The finalists for WashingtonExec’s Pinnacle Awards were announced Oct. 11, and we’ll be highlighting some of them until the event takes place live, in-person Nov. 30.
Next is Cybersecurity Industry Executive of the Year (Public Company) finalist Michael Epley, chief architect and security strategist for Red Hat. Here, he talks about zero trust, supply chain security, the cybersecurity strengths of open source and more.
What were your key achievements in 2021 and 2022?
My focus over the past 18 months has been zero trust. Zero trust is a key part of President Biden’s executive order on improving the nation’s cybersecurity, but the EO leaves a lot of wiggle room for interpretation.
My goal has centered around bringing concreteness to what a zero trust strategy should look like and how best to implement it. As such, I’ve focused on helping our customers and internal teams develop zero trust strategies that work best for their unique needs.
There are other aspects of the executive order we’ve been talking about internally and with customers. Those include the software supply chain and the importance of open source as a strategy to tackle cybersecurity concerns.
Red Hat has focused on vulnerability management for a long time, but last year we really began to push the tools and processes we offer to mitigate vulnerabilities so customers understand how they can use them for their zero trust strategies.
What factors have made you successful in your current role?
Within Red Hat, we built a special-interest group to bring together people who share similar goals of educating appropriate parties on zero trust. We’re working with our ecosystem partners, industry organizations like the Advanced Technology Academic Research Center, and others in the industry to bring zero trust concepts to government leaders.
Red Hat has been working to build an ecosystem to tackle specific cybersecurity challenges such as ransomware and remote work. We have discussions with customers on how they can work with ecosystem partners and existing technologies to build zero trust architectures.
In fact, a huge part of what has made Red Hat a successful partner on zero trust is the ability to collaborate with partners and leaders in both the public and private sectors. The power of working together toward a common goal, sharing lessons learned, and brainstorming on a path toward zero trust is what makes our efforts successful.
What will be your primary focus areas going forward, and how are they important to the nation’s future?
Right now, security still tends to be segregated between different technologies. We have to stop relying on point solutions and specific tactics to stop threats and attacks and become more proactive in building cybersecurity into the fabric of the complex systems we rely on today.
A holistic strategy is the only way to tackle increasingly sophisticated cybersecurity threats. Zero trust is a holistic strategy. It’s also a more proactive approach because the system itself is designed to be more resilient to attackers.
It’s a cliché that security is a cost center, not a profit center. But holistic strategies, like zero trust and building in security from the outset, can help organizations achieve not just security but also can help organizations achieve more secure business functionality. Things like privacy guarantees and data controls are important aspects of that.
How are you helping to shape the next generation of government and industry leaders?
When I talk to government and industry leaders, a lot of those conversations are around what their legacy environments look like and the associated security challenges. Government agencies are all in different stages regarding their readiness for adopting new strategies and capabilities. But regardless of what stage they’re in, all agencies can benefit from zero trust in some way.
That’s why it’s important for me to want to make sure zero trust doesn’t die as the latest buzzword. It’s important to make it real for cybersecurity practitioners and users.
We’ve been building a vision of what zero trust can do for organizations. Now we have to turn toward executing. We have to focus on what’s achievable right now. Zero trust must have a real impact on how we design and build systems and it has real value for protecting systems and data.