Working as a CIO and the challenges of endpoint security

Chris Sienko: 0:00

All right. Today on Cyber Work, our deep dive into manufacturing and OT cybersecurity brings us to the problem of endpoint security. My guest, tom Molden, the CIO of Global Executive Engagement at Tanium, has been grappling with these problems for a while. We talk about his early formative tech experiences pre-Windows operating system, his transformational position, moving from fiscal strategy and implementation into his first time as Chief Information Officer, and we talk about the interlocking problems that come from connected manufacturing devices and the specific benefits and challenges to be found in strategizing around the endpoints All of the endpoints, not just the computer terminals. All that and some very good career advice for teams and for personal growth.

Chris Sienko: 0:40

Today on CyberWork Hello and welcome to this week's episode of the CyberWork with InfoSec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. My guest today, tom Molden, is the CIO of Global Executive Engagement at Tanium. Is that Tanium or Tanium? Sorry, tanium, tanium. He has over 30 years of leadership experience in technology, mainly in manufacturing and high-tech industries. Tom has a deep knowledge of how large enterprises and manufacturing organizations operate. So we've been talking a lot about the manufacturing sector, the last couple episodes here and the security involved with it. Tom had some specific insights in our pre-conversations around endpoint security and we'll cover some of that as well, but we're also just going to get a little bit of Tom's whole cybersecurity journey. So, tom, thank you for joining me today and welcome to CyberWork.

Tom Molden: 1:42

Thank you, appreciate it, love to be here.

Chris Sienko: 1:44

So, tom, to get our listeners on board with what you, your interests and connection to the field, can you tell us about your early interest in computers and tech and security? Was there an initial spark? Was there a teacher, or did you just get kind of get excited on your own and learn it in that way?

Tom Molden: 2:02

Yeah, happy to share. So I got involved with computers in the late 80s. I did not have an education, a formal education. There really wasn't much in the way of that. I think I had a basic programming course in college at one point, but I joined the car rental industry when I came out of college.

Tom Molden: 2:22

I was living in Europe and at the time PCs were just starting to kind of come out and the whole concept of moving off of a mainframe and doing things you know somewhat more cheaper and efficiently was kind of fresh. And I happened to be in the right place at the right time and the company I was working for was making the move to try and start designing car rental software for PCs. And we experimented with a small business unit that I was involved with working in, and it was really kind of a fluke, more than anything else, that I happened to be the guy that they said hey, can you go figure out how to deploy all these PCs into these car rental stations? And I did it and it was a lot of fun. I learned a lot about computers and I learned a little bit about software and things like this, operating systems and such. This is pre-Windows, you have to remember, and the one thing that really was the spark to your question was when I started to figure out the power of having data right.

Tom Molden: 3:25

So, if you can imagine the car rental industry how important it is to have data at your fingertips about vehicles, about customers and such. I was sitting in my office, you know, downloading data from PCs that was being sent to me on disks in the mail onto a computer and putting them in a database management system and figuring out how to write queries and I realized very quickly that there's a ton of power here and there's a lot of questions I can answer and a lot of insights I can derive from this and I kind of made a little bit of a career for myself in doing so and that was sort of the spark that started my interest in technology. That was really the power of data Interesting.

Chris Sienko: 4:06

Yeah, you kind of alluded to it with regards to getting you know floppy sent to you and making your own system. But like what was? What was data? You know how? What was was? How was data used at that point? Like what were, how does it differ from now? Obviously, now we have you know all kinds of fine grain, ways of analyzing and stuff.

Tom Molden: 4:29

But what were people looking for in the data and how was it being used?

Tom Molden: 4:31

If you think back to the mainframe days right, where you had data being entered into sort of dumb terminal or data being created in dumb terminals, you know people doing sort of data entry into sort of headquarters systems, mainframes, and you know waiting for some period of time to walk over to the printer and get this big pile of green and white striped sheets that were coming off there that had some sort of data on them, and then you had to figure out you know whether it was useful, how to use it right.

Tom Molden: 4:59

You really had little to no insight into the business. The main driver was to calculate commissions you know commissions for rail stations, for example and that was a process that would take weeks and weeks and weeks at the end of every month and then it was never accurate. There was a ton of inefficiencies, and so when we were able to start looking at actual data that represented actual facts in the business, kind of day of it changed everything. It made a huge difference just from the perspective of being able to pay commissions to agents working car rental stations, for example, and then, beyond that, understanding like fleet utilization and understanding the performance and all the types of things that you would love to be able to do, which you couldn't do at the time, became possible, and that was a kind of an overnight change.

Chris Sienko: 5:51

Wow, yeah, so so.

Chris Sienko: 5:54

So, from going to data to sort of the security of data, I mean, you know, open, secret one of my ways to sort of get to know my guests before they come on, as I go through their LinkedIn profile and especially their the experiences section, their job history, you know, and it's very helpful in getting sort of a narrative, and especially with yours, with you know your positions at a past company, amd, because reading between the lines, I felt like I saw like a major transition point in your career and you can tell me if I'm overthinking this or whatever transition point in your career, and you can tell me if I'm overthinking this or whatever.

Chris Sienko: 6:26

But in 1998, you were hired by AMD in the role of senior manager, financial planning and analysis, with roles like capital building projects, mergers and finding operating efficiencies by consolidating financial controlling modules into a single service. But, you know, by mid 2000s, you started working in overall strategy of the company, creating sales and marketing roadmaps and overseeing post merger integration of AMD's then recent acquisition, a ATI, which has more tech but is largely for other purposes. And then so we cut to 2008, though, and you're now AMD's Director of Information Technology and Strategy. So this feels based on my limited view and maybe different from what you told me there like a transformational moment where you moved toward your work now as a Chief Information Officer. So you noted in, you know, the written section of your experiences that you were promoted into this position by the previous CIO. So can you tell me about this transformational moment? Am I making too much of it here?

Tom Molden: 7:16

No, I think you're actually, you're accurate, I mean. So I started my career, like I mentioned to you, somewhat by fluke in technology, always have been around technology, I've always had kind of a you know, kind of a love affair with technology in some way shape or form, and the power that you know, that you can, that you can bring to business outcomes, right, right. And then I ended up I was working in Germany for many years and I moved back to the States and I went and got a business degree, a graduate degree, because I felt like I wanted more formal business training. And that's how I ended up in the semiconductor industry and I very specifically wanted to go work in the finance space to understand more about how the business runs. And and I guess I just found myself always working on the technology end of the business and always in this intersection between the business and the technology groups, right and and. So I sort of naturally gravitated towards, you know, helping run these big strategic initiatives, because they always have some kind of technology component to them.

Tom Molden: 8:25

When you buy a company, when you carve out a company, when you, you know, do any kind of a transformational change, there's a technology component to it, right More and more. And so, you know, the point came at which I was very much kind of on the on I'll call it the, the, the tip of the business spear with respect to kind of driving the priorities for technology investments Right, okay, and then what? What caused the change for me was there was a shift really in the strategy around, uh, leveraging technology in the company and a new CIO hired that was given a much broader mandate and much bigger, I'll say, set of goals around driving business value with technology. So, like in many companies, there was sort of IT as an order taker, cost center type department doing really sort of basic infrastructure work and then maybe running an ERP system sort of scenario. And then the goal was, ok, let's get much more ambitious in terms of how we're going to leverage technology in the business.

Tom Molden: 9:34

And then so I was, I would maybe say, plucked out of my role and asked to go. Sometimes when they offer you a promotion, it helps, you know, go run strategy on the IT side. So I basically switched back over into the technology world, really still sitting at the intersection between the business and technology, just on the other side of the fence, right, and you know, and I sort of I wandered down this sort of you know in-between path for quite a while until at some point I had to make a decision in my career my you know my IT guy or or finance and strategy guy, and you know I've ended up being in IT. You know the rest of the story you know as well too. I went on to General Motors to help drive the transformation of IT there and such, so I've been pretty firmly entrenched now for a number of years as an IT and a security executive.

Chris Sienko: 10:29

Yeah. So I want to sidestep a little bit into that because, as I say, your career path gets a little more linear. At that point you have the CISO role at General Motors and leading to your current role as CIO of Global Executive Engagement. Now for clarification. A lot of our listeners have told us that they're aspiring eventually to be CISOs Chief Information Security Officers and they may be less familiar with the roles and responsibility of a CIO. And I mean I understand that those are kind of different from position to position. Can you talk about how a chief information officer differs from a chief information security officer and whether the two sort of interact, or is it one is one is, you know, used in this company and the other is used if there's other sort of?

Tom Molden: 11:13

requirements. Yeah, sure, I mean, you know it differs from company to company and industry to industry, and I think it's also it's constantly evolving, right. I mean, uh, you know, several, not too many years ago really, you know, the cso role wasn't even a given and a lot of companies I'm I remember not having a cso no one even mentioning that. You know the the the term cso? Right, we had a security person that worked somewhere in a department, somewhere, and you know, and and monitor traffic and something like that. And obviously, as information security has become more and more important over the past, let's say, a couple of decades, the role has matured and is still maturing, I would say. And then, so you'll see, in a lot of enterprises where a CISO reports to a CIO, it's part of the IT function. Other enterprises where, well, no, it's actually not, it's got aspects to it that are not just IT or information security related. There's product security, there's cyber, physical security, there's all these different types of security and things like this. So I think it varies, but primarily, I would break it down this way If I just sort of focus on information security, right, the CISO, your main charge is to protect yes, protect the enterprise, protect our IP, protect our customers, protect things right, yeah, protect our customers, protect you know things right.

Tom Molden: 12:45

And if you think about the role of a CISO and the mandate of, excuse me, of a CIO, right, there are many more perspectives. Right, the CIO has to look in different directions, right? So the CIO has a technology state that they're entrusted with managing and protecting right, and that's a job in and of itself, right. Keep the lights on, keep the motor running, make sure everything's you know up and running when we need it to run, et cetera, et cetera. Right, and do that all with less money than you need, et cetera, et cetera. Right. And if you swivel the chair around, right, and you take the CIO role and you look at the other perspective towards, let's just say, the peers, the functional leadership peers in the enterprise, you have a mandate to enable them, to enable them to innovate, enable them to drive business outcomes, et cetera, et cetera.

Tom Molden: 13:37

And you might argue that's actually probably the highest pressure part of the CIO job, right?

Tom Molden: 13:42

So you have this tension that exists naturally between, like this pressure to drive business outcomes, drive innovation, right, versus well, hold on, I got to go manage and protect all this stuff as well too.

Tom Molden: 13:54

So, you know, traditionally, when I spent my stint working in the, you know, in the information security space, you know I was always trying to figure out ways to change the perception of security from like the boat anchor, you know, I was always trying to figure out ways to change the perception of security from like the boat anchor, you know, or the sand in the gears right, you're holding us back from innovating.

Tom Molden: 14:12

Right, and I think you know the world has progressed past that, right, and you know, a lot of times when you talk about security today you're talking about securities and enabler and things like this, right, and DevOps and SecDevOps and all these things have evolved to, you know, to kind of make it part of the mainstream. But really, at the end of the day, this tension still does exist, right, between like having to like have your foot on the brakes and be ready to pump the brakes and make smart decisions, versus foot on the gas, drive innovation, drive business outcomes, right, and so the primary difference I would say, you know, between the roles is that the CIO is kind of being pulled in both directions.

Chris Sienko: 14:57

Yeah, beautifully put and it goes nicely towards my next question here, because I wanted to talk about your current role as a CIO Global Executive Engagement for Tanium and, to quote you, you describe your responsibilities like this in this role, I have the opportunity to leverage my experience as an IT and strategy executive to work with clients, industry experts and the partner ecosystem on solving some of the most complex problems facing manufacturing and industrial companies. So you know, a lot of times, like you know, a phrase like that can feel boilerplate, but that there was something so very specific and interesting about that to me in yours so I wanted to ask if you could walk me through a bare bones version of the types of complex problems that you're helping manufacturing companies solve with this role.

Tom Molden: 15:45

Yeah, sure. So you know, I made a pretty significant shift in my career from being an executive and a practitioner to, you know, being on the vendor side of the table and in the software space, right. And so the problems that I experienced working in the manufacturing world had a lot to do with what I call the convergence of technology domains, right, I think there's sort of underlying theme.

Tom Molden: 16:21

Let's just stay with manufacturing. You know, in a manufacturing world if I use it very broadly, which you know, let's just say the industrial world you know where you've got technology domains that have historically been very, very independent, that have grown up independently, managed independently, very autonomous. You know I'm speaking about IT, I'm speaking about industrial controls, or OT as we refer to it, and then there's also product technology, the amount of embedded technology and products Automotive is the example, of course, that most people would relate to right away. These are technology domains that are so historically independent and separate. Right the skill sets that are in engineering, like between IT, software engineering, manufacturing, engineering, product engineering. Right the technologies. Right the basic differences between standard operating systems and real-time operating systems. Right Proprietary protocols in, let's say, industrial environments versus more standard, open protocols in IT environments. And you know who knows in the product space and then sort of you know all of the advent of IoT and sort of.

Tom Molden: 17:38

You know this has created, you know, a real challenge, I think, for manufacturing.

Tom Molden: 17:47

That cause there are no, there are no solutions in the market this is going to be my opinion here, of course but uh, with which you can sort of manage and protect across all of these domains, right, people are trying to figure out how to do it and uh, and they're trying different things right. But out how to do it, and they're trying different things, right. But you know, the fact is I always saw this challenge and I always saw the the lack of the lack of sort of response or solution in the market for managing across these technology domains. Right, and so you know, when I, when I came to tanium and I had new tanium before I came to tanium I saw, I saw technology, a platform that you know, that has potential to build a foundation for where we're going to be heading, I think all collectively, with respect to managing and protecting across these technology domains. I don't know if that makes sense, but that's sort of the fundamental challenge that I see in manufacturing. Of course, there's tons of other ones.

Chris Sienko: 18:45

Yeah, that's interesting. So, in the fact that you're working with vendors and your clients and so forth, you're having to kind of get up to speed with the individual issues in a lot of different industries. I imagine, then, right, so each new sort of case you take on, there's a lot of new contingencies. There's a different sort of approach to, as you said, I imagine, dealing with connected cars versus other things that require IoT versus other manufacturing areas. So is that part of the thing that you especially enjoy about this?

Tom Molden: 19:20

business. Yeah, I mean, yes, this is one of the things I really love about this role that I'm in is I do, you know, I mean, number one. I get to interact with, you know, with really smart people and high levels of leadership in really interesting industries and companies, and that in and of itself is fun, yeah, and intellectually, you know, motivating and meaningful. But at the same time, you know, I also get to sort of look across industries and it's almost like having been a practitioner for so long but now, getting the view across all these different industries, I get to sort of compare and contrast how things are being. You know, what the challenges are then, how they're being managed, and you know it's actually pretty interesting how much similarity there is between the challenges that different industries have.

Tom Molden: 20:12

And I'll come back to what I said about this convergence of technology domains. Right, whether you're in the medical field, you know, trying to figure out how to bring the cost of health care down, how to deal with, like you know, a massive consolidation in the industry, the industry and uh. Or whether you're an automotive, trying to figure out how to meet regulatory requirements across all these connected vehicles, or whether you're in pharma, or whether you're in, you know some kind of or say, an energy, right, yeah, right. The challenge is, if you bring them down to this, this sort of point around, converged technology domains are kind of similar. Okay, right, like, how do you get end-to-end visibility and control across these technology domains? There isn't a platform that does it today, right, right.

Chris Sienko: 21:09

Right, but it also is that actually the sort of goal is to create the sort of Uber platform to dealber platform to deal with that, or or is? Is it just the realization that each case is going to happen.

Tom Molden: 21:22

Well, I, I think that's where we're headed. That's why you think about thought leadership for a second. And, like you know where, where's the world headed? Right, I, I feel like that's where the world's headed. You know, having a platform, you know that will give you complete visibility and control over all of your IT assets. That in and of itself, is great. Not everyone has that, right, people would love to have that right Now.

Tom Molden: 21:49

If you extend that across other classes of assets, right, I think you know the bar has been raised in terms of what people expect and want now. Right, I think you know the, the, the, the bar has been raised in terms of what people expect and want now. Right, it's like no, I want to see all my IT assets and my industrial assets. And you know what I want to see all my product, embedded product assets. I want to see them all in the same place. I want to cause. They're interdependent, right, my, my, my connected vehicle can't operate with all of the you know IT infrastructure that surrounds it, right, neither can my factory, and so on and so forth. Right, so I think you know where we're headed as an industry. And again, if you think about regulatory requirements, go look at some of the latest regulatory requirements come out. You know they require you. The latest regulatory requirements come out. You know they require you to be able to build controls across these technology domains. Yes, the technology to manage and protect these things is still catching up.

Chris Sienko: 22:47

Right.

Tom Molden: 22:48

That's how I look at it, yeah.

Chris Sienko: 22:51

So that's that's. That's exactly what I was I was hoping to hear, thank you. So I you know I said I've had a bunch of great recent guests talking about industrial control systems and manufacturing security challenges and infrastructure and that's focused of our talk today as well manufacturing security. So to go from the interconnectedness and the sort of like asset detection of it all, like what are some of the big challenges from a security perspective right now, Are there certain commonalities in terms of where the attacks are coming from, where the cracks are in the defense and what type of consequences we're seeing?

Tom Molden: 23:27

Yeah, I'll share my viewpoint on this, I think you know. Let me just start by saying you're going to find people with different viewpoints here, you know, and there's a lot of people with deep expertise in the industrial control space and, as these two worlds of industrial controls and IT are converging on one another, there's people with differing opinions and different levels of expertise in there. I would call myself more of a generalist in the middle here. Yeah, um, but you know what I'll tell you is, you know, the the biggest problem is that factories are now connected to the internet I mean that's you know, I still have conversations with people that say, well, why do I worry about my you know controls within my factory environment?

Tom Molden: 24:13

you know, it's, it's, it's, it's, it's, it's completely air gapped and gapped. And I don't, and I don't, you know, I don't have a connection anywhere, I'm not really worried about it. I was like, well, that's actually not true. I mean, more and more, you know, your factories are connected to the rest of the world. Right, and regardless of how much you invest in, in, in, in sort of retaining your moat and drawbridge approach to protecting them, the pressure is in the other direction. Right, and so you know, and if you want evidence of like, why it matters, all you have to do is just go look at ransomware stories, right, I mean, you know, shut a factory down and you're done. Right, that's the end of the road for you for some period of time. And so you know, it matters, the impact is huge, right, and so, and you have to address it.

Tom Molden: 25:07

And I think there's been sort of a journey of bringing people along to realize, no, I have to address this, and I think some companies, from my observation, are further ahead than others on it. Some companies have been looking at trying to figure out how to bridge this IT and OT for 10 years now. Others are still in the process of trying to figure out what it means, and then there's all pieces in between. And so, for sure, if someone has ransomware at your factory, you care about it and you're investing in it, right, you know, if they haven't and you don't really feel like there's much of a threat, maybe you're still investigating, right? I think it's the. At the end of the day, the regulatory requirements are going to bring everyone, everyone kind of to the table, so we're going to bring everyone, everyone kind of to the table onto the same page there.

Chris Sienko: 26:00

Yeah, yeah, yeah. So I mean, yeah, I think that sort of that bouquet of issues that you brought up is is kind of what I wanted to talk about, because you know, like I said, we've had recent guests talk about things like increasingly connected devices, like video product inspection or smarthousing, or the added dangers that come with edge computing practices with regards to collecting data in those places, and those are the sorts of things I think you said where it's like, well, this isn't air-gapped anymore, like now, even the most sort of dumb technology is pouring data into something central that can be breached. So, you know, one of the things I like to say is that the fun and innovation of cybersecurity is that there's no problem has a single solution and, no, you know, one type of specialty is going to solve all the problems. So, you know, I've heard related but different solutions to problems in this space. You know whether it's, like you said, building the moat and drawbridge, or whether it's, you know, working right in with the sort of like the timing of the systems, or sort of seeing, like OT systems and sort of more monitoring whether they're making changes, like with the water filtration, and whether there's suddenly you know new, you know things coming into it or whatever.

Chris Sienko: 27:17

But we haven't specifically talked to endpoints and that was kind of the focus I wanted to have with you here. So when we talk about endpoints obviously you've said it already a little bit, but we're not just talking about user workstations here, we're talking about all of the assets. So and you said that that's something that we're having a hard time coming to grips with but can you give me a better sense of the scope of endpoint issues that you work with?

Tom Molden: 27:42

Yeah, sure, look, I think first of all the way I think about manufacturing and security is in terms of these domains, the IT and the OT domain. And if you start with sort of you know your classic corporate IT domain, I think everyone pretty much understands how that's structured and how it works right. And if you go over to the manufacturing side of the house, you know you have, if you think about operational technology as industrial controls, if I just focus there for a minute right.

Tom Molden: 28:13

You've got industrial control systems that are running in factories that have been around forever. Right. It is in many cases older than IT. Right, and very mature processes for managing these. Right, but with, you know you might say nary a concern for security, historically right. And so these systems weren't designed with security in mind. They weren't, you know, built to be, let's say, managed from a protection perspective, right. And so you've got these industrial control systems right, and they are also proprietary. Right, there are different protocols depending on which types of technology you're using in there.

Tom Molden: 28:54

Right, there's a number of different vendors that build and service, manage these industrial control systems, whether they're in an oil refinery or a factory or, you know, a logistics environment or whatever. You know these are not IT systems. For the most part they're OT or industrial control systems. They run on different operating systems with different protocols and such right. And so you know it's hard to imagine, or it's hard to manage, across all those you may have, you know, five or six different major types of technology in your industrial controls environment and how do you manage across all of them? Each vendor is going to give you access to managing theirs, right. So that's sort of a fundamental challenge. But I think really the more important challenge to recognize in the manufacturing space is that all of those industrial control systems have some sort of a control layer to them.

Tom Molden: 29:41

Okay, people talk about Purdue model a lot in manufacturing, where you start looking at sort of the layers of assets and device types and such right, that begin at the very bottom, with level zero, which are your field bus level, you know, actuator sensors, things doing repetitive work in an environment, all the way up to the very top, which is sort of your control layers and your corporate systems, right, which could be an MES system, right, manufacturing execution system, or I could be an ERP system that you're communicating with.

Tom Molden: 30:09

It could be just a basic control system that's managing these industrial controls, managing these industrial controls. At some point as you go up the stack you have IT equipment running industrial controls equipment or governing it, managing it, taking outputs from it and sending it somewhere, et cetera, right? So I think the most important thing to recognize is that you have a bunch of IT in your OT, right, and that IT is, you know, it's endpoints, right, it's endpoints running Windows, linux, whatever it might be Right, and so you know, and historically that class of assets has been, I would argue, very much undermanaged.

Chris Sienko: 30:51

Oh yeah, that seems to be the consensus of people I've talked to so far. Yeah, Right.

Tom Molden: 30:55

So you know your sort of traditional manufacturing engineering teams that are focused on these industrial controls kind of, you know, acknowledge that they need the IT group to maybe provide them with network access and some email and maybe some storage to put their stuff in, but really, other than that, they manage their own Right. Yes, sure, and a lot of these types of assets and endpoints that you're seeing in a manufacturing environment actually vendor managed Right, and so so. So there's a complexity there, right, yeah, and so for me, that is really in today's world where I would be putting my focus Right Is on how do I better, more effectively manage those and protect them Right, and that starts with things like just visibility what are they? And protect them right? And that starts with things like just visibility what are they Right? And then you know basic things like hygiene patching. You know you wouldn't be surprised to go into a manufacturing plant somewhere and find a Windows box that hasn't been patched in years, right?

Tom Molden: 31:49

Yeah, yeah, things that have been set up 20 years ago that couldn't possibly be patched at this point, yeah, and at some point somebody said I don't ever care about patching this thing, no one's ever going to access it. Right, well, you know how are you? Because you've also got security cameras and this and that and all these other things that are running in your factory, that are connected to a Windows box somewhere, that are sending data in and out of your network.

Tom Molden: 32:14

And so how do you how?

Tom Molden: 32:16

And so to me, that really needs to be the focal point is to look at how effectively am I able to manage and protect that IT portion of my OT environment? And that really begins with visibility, but also with collaboration between manufacturing, engineering teams and IT teams, which have historically not always worked together oh for sure. So you have to build that collaborative bridge. You have to have a common understanding of what we're trying to achieve and the fact that, yes, we do need to bring IT methods into your OT environment and we need to figure out how to do it, because you can't copy paste them in there. It's not going to work. You have to figure out how to do it collaboratively. That, to me, is the single most important thing to focus on. If you think about where breaches are happening and you think about where people are getting in to sit inside your environment and look for an opportunity to shut your factory down, wherever it might be, it's through those windows boxes, if you want to put it that way, right, generally speaking, that they're going to come in.

Chris Sienko: 33:27

Well, to that end, I mean, you know you've sort of laid out a couple of different historical and modern approaches from a security standpoint of what you know how to solve the problem of 20, security standpoint of of what you know how to solve the problem of 20 year old, you know, operating technology systems or or things that don't necessarily chain up well with it. So when you're putting, how does the response, I guess, to manufacturing security issues differ when the focus is on endpoint security, like how do the signs of a breach show themselves differently when you're focusing on endpoints? And if something does get through, how does the triaging of the situation differ from the endpoint side of things versus the sort of Moten and Jarvis approach?

Tom Molden: 34:10

I'll start by saying this In today's world you cannot rely on endpoint alone in the manufacturing space, right? This goes back to my very starting comments about there's no end-to-end solutions. Right, you can't. You can't manage devices in the industrial controls environments like you manage a pc, right, you can't put an agent on there and interrogate that endpoint and you know and command that endpoint. The same way that's happening through protocols. You know that are built and managed and they're very proprietary. You know that are created by the vendors of those devices. Right, they've been the makers of those devices and so you have a challenge.

Tom Molden: 34:51

Right, and the way that that's being addressed today in the market is people are. You know they're listening to network traffic, right, so they're identifying. You know information about devices in this environment by tapping into network traffic and listening to what these devices are saying to each other and how they're identifying themselves and stuff like this. Right, so it's a non-invasive approach. We call passive scanning, right in in some environments, and so that's what's available in the market today. You know my, my case would be you. You have to have that. Plus, you know the endpoint approach where you can't, can't actually get a hold of, manage and and and control and protect the endpoint, right, um, because obviously, if you're listening to traffic on a network, you can't do anything. You can only listen, listen, right.

Tom Molden: 35:38

And so my first, I guess, guidance is you know you have to look at both of these in concert, no-transcript, so it's almost like an aggregation of data you're going to get from your endpoints versus what you can pull off the network traffic, your port spans or whatever you want to call it.

Tom Molden: 36:13

And so where we're headed, I think, in manufacturing, is going to be more of a heterogeneous management of the assets. We're headed into a place, I think, where you're going to find platforms that are going to be able to see everything and it's not easy because you're dealing with completely different technologies, right, but someone's going to figure out and I know that people are working on figuring it out you know how to make these different types of protocols communicate with each other and how to get like let's call it, you know uniform view over all of these assets. And then, I think there'll be a new class of new class of solutions that are going to emerge. You know either, from the one side you know the folks that are doing OT security solutions today with passive scanning, and from the other side, the IT guys that have got the endpoints and such right. Somewhere in the middle there'll be a solution that evolves. That's kind of my viewpoint.

Chris Sienko: 37:12

I think you're right. I think that seems quite logical. So I want to move to from the tech that's coming in the future to the workers that are coming in the future. As I mentioned always at the top of the show, a goal of CyberWorks to help students and new cybersecurity professionals sharpen the skills needed to enter the cybersecurity industry or maybe people later in life changing careers, say engineers or or people in you know the sort of more mechanical side of manufacturing. So for those who are wishing to make their mark doing this type of manufacturing security work, tom, do you have any advice about the most important sort of technical skills or experiences or training paths or certifications, or just even just interpersonal and creative skills that they need to sort of get up to speed very quickly in sort of manufacturing spaces like this?

Tom Molden: 38:03

Yeah, I mean this is a tricky one, right? Because you talk to a guy my age and like things are evolving so fast.

Chris Sienko: 38:13

Yeah, yeah, right.

Tom Molden: 38:13

It's very hard to keep up, right, I think, just fundamentally to recognize the difference between sort of manufacturing engineering or industrial engineering and information technology or computer science, right, Uh, you know, and, and, and, and find opportunities to kind of be part of building the bridge between these. That that's where the future is. Um, you know, the same applies for for embedded product technology, right, If you just stay with the automotive, you know world that I. For embedded product technology, right, If you just stay with the automotive, you know world that I'm quite familiar with. Right, If you think about vehicle architectures and what they call software-defined vehicle architecture. Right, I mean, you know more and more and more. You know it's software, it's computer science, right, yeah, yeah, right.

Tom Molden: 39:04

And, as opposed to you, know product engineering right in a vehicle, and so to me you know, finding opportunities to be on that intersection you know where these things are overlapping, is probably the most exciting place to be, and it's probably also the place where, if you can develop skills there you know the most, the most opportunities will will be.

Chris Sienko: 39:29

Well, on the other side of that coin, are there particular skills gaps that you're seeing among people who are trying to get into these types of positions and careers? Are there certain things that you consistently, consistently see lacking in job candidates that you might be looking at to hire in this, in this space, that you'd like to see more emphasized in the future?

Tom Molden: 39:55

I'll be maybe a bit more general here, but one of the things that I've seen consistently throughout my career is is, you know when, when you have, like, people tend to love people with technical skills, right, I want people to get grouped in organizational planning between technical and non-technical roles.

Tom Molden: 40:21

You want a technical person but to be in a technical role and to be an engineer of some sort, right and and to it's to become effective in a business.

Tom Molden: 40:34

If you think about, at the end of the day, why we're, why we're all here in business, which is to really make a profit, right, right, you need to develop some business acumen, right, and so so how do you develop business acumen in a technical career path? Right, that's sort of the you know the thing that I see some people doing effectively but others not, right, and or maybe it holds people back a little bit, right. And then, if you flip it around and look at it conversely or inversely, you know people that are in, let's say, non-technical roles, governance roles right, in the security space, right, you've got all sorts of different GRC-related roles that are critical, they're important, they're right. But to develop a little bit of technical acumen, you know, in terms of understanding what you're governing, yeah, and some of the challenges there, from a technology perspective I think, is you know, sort of in the same fashion you know important and useful to being more effective and more you know more, say useful to the outcomes of the company.

Chris Sienko: 41:39

Yeah, I think in general, good advice is don't just learn how to do your job, but why the job is being done, because once you learn why, you're in a better spot to say well, why are we doing it just like this?

Tom Molden: 41:51

Yeah, I think that's where I would summarize it. I would agree with you, yeah.

Chris Sienko: 41:54

Yeah, yeah, yeah, because that's when you can sort of make the big changes, is when you see the why. Then you can say, well, what if we tried this and real start, you know, starting their career? Maybe they're still students or whatever, but they would want to move towards this type of work in manufacturing security as their emphasis. Uh, where should they be looking to get experience or network or get themselves on the map? Do you have any, any thoughts on on that sort of like that first step?

Tom Molden: 42:23

Yeah, look I, I think. I think the world of industrial controls is something of a mystery to a lot of people. Most of us who have kind of I'll say kind of grown up in business some sort of IT or technical background, have been exposed to IT in some way, shape or form. Right, the world of industrial controls has been, you know, kind of somewhere over here, managed by some people over there for many, many years. Right, so, to find opportunities to educate yourself on how industrial controls work yes, right, because that's what everyone cares about right now.

Tom Molden: 43:03

Right, the bad guys are coming after it. They're going to shut off water supplies and electricity and grids and to really get an understanding of how those industrial control systems work. Right, and you can Google it and get free classes on it and stuff like this. Right, I think there's really an important kind of foundation to getting into this space, because you know for sure you cannot take it methods and just copy paste them over into the industrial controls world. Right, you have to understand that world yeah, completely, uh, yeah, all right.

Chris Sienko: 43:41

So, tom, as we wrap up today, uh, I like to ask this of all all our guests here what's the best piece of career advice you ever received, whether from a mentor or a teacher or a colleague, or just on the job?

Tom Molden: 43:56

Oh, I think I'll give you two things, you know. The first is advice that I have sort of given myself over time, or thing. You know, what I've come to realize over time is, um, not to underestimate people, uh, right. Uh, you know we hear a lot about the importance of diversity and the importance of building teams with different perspectives and backgrounds and all this stuff, right. And so you know, if you're, if you're moving on with your career and you're kind of a hard charger and trying to get somewhere in life, right, you're going to come up against people inevitably in any scenario where you're at that aren't in your wheelhouse or aren't in your same page or wavelength, whatever. It is Right.

Tom Molden: 44:41

And I think one of the things that I've learned over time is not to be so much in a rush that you're dismissive of people that don't really fit with what you're trying to do. You know there's a lot of like pause and think about how somebody can be useful before you brush past them. You know, and is really to To get to the, you know where you want to go. You're not going to get there alone for the most part, and so that you know that's sort of a career advice thing, um, in terms of sort of advice I've received, um, it's not so much sort of career advice, but more sort of tactical advice for how to be successful. This is something I receive, you know, sort of words of wisdom that I remember from earlier on in my career with our boss. He told me.

Tom Molden: 45:27

So you know, one good skill set to have is to constantly be anticipating right. I mean his words were you know what's? I'm always thinking what's next, what's coming next, what's happening next, right, so as you, as you, you know you wake up and you start your day, or as you're coming off a meeting or you're going from lunch, whatever it might be, in your everyday work, it's like what's coming next, and anticipating, being prepared for it right, is going to make you, first of all, much more effective at what you're doing. Just being mentally prepared for something before you do it, and then, secondly, you know you're going to, it's going to help you prioritize what you're doing, because you know the thing that you were thinking about doing next might actually not be the thing you should do next. Right, if you step back and think about what's coming next, right, and that may be a bit, you know, mushy and philosophical, but, to be honest, it's something that served me well throughout my career. You know, and I'm doing it constantly- yeah, yeah, that seems to be.

Chris Sienko: 46:26

you're literally at the sort of like the peak of the mountain of what's next or whatever. So I imagine that's something you've really needed to sort of focus on. So, tom, as we wrap up today we've talked a little bit about Tanium, but tell us more about Tanium and the work you do to protect manufacturing, industrial control and critical infrastructure through endpoint protection.

Tom Molden: 46:49

Yeah, I mean Tanium is a platform you know it's modern technology to help companies streamline their technology stacks right. I mean it starts with visibility and control over your endpoints at scale right, with high fidelity, and then you know from there it's how do you streamline the management and protection of your estate and how do you get rid of complexity Right. I think that you know the one thing in technology that stands in the way of most organizations goals, you know growth, profits, compliance is complexity, right. Complexity is the roadblock to all of this in technology and Tanium is a platform that helps you remove that complexity and streamline the way you manage and protect your estate right. So, everything, from you know fundamental asset management all the way up through you know the more complex part, parts of managing, of protecting your state Right From. From you know security and compliance Nice, ok.

Chris Sienko: 47:58

Love it. So yeah, one last question, and then we can say goodbye here. If our listeners want to learn more about you, Tom Molden, or learn more about Tanium, where should they look at mine?

Tom Molden: 48:09

Well, obviously, you know, taniumcom would be a good place to go. I think we have a pretty informative and useful website. I myself don't have too much of an online presence, but certainly I am in LinkedIn and I use LinkedIn, and so if anybody wants to reach out and chat to me, I'm happy to connect, and I rarely turn down an interesting conversation.

Chris Sienko: 48:34

Fabulous. Well, I know our listeners are good at providing those, so I hope you all will connect up real soon. But in the meantime, tom, thanks so much for joining me today. I really enjoyed your take on this fascinating security challenge. I appreciate it.

Tom Molden: 48:48

Yeah, it was a pleasure to be here.

Chris Sienko: 48:50

And thank you, as always, to everyone who watches, listens and writes to CyberWork with their feedback. If you have any topics you'd like us to cover or guests that you'd like to see on the show, drop them in the comments below. We will do our best to get them. So before we go, I always want to ask that you don't forget infosecinstitutecom slash free, where you can get a whole bunch of free and exclusive stuff for CyberWorks listeners. That includes our new security awareness scripted training series Work Bites. It's hilarious. It's a set of videos in which a very strange office staffed by a pirate, a zombie, an alien, a fairy princess, a vampire and others navigate their way through the age-old struggles of yore whether it's not clicking on the treasure map someone just emailed you making sure your nocturnal vampiric accounting work at the hotel is VPN secured and realizing that even if you have a face as recognizable as the office's terrifying IT guy Boneslicer, you still can't buzz you in without your key card. So go to the site, check out the trailer. I love it.

Chris Sienko: 49:43

Infosecinstitutecom slash free is still the place to go for your free cybersecurity talent development ebook. These are really useful. We've had a lot of good feedback on it. You can find in-depth training plans for 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ics professional and more. Once again, infosecinstitutecom. Slash free and, as always, the link is in the description below. One last time, thank you to Tom Molden and Tanium, and thank you for watching and listening, and until next time. This is Chris Senko signing off, saying happy learning.