Aviva Zacks of Safety Detective had the opportunity to ask Ionic’s CISO Steve Pugh about his background in security and his company’s focus. As a forward-thinking chief information security officer for Ionic Security, Steve Pugh has taken the lead in deploying a data-centric security model across Ionic. His passion for technology and creating a secure, trusted environment inspired him to join the company in 2015. Steve’s pursuit of Zero Trust architectures mirrors Ionic’s mission and results in consistent controls, visibility, and protection. Prior to joining Ionic Security as its first CISO, Steve spent 12 years in the Air Force as a Cyber Warfare Officer and held multiple positions to include Detachment Commander and DOD developer/operator. Steve served as the former CISO for the White House Military Office and is a published author and noted speaker on the topics of cybersecurity and technology.
Safety Detective: How did you get into cybersecurity?
Steve Pugh: I first got into cybersecurity during my junior year of undergraduate school. Up until that point, I’d mainly been focused on Computer Science, programming, and a little electrical engineering. But the summer of my junior year, I was selected to participate in a Syracuse University program called the “Advanced Course in Engineering – Cyber Security.” It was a ten-week, masters-level, intensive cybersecurity program. The university partnered with the Air Force Research Labs in Rome, NY, to provide internships on top of the academics that were involved. It was a great program; I specialized in Wired Network Defense during my time and learned so much about the world of cybersecurity. This was in the early 2000s when cybersecurity wasn’t really a topic of popular conversation. I remember finishing my degree and writing my thesis on Steganography and my professors had no idea what I was talking about but thought it was really cool.
Fast forward a bit, I commissioned in the US Air Force and continued my cybersecurity path, continuing to learn and hone my craft. I’ve been doing cybersecurity for a long time and absolutely love the challenge, fast-paced environment, and dynamic aspects of the domain. Throughout the early days, pursuing cybersecurity was challenging because there was not a lot of institutional support. I mainly pursued this in my off time and spent my own money to get better. I had several mentors suggest my career would be over if I pursued cybersecurity in earnest.
Things have changed dramatically, in a good way. Since my time at Syracuse University, I have been fortunate enough to have spent some time at the National Security Agency, US Cyber Command, and the White House Military Office: all fascinating jobs. I am currently the CISO at Ionic Security and love the people and mission of this organization.
SD: What are some industries that use Ionic’s technology and why?
SP: Ionic began by working with some of the largest and most highly-regulated organizations to solve the problem of data protection at scale. We’ve seen an incredible adoption rate in financial services and healthcare. Defense and national security organizations have been very successful, due to their focus on Zero Trust security strategies. We’ve also experienced an uptick from companies grappling with data protection regulations like GDPR or CCPA.
Although we are a security company, ultimately, our customers use MachinaTM to accelerate innovation within their firms. Machina systematically enables scalable, sustainable, and consistent data protection, wherever they are in their journey to the cloud. When an organization can simplify and automate very complex data handling rules, they gain an efficiency of scale that gives them a leading edge.
More precisely, Machina is a policy decision engine capable of enforcing granular attribute-based access controls across a diverse environment of applications, resources, identities, and workloads. Our customers transform hundreds of pages of written policy into code so that the application of those policies on data objects is automatic. Because we’ve packaged up these powerful capabilities into a set of easy-to-use tools, developers can drop in the Machina SDK or connect to one of our APIs instead of hard-coding security features like access controls or encryption. This abstracts out the business logic into another layer, shifting solid, consistent security early into the SDLC.
When a new threat, a new risk, or a new regulation comes out, our customers make one policy change through Machina that programmatically affects data handling across their enterprise; they don’t have to recode their entire portfolio. Machina is the easy button for dealing with complicated, ever-changing data handling policies and obligations. Ultimately, if an entity has data they want to protect, there is no better choice than Ionic.
SD: How can Ionic protect consumers from threats using Machina?
SP: With a data protection policy decision engine that grants access in real-time, organizations can worry less about the infrastructure hosting their data. Machina has decoupled infrastructure protection from data protection, mitigating a threat that our regulated customers face by providing a third-party guarantee into their risk framework. It’s a different model, a different way of approaching security, but once you understand it, is hugely powerful.
The best analogy I can think of is the rapid growth of identity and access management technology. It used to be that every application and resource had its own authentication method. Then identity vendors abstracted out the authentication logic into another more consistent and secure layer, which reduced risks and introduced efficiencies of scale. Essentially, we’re doing the same thing for policy governing access to data.
Security and privacy differentiate companies in today’s marketplace. When companies take the security and privacy of consumer data seriously, those consumers benefit. Consumers are also more likely to reward companies with repeat or ongoing business if those organizations can demonstrate they are good stewards of the data that has been entrusted to them.
SD: What is the number one threat in cybersecurity today?
SP: The number one threat in cybersecurity today is data theft.
If you look across all the major breaches in just the last five years, they mostly involve data being stolen…the so-called mass data breaches. It could be intellectual property theft like product designs or TV shows and movies or identity theft of personal data.
This threat has been exacerbated by organizations moving to the cloud. They either aren’t properly securing their cloud or haven’t recognized the seams between environments. Inconsistencies between and across environments introduce additional security considerations.
SD: How will the cyberthreat landscape change in the next 5 years?
SP: I think the biggest shift in the cyberthreat landscape will be more overt, aggressive actions taken by nation-states working to further their own agendas globally. Data theft and manipulation will continue to be the primary motivation because of the value of the content, but the threat goes beyond identity theft and financial gain. It’s critical to realize that the value doesn’t have to be monetary. One example is how interference in elections undermines the public’s confidence in fair elections.
The public awareness of these campaigns has increased in recent years, thanks to the exceptional reporting by commercial threat intelligence companies. I think the increased activity will continue to trend both due to the low cost and the potential to stay below the threshold of an act of war.