beyond traditional IT skillsets, Trexler said there’s an opportunity for creative individuals to break into the cyber industry.
“The creativity that I’ve seen brought into the industry, from people who don’t have an IT or a computer science degree, is incredible,” he said. “So many times, their minds are more open to the art of the possible. That’s where innovation comes from. So there’s an endless amount of opportunity.”
Meanwhile, agencies and companies across the world are considering how they can apply artificial intelligence and machine learning to their operations. In the cybersecurity arena, AI technologies have the potential to be “friend or foe,” Trexler said.
“Adversarial activity with AI is speeding up. It’s getting creative. Think about deep fakes. Think about someone who doesn’t speak English very well, who can use an AI tool to write a phishing email that you and I might actually click on it,” Trexler said. “So the adversary is using it very heavily to attack us and creating a faster time to penetrate the targets.”
However, cyber defenders are also finding utility in AI and automation to help address security challenges, especially amid the shortage of cyber talent.
“We’re using it in our technology, our tools with our customers, to lower mean time to detection, and mean time to remediation,” Trexler said. “How do we respond and then fix that? We don’t have enough humans. Humans can’t get to all the alerts that are out there. So we have to look at machine-based ways to get the really hard problems to the humans, but just machines handle everything else, because the adversarial activity is speeding up significantly.”
Senior Vice President, U.S.
Eric joined Palo Alto Networks in September of 2022 and oversees the US Public Sector business. Most recently, Eric Trexler was the Vice President of Sales, Global Governments and Critical Infrastructure at Forcepoint. Eric was responsible for Global Go To Market operations to include all components of sales, sales enablement, and field and product marketing. While at Forcepoint, Eric’s team doubled the size of the business over a five-year period to nearly $400M in annual sales and strategically moved a large part of the business to the Public Cloud.
Eric has nearly 30 years of experience in technology across the public and private sectors, including Department of Defense, Civilian, and Intelligence communities, along with International governments. Eric has combined his sales savvy and technical skills with practical knowledge of leadership fundamentals to solve global cybersecurity issues for his customers and the business.
Prior to Forcepoint, Eric was the executive director for Civilian and National Security Programs at McAfee (formerly Intel Security). Earlier in his career, Eric worked at Salesforce.com, EMC, and Sybase. He spent four years as an Airborne Ranger with the U.S. Army specializing in communications. Eric holds a Master’s Degree in Business Administration and a Bachelor of Science in Marketing from the University of Maryland at College Park. He was the co-host of the award-winning “To The Point Cybersecurity” podcast with over 200 weekly episodes covering various cybersecurity topics, and he regularly writes bylines for cybersecurity and national periodicals.
Reporter, Federal News Network
Justin Doubleday is a defense and cybersecurity reporter for Federal News Network. He previously covered the Pentagon for Inside Defense, where he reported on emerging technologies, cyber and supply chain security. Justin is a 2013 graduate of the University of New Hampshire, where he received his B.A. in English/Journalism.