The Conga Line of Cybersecurity in 2022 with Manny Rivelo

About This Episode

Forcepoint CEO Manny Rivelo joins the podcast this week to share his perspective on cybersecurity in 2022 and beyond. Did you know hacking is really a big business? Money from attacks is equivalent to the world’s third-largest economy, behind the U.S. and China. As hackers are innovating faster, businesses are struggling to keep up.

He shares insights on how the industry can help organizations get past the conga line of security tools and move at digital speed. He also shares his perspective on the criticality of putting security at the center of design thinking and making security equal to connectivity, along with thoughts on hot topics today including the metaverse and Web3.

      [01:49] Complexity Is the Enemy of Cybersecurity in 2022

      Rachael: I just want to jump into it today because we have a special guest who's never been on the podcast before surprisingly. I'm excited to welcome today, Forcepoint CEO, Manny Rivelo. 

      This is our second podcast of the new year. Manny has been in the security trenches for quite a while, and I feel like we're at a really exciting time in the industry. You have this phrase that I love and it's, "Complexity is the enemy of security." Could you tell our listeners what that means and how that looks ahead when we consider the security industry pathway?

      Manny: I do think it is the enemy of security and has been. Let me back up a little bit here because if you really think about it, what we need to do is to simplify security. We need to make it much more seamless for an organization, and integrate it in the way we communicate and access the network. It just needs to be there.

      There's no question that there's a lot of change that's going on in the industry. The industry is accelerating with the change. If you think about the last two years, not only do we have more bandwidth now than ever before. There's more data floating around and that means it gets harder to see what's good versus bad. But we have new forms of connectivity. We have, obviously, more types of devices that are connected to the network.

       

      Where Hackers Love To Live

      Manny: We're all working from home or some derivative of that. There's no slowdown going on as it pertains to all of this. So you think about all of that. You think about the workload shifting to the cloud versus being in the data center. There is a ton of change. With that change, that's where hackers love to live. Hackers are basically trying to take the open protocols that we have on the internet. Basically, look for ways of manipulating that to get an edge and get into your network and obviously steal your network data.

      It's quite fascinating, and this is a data point, Rachael, that you shared with me. I might as well give you kudos for this. Hackers are the third-largest economy in the world. Just think about that for a second. So you put the US, you put China, and you put hacking, that's how much money is being made here. This is an industry that, with all this change, with negative unemployment, it becomes impossible and really difficult for organizations to secure themselves. The data shows that.

      We spent roughly $150 billion last year trying to secure our infrastructures. If you poll CISOs and CIOs, almost 70% of them will tell you that they can't keep up with that kind of spend. On top of all that, we had 10 times the number of exfiltrations that we've had in previous years. So there is a crisis here. There's a business crisis that we're falling behind. Part of that is with all this complexity, with everything that's changing, with the fact that the hackers are making tons of money, can we simplify security?

       

      A More Seamless Cybersecurity in 2022

      Manny: Can we make it much more seamless, much more ubiquitous for everybody to operate in that? That's something that we as an organization are definitely focused on. That is something that we're going to continue to champion in the industry.

      Eric: If hackers are the third-largest economy in the world, that doesn't even include nation-state activity for espionage, sabotage, and non-monetary gain.

      Manny: The data is not completely in there yet. There's some on top of that, and there's always the unknown. This is an approximation. It's difficult to calculate that, but it is a significant problem, and it's only growing. It will continue to grow in the outer years. Who knows? It might become the second and the first at some point in time the way it's going. The fact is, we all love to be connected. We all want to protect our data. But the reality is, it's getting harder for organizations to do that because the technology is fairly complex.

      Eric: If complexity is the enemy of security, why do we keep making things more complex?

      Manny: It's the history of the way the internet has evolved. It's the history of the way technology evolves and security comes after. So think about it. People want new forms of communication. They want new forms of connectivity. As they approach that, that creates an opportunity for data to be stolen, for hackers to attack your network.

      A new protocol creates that, a new form of computing could create that. That change is what I'm referring to. So, to protect that, we got to take a fresh look at it. The industry has been putting what I refer to sometimes as the conga line of security technology.

       

      A Secure Web

      Manny: First, I got to connect to the internet, so I need a firewall, and so you put a firewall. All of a sudden it's, "Well, I got to connect to the internet because I want to browse the web". So then you go out and buy a secure web gateway. Then, "Oh, I want to access SaaS-based applications. So now I need a CASB."

      Then, "Well, how do I protect users from advanced threats? Well, then I need some ATD technology, advanced threat detection technology or I may need an RBI." Every one of those things has shown up as sometimes an appliance or a software stack, and they've been independent. They haven't been seamlessly integrated together.

      The reality of it is if you think about it, you could probably say, "Well, what is it that I want Eric to do? What is Eric allowed to do and what he's not allowed to do?" As an organization, we may decide, "Listen, we're not allowed to go to gaming sites." That's a pretty simple decision for all employees that we may want to make. Well, that could be a simple policy that gets constructed inside your system.

      No matter where you try to connect, whether you're going out through a SWG, through a CASB, or through some other connection, that policy is enforced. What we need to do is go from best of breed. Just continuing to put more technology in that conga line and begin to take that conga line. Make it into a platform that has not only unified policy, but also has context. That I know what you're doing across the various different channels of connectivity and are able to reinforce that.

       

      Where the Industry Is Moving Particularly Cybersecurity in 2022

      Manny: That's really where the industry's moving. So you're seeing more of this push toward platforms versus just best of breed technology. Look, it's not for everybody, but for the common person. If complexity is the enemy of most organizations, and it's the enemy because most people don't have a know-how on how to do this stuff, then purchasing a platform will not only give greater security, better efficacy. It will give you context around what you're doing across all those different data paths. You’ll be able to defend yourself much better than maybe try to do it yourself.

      Eric: I've been on this platform journey probably more than a decade now, 12 plus years. It doesn't feel like the industry is making progress at the same pace as the adversaries. That third economy or third-ranked economy is growing very rapidly, and that's the concerning piece.

      Manny: It is. It's sometimes not in the best interest of the industry to converge. The reality is, just like the hackers made a lot of money, so do venture capitalists, who fund these companies to solve a piece of the problem. Remember home automation 20 years ago, and how difficult that was to do? It was almost impossible to turn on your stereo, but today it's a lot easier. Today, there are technologies out there that you could just buy an appliance and put it at home. Subscribe to the web, download music, and play it in every room in your house without having to pull wires or anything like that. There's a lot of systems out there.

       

      [11:03] The Beautiful Thing About Cybersecurity in 2022

      Manny: The beautiful thing about that, whenever I would get a call from my wife, I would just say, "Go downstairs and power the rack down and bring it back up." Usually, that solves the problem. The challenge with that is it made it easier when it worked. But as soon as you had to introduce a new thing to that stack, let's say a new VHS or something at the time, you had to call them to come in and program everything for you.

      This is a similar state with security. As soon as the new thing gets introduced, "Oh, God! We want to use Workday. Okay. We'll go into the cloud." Well, we got to protect that personal user data. Now, I got to buy a CASB, potentially, and put a CASB in my stack. That should be seamless and fairly simple.

      That should be, "I got a new channel that I'm communicating on. I want to protect that channel. What's the policy you want to apply?" I don't want any PI information being downloaded or something as simple as that. Click a button and you should be able to now manage all your users. Whether in the office, whether in their home, whether they're accessing their corporate provider computer, whether they're bringing their personal device.

      Policy should be implemented to protect that data. What's going on in the real world is we continue to find new ways of being more innovative. This concept of digital transformation we all talk about is really what's driving the industry. That means companies have to move with speed.

       

      Wall Street Will Be All Over Us

      Manny: The lines of businesses are going to the CIOs saying, "You can't let that security thing slow me down because you'll miss your number. Wall Street will be all over us." So it's pushing the industry forward and security's an afterthought because it's become hard to implement.

      Eric: So follow up then. What has to happen in the industry to make that a reality? As opposed to this mess, this tangled web we have today where we are still instead of just logging onto a website and updating the television you bought or downloading the remote codes so it just works in your house? What has to happen in the industry in order for us to adapt to the velocity and the change that's required to simplify things, or else, we just keep getting more and more complex?

      Manny: Most, not various vendors, ourselves included, are looking at the shift to much more of a platform. We'd have to have point technologies and customers get to choose whether they want a point technology or they want a platform. Don't get me wrong. There are people that can buy and integrate those point technologies because they have either the means to do that, meaning the talent. They're willing to pay for that talent that's at their organization.

      If you want a better home automation system, that unit that you have in your house is a better unit. It just requires more expertise to configure and set up than to buy a simple thing off the web. However, at the end of the day, I'm not sure your music sounds any bit different. Led Zeppelin sounds the same on your system as Rachael's system that she got off the internet.

       

      You’re Seeing the Industry Move

      Manny: The reality is, you're seeing the industry move to the platforms. This concept of a platform could definitely have four key elements. First, it's got to be simple to deploy. There's no question about that. It's got to have a worldwide scale, it has to scale out no different than the web does today. It just scales out, high availability, and you can protect your services anywhere in the world.

      Think about a ubiquitous platform that just scales out. It’s no different than a cloud provider scales out their infrastructure. The second thing is you're going to be accessing, you want unified policy and I'm talking about security policy. A simple example is you're not allowed to go to gaming sites. I don't want anybody in this company going to gaming sites or pornography sites or whatever it may be. There's going to be policies that you have as a business.

      But guess what? You're going to communicate over lots of different channels. When you communicate, you're going to the web. Meaning, browse the web and do certain things on the web or you may go through the cloud because you're doing SaaS-based applications. You have to protect your email channels. There's a lot of different channels that we communicate with, every single day.

      You have to be able to take all those channels and create a set of policies across all those channels, period. There should be one set of policies across all those channels of what you allow and don't allow people to do. For example, maybe we allow you to go to a gaming site, but we want to flag it. We want to basically let you know that this is not something that corporate sanctions.

       

      Remote Browser Isolation

      Manny: What we'll do is put a remote browser in front of you, a remote browser isolation so you cannot corrupt that endpoint potentially and put a virus on it. So the second thing you have to do is a way of distributing policy across all the data channels.

      The third thing is what's your data protection policy. Remember, if there was nothing of value, there probably wouldn't be any hackers. They're trying to do something to steal your information or to block you from doing business because there's value in blocking you from doing business. Ransomware is a good example. So what is my data protection policy? What am I going to allow? Where am I going to allow my data to go or not go?

      For example, I may allow a sensitive file to go to my personal USB drive, but I want that file to be encrypted. Only that file when it's back on that computer that was a corporate-provided computer can it come off that USB drive. If I take it home, I can't put it on a random computer, right? So what is my data protection policy? Where do I allow data to go or not go?

      Then the fourth element is this concept of what we like to call risk adaptive protection. If I understand the context of what you're trying to do, what if I go to Workday and I download the personal information for all the employees, and then I open up a file on my computer and I call it Manny's greatest hits, and I put that file in there. Then I go to Salesforce and start downloading customer records and put them in there.

       

      Restrict and Enforce

      Manny: I name these files and call one Led Zeppelin, the other Aerosmith or whatever I want to name these files inside that. My device should understand that this is not normal behavior and begin to apply some level of context around that. What if I try to open up a connection to Box and try to drop that file in Box, what could happen? Should I be blocked or nothing? By understanding a user, having control over all those data paths and having data policy sit on top of that, I can begin to restrict and enforce what is permissible and what is not permissible.

      This concept of risk adaptive, of having context around and providing distributed visibility is something that was all provided for you so that you didn't even know this was happening. That's what seamlessly has to happen. That is where you're seeing this concept. You’re taking all these technologies, all these three, four-letter acronyms and blending them together. Creating a simple user interface that you could deploy the technology to begin to create a more secure and a simplified environment for your users.

      Eric: Most IT industries have a couple of leaders, one or two. In the database world, it's probably Oracle and Microsoft. On the computer, I should probably go with Dell and HP, maybe Lenovo as a third. Mobile OS, you've got Android and iOS. Do you think we'll ever get down to one or two leaders in the security space as we converge on that platform-type approach? Or is it just too decentralized and there's too much money? Right now, we've got over 4,000 or 5,000 cybersecurity companies out there trying to make a living.

       

      [20:14] Best of Breed Cybersecurity in 2022

      Manny: For every one of these technologies that we could refer to, there's probably a dozen companies if not more that are competing. There’s probably a couple of dozen that didn't make it because they just never captured any market share. Organizations are going from buying best of breed to buying best of platform, and maybe someday they'll get to a unified platform. What does that mean? That means that if I'm going to be protecting my cloud traffic, my web traffic or something, maybe I buy a platform that's really good at doing that versus buying technologies that are integrated.

      So you're starting to see them consolidate. The reality is, look, most enterprises have 50 to 100 vendors in there doing some form of security for them. It's just a full-time mission to stay current with their roadmaps. What's going on and how to best apply security policy around that? It is a daunting task. It’s very difficult for most organizations. You think about it. If you're Google or Microsoft or you're one of those organizations, let's say GE or Walmart, can you afford to do that on your own? You probably can because you have the means, you have the staff.

      Eric: Should you?

      Manny: It's a cost. But if you're the average organization out there with a couple of thousand employees, can you sacrifice tens or dozens of employees to get around all this technology? That's when it becomes difficult. You need a much better integrated solution because all I want to do is listen to good music. I want a secure environment. And I don't need to become an expert on how to create home automation.

       

      Good Fidelity Quality Music

      Manny: I just want to be listening to good fidelity quality music most of the time and feel that my front door is not open. It's harder for organizations to come at you because a hacker doesn't want to work too hard. They're going to go where there's least resistance, and that's the reality. That's why the industry continues to gravitate there. But it will take a while because these assets are deeply entrenched in our systems and the way we motor run. There's a risk associated with it when you've got to change them.

      Eric: No, that's the issue. I've been working on this too long. I'm tired of waiting for the industry to fix itself and get to where I want it to go.

      Manny: It's getting much better. I'm very impressed with some of the work we've been doing as a company ourselves. We're hearing it from our customers in the way we're trying to deliver these solutions. The other point that I didn't cover here is that things are getting faster.

      Eric: Well, that's the problem.

      Manny: Yes, but so are the answers. So if you get to these more cloud-enabled, software-driven platforms, the security solutions also come faster. I don't need to send you an appliance that you put in every one of your corporate offices. Or something that goes to every user in their home these days to protect your environment.

      I could do that by simply providing a software patch, a software fix in a cloud environment and do it in a very agile-developed fashion. The answers are also coming faster. But it does require organizations to take a fresh look at what their security posture is going to be.

       

      How Are We Going To Transform Our Cybersecurity in 2022

      Manny: You have to understand all the changes that your business requires. At the top is, "All right. We are going to digitally transform our business and then, how are we going to digitally transform our business? That means I'm going to be using some technology." Some companies are like, "Cloud first". You hear, "We're a cloud first," or somebody is going to say, "We're never going to use another piece of software inside our environment. Everything's going to be SaaS-driven."

      All those things are changed inside your organization. All those things bring vulnerabilities. How do you protect them and stop addressing them as a conga line of fixes? It's just a patchwork of fixes versus I get a platform that solves all of this for me and gets me ahead.

      When the CEO or the CIO says, "Cloud first," then I'll have an answer for them. That's the transformation that most companies will be going through in the next decade. I'm so sad to say that this is probably going to be around for a while. But the reality of it is, there's some good answers today that you could start applying.

      Eric: I know from an industry perspective, we are making progress. If I look back a decade or two, it's a very different situation.

      Rachael: I'm a big fan of taking a step back and assess how we can work smarter and be better at security. As we all know, if you start at the beginning with that mindset, like when we talked to Noam last week, it makes a huge difference down the line versus trying to bolt it on later. Do you see that changing, Manny?

       

      It’s Too Hard To Do Cybersecurity in 2022

      Rachael: Is it just because it's too hard to do security at the beginning that they're not doing it? It seems like an obvious path forward of what could be very successful.

      Manny: It's just hard because there's not enough budget out there and there's not enough time. So it's difficult for organizations. What they're trying to do is usually patch something or secure something. Decisions have already been made and users are using it and/or they got breached. The board is telling them to fix something out there. We, as an industry, need to help organizations think about how they re-architect their security infrastructure.

      It starts out with making security equal to the network connectivity that you're going to be providing for your users, for your data, for your applications. If you're going to say, "Okay. My users are allowed to use all these things. Therefore, I'm going to need all this type of new connectivity and all these new protocols and the use of the cloud." Maybe it's a BYOD mentality.

      Once you decide what that looks like, treat security as an equal around that. Look at a security architecture that dovetails itself with that networking architecture that you're going to need, and that has not been done. Usually, what ends up happening is a decision gets made. It's usually application-driven, then there's a connectivity decision that gets made to get those users to that application. Third, security comes in on that. It's got to really be thought about upfront or forever. That's part of why we sometimes talk to our customers about data first, and then we talk about data-first SASE concept.

       

      [27:15] The Hackers Are Coming

      Manny: We're trying to tell people to remember what you are. The hackers are coming after your sensitive data. Not only can that create for you a lot of risk, but a lot of reputational damage when it gets out there. Think about how you're going to protect that from day one, not after you gave everybody connectivity to it.

      Eric: I'd like to see, "We want to bring this new capability online. How do we do it securely?" That should be the question. What do we want to do? We want to bring this online. Great. How do we bring this online securely and have it built in from the beginning, conceptually? We saw with COVID, everybody worked from home and they just tried to get things going.

      I would argue in many cases, customers still haven't applied security to the new, more relaxed connectivity capability because they had a mission. They had to do something to get their workers productive and working. Let's go back and fix that, but as we bring new capabilities online, it should be how do we do it securely?

      Manny: COVID was a great example. The immediate need, and the industry saw it, was to get users connected from home. Many users came from home via VPNs, that's how they were connecting to their applications. The security was being provided inside the data center and/or they had to get through their own data center apps. And/or if they had to surf the web, they still went through their data center back out.

      If you think about that, hundreds of millions of dollars were spent almost two years ago buying more VPN concentrators, buying more connectivity to get users to connect back to corporate.

       

      Securing the End Managed Devices

      Eric: Only to secure the pipes. It did nothing for securing and managing devices, the endpoint or anything else or the data.

      Manny: Exactly, it was all about, "Can I get my employees to be productive? They need to get their applications because they can't come into the office." Let me be honest. VPN is like one of the worst technologies because you're actually stretching your corporate resources to an individual's remote location. You don't even know where.

      Eric: Outside your security boundaries.

      Manny: It could be their house. It could be at a WiFi at a Starbucks, where they could be providing that WiFi connection and spoofing it.

      So VPN is an extension of your corporate assets where you spend all this money. You have buildings, you put cameras, firewalls, and you put everything in there. All of a sudden, you put a hole inside that perimeter, and you drag it to everybody's house. By the way, you dragged it to everybody's home or wherever they work from. Once you're on the network, you're on the network. It means you can go anywhere on that network quite often. 

      So it's the horrible connectivity versus if you look at the concept of zero trust, which is the difference between implicit versus explicit trust. The zero trust model says, "I'm allowed to work remotely. But when I'm granted access, I'm only granted access to that one application or those two applications. I don't get access to the network. So I may need to get onto the corporate network, but I only get access. I am restricted to going nowhere but one or two applications."

       

      A Different View of Cybersecurity in 2022

      Manny: It's a very different view of security. I'm not saying that when Rachael's working from home, she's maliciously going to do something. But how do I know that she doesn't have something on her computer that is acting maliciously? In a VPN world, there’s free access to the whole enterprise. Move around wildly until you find somewhere to stick and jump off her computer to something else.

      In a zero trust world, only two applications will that hacker be able to go to when they connect to the corporate resources. That's all we grant them in a zero trust environment. These technologies are out there, but they're taking a while.

      When change happens like COVID, it is a significant change. Nobody said, "We need to have zero trust." There was no time to think of zero trust. Can I buy another VPN concentrator? I know a lot of folks in the industry and I've checked with them what would be now almost two years ago. VPN concentrators did very well for a quarter or two. Now, nobody wants them again.

      Eric: The industry did well. I equate the VPN to a highway with no seat belts, no airbags, no speed limits. You're just flying naked down the road as fast as possible. We just gave you a road to do whatever you want, with zero trust, they're checking you. Are you wearing a seat belt? Do you have airbags? Are you obeying the speed limit and are you really who you are? That's what we're seeing more of these days.

      Manny: Even in the VPN world, that's it, you're done. You're connected. Anything else has to be augmented on top if you want to provide a script.

       

      Entrance To the Highway

      Eric: Yes, you get on that highway and we give you entrance to the highway. You can do whatever you want.

      Manny: The user experience is even worse because you've got to hairpin all your traffic back to that corporate location, wherever that VPN gateway is. That means you're going back to your corporate environment. You’re probably punching back out of that corporate environment to go to the web because you got to go to Salesforce. You got to do something else to get the security profile.

      In a zero trust model, you avoid a lot of that. It's a much more direct connection, so it's secure. The list goes on and on of the benefits, but it's going to take time to get there. There are thousands of VPN concentrators, millions of them all over the world. That technology is going to take a while for people to get off and to get into the next evolution that makes it much more secure. Zero trust network access is an example of various technologies that are out there.

      Eric: We beat the hell out of the VPN companies of which we're one, by the way. Where do we go from here?

      Rachael: I read an article this morning and I'm astounded how attackers are so successful using old school tactics. The group name was FIN7 or something. They impersonated the health and human services and sent people USBs that they would put in their computer then it delivered the ransomware. It just blows my mind that in this day and age, that could still be successful. "Oh, we got a USB in the mail. I can't wait to plug it in my computer and see what's on it." It's so successful.

       

      These Attacks Are Not Sophisticated

      Eric: The old USB in the parking lot trick, a free USB stick. I was going to quote Forrest Gump, but I'll hold back.

      Manny: Some of these attacks are not sophisticated. Whether it be phishing attacks, you get an email, "Click on the URL," you click on them. Now, you're seeing them on your mobile devices. You get a text, I got one this morning. It was interesting because it’s about, "If you do this every morning, you'll lose 10 pounds. Click on this link." I'm like, "Maybe I would like to do it every morning, but I'm not going to click on that link."

      Eric: I keep getting one from AT&T, but I hate AT&T so it's totally flawed from the outset.

      Manny: There's so much data that the hackers have access to. They can socially engineer a connection that's one or two degrees away from the individual. That sounds pretty legit. They get people. Unfortunately, we're vulnerable. We want to assume everybody's good, but there are some bad ones out there.

      Rachael: When the barrier to entry for attackers is that easy, it's astounding. How do you keep up from a security perspective? Then you have these other things coming up online like the metaverse. There'd be so much information available on people that we could see social engineering attacks really ramp up in the years ahead.

      Manny: Metaverse is an interesting concept. There's no question about it, but it's probably a little bit of still the Matrix thinking, the metaverse. It’s a good example to equate it to the Matrix. If you really think about the whole principle of the metaverse, it's how we create this new world.

       

      [36:47] A Visual Augmented Cybersecurity in 2022

      Manny: By the way, we are participating in some of that degree today. There are lots of different environments that you go in and you interact either through a visual or augmented reality. You have this concept of a world inside of it. But the metaverse is really one step beyond that in the sense that you are connecting everything together.

      You might have seen there's some good videos out there on the metaverse. Now, you can find them on the web. There's one that I like, which is somebody's flipping through one of their social sites. I can't remember if it was Instagram. They actually see one of their friends posting about how they were going that evening to a concert. You could click on that and you're transported to the concert through your visual device. You're next to your friend who accepts you. You could actually make eye contact and talk to them and do all that.

      Eric: It's a virtual reality world and then a concert?

      Manny: It's a virtual reality augmentation to a real world all coming together. The concept is almost like the Matrix where you're transported into a world. In that world, you have access to everything that you have, including the physical world. Everything is connected.

      Obviously, there's a lot of intelligence that comes in that world. We're a long way away from that. There's no question about that.

      When we get there, I'm sure there'll be few security challenges. It'll be interesting, but we are not participating in it. I don't. I'm not a gamer, but every teen out there, anybody who has a teen. Specifically, the teen boys will know that they live in those Xboxes or watching those glasses that they put on, the Oculus or whatever.

       

      Virtual Reality Worlds

      Eric: Yes, the VR headsets.

      Manny: They're living in that and that's all driving us in that direction. There are worlds also, whether the World of Warcraft or other virtual reality worlds that people are beginning to participate in. So it's going to be interesting. You're seeing a lot of talk these days, but it's still early.

      Eric: Almost like Second Life. That's two decades ago.

      Manny: It's Second Life brought to a much more real reality, where you may be living in worlds of holograms also. You're in augmented reality, and it's your room for a change. That's the concept that we're trying to get to, which will be quite interesting. We got a long window, but who would've said 20 years ago we'd be where we are today?

      Eric: Early in life, I used to contemplate if I was just out of my mind crazy, but I was happy. Would that be a good life or is it better dealing with real life like I have now? I don't think we have the answer to that question. Going back to your Matrix analogy, I'm going to take a blue pill on this one for a little while. I'll just remain ignorant right now or I'll sit back. I'd rather not know.

      Rachael: I could pay a lot of money to dress my avatar and to kit myself out with a bling.

      Eric: My kid does it for games. Hundreds of dollars of babysitting, dog watching, lawn mowing money, he'll drop on avatar themes.

      Manny: Sometimes, they buy a new gun or a new wardrobe or something that unlocks something. By the way, it's creative marketing because they're getting kids to pay, meaning getting parents to pay.

       

      Web3 and Cybersecurity in 2022

      Manny: Most kids don't pay. Sometimes it's all connected. You can't walk out of a store without walking through a bank of credit cards that are prepaid cards. Then you can buy them and get to your kids only so they could buy avatar clothing. That's the hell of the world.

      Rachael: My favorite topic right now is Web3. I'm still really interested in it because there's no middle ground from what I'm seeing in the articles. You think it's the best next thing or it's over hyped, depending on who you talk to. It's rare that you see something that has such strong opinions one way or the other versus a middle of the road approach. I'm always wondering why.

      Manny: We're heading down a web 3.0 world. The 1.0 world was the early world where it was very simplistic. A content provider puts content on the web and a user goes and usually downloads read-only content. That's basically what it was, and that was the early creation of the web in the '90s. Then over the last 20 or so years, you started to see the web 2.0 develop. More content can be published by many folks, and not only is it read, it's read, write.

      So we interact with the web and we can read, write. Sometimes it's as simple as liking a post or putting a post or something of that nature. The concept of web 3.0 goes one step further. It's, "Can I distribute the content?" Does the content need to be owned by a publisher of the content? That's an interesting value proposition because the content can then live anywhere and be anywhere.

       

      The Decentralization of Cybersecurity in 2022

      Manny: That creates a lot of value, but it goes beyond that because it's not just the decentralization of all of this content. There are some basic principles in web 3.0 that are also interlinked with the metaverse a little bit. One is this concept of the semantic web, which means that not only can the data be everywhere, but the data can be processed by machines.

      That means you could have machines working for you, very intelligent machines with artificial intelligence, which could be figuring out everything for you. You could just speak something and let it figure it out, and it comes back with answers for you. We see some examples of that. You could talk to Siri, you could talk to Alexa. It's still not as diverse because all that content is not connected. But AI is playing a role in allowing a machine to go talk to other machines to give you back a response. That could even go further as we move.

      The third element is graphics, this virtual reality, 3D graphics, which you brought up as a great example. Second Life is a good example of that. That is a big part of some of the properties of web 3.0. Then the last is this concept of ubiquitous access. You can access this anywhere at any time at any place. You see some of it in the movies, people walking through a room and turning the lights on. Well, we can do that today with some of the home automation technology, but you can ask it for content. It could connect you to somewhere else and figure out an answer for you.

       

      A Larger Scale

      Manny: The concept of, can we distribute this content, allow more people to publish the content, and allow more people to own that content is an interesting premise. It's just more scale. That's all it is. It's a larger scale, but it goes beyond that. AI, semantic web, 3D or virtual reality are all going to play a role in this. It reminds me of Star Trek. Remember when he used to go into the holograph and he was in the little world? We’d stream behind him. He's out in space. This thing is what we're referring to.

      When you talk about the metaverse or web 3.0, it's how do we get access to that in a much more powerful way. I know it sounds that it can't be done, but it can be done, but you are right. There's some people that think the web 3.0 is going to be a disaster, and it does come with some challenges because it means the industry needs to continue to transition as it moves forward with that. Some of the devices that we have today won't be able to participate. They're not capable of participating in a web 3.0 world.

      Look, this will develop. Who would've thought that the web would become the web 3.0? We're probably in a 2.5 world today versus the three world. We have some of the things that I referred to, available. Or we see smatterings of those things as we begin to do our daily lives and they do make our lives better. Some of this stuff does make our life better. It’s what drives it forward, why the change occurs, and then the crunch to this, can we secure it?

       

      [45:46] Can We Secure Cybersecurity in 2022

      Manny: Can we secure it so that we have all of this freedom that we want all of this great productivity and capabilities to communicate in a secure way?

      Eric: The good news from my perspective, data should be similar to currency in blockchain. It seems like we're able to distribute it securely. There's enough redundancy in there that it works. So the data should be protected if it follows that path. The concern I would have, though, is that companies like Chainalysis are able to follow the blockchain. They understand current currency transactions.

      Will marketers come online who are now following your data and understanding the data patterns and leveraging that or monetizing that against you? If you're a private company, for instance, and your data is no longer stored just inside your data centers or with your CSPs, your cloud service providers, will marketers be able to market that? Will competitors be able to track that and gain some advantage?

      Manny: There will be things that they can do today. Have you done a search lately and gone on any website? Then you went to a social site and found out how much they're marketing to you? The amount of data sharing today is unbelievably off the charts. I try to stay off the web. At least, stay off of some of those things as much as possible. I don't think that'll change, unless regulation forces it to change.

      That's a large minefield that has to be explored at some point in time. The good news is, because blockchain is a big part of web 3.0, there will be stronger governance around that data. You can see the data, transact the data, or do anything with the data, but there will be a chain.

       

      Protecting Data in a Meaningful Way

      Manny: That will have confirmation of some kind, of what something. If it's a financial transaction, it'll have confirmation of the financial transaction or something like that. It could have some marketing data. It’s certain that, hopefully, they are value-added with the appropriate regulation to allow us to function while the data is protected in a meaningful way.

      Eric: I've got to take a few minutes to wrap my head around there. I could have the next COVID vaccine, a piece of that data sitting on my computer at home in a decentralized fashion one day. That's just bizarre to me.

      Manny: You have to make sure that it's equally protected. The concepts that we began, the podcast around users needing access to information, it does distribute that further. Now, the information's in multiple places and there's machines talking to machines and not just users. There’s a lot of new things, new technology that makes it much more productive.

      But there’s the concept of being able to intercept or get in the path of those transactions because it might not be one, it might be many. Make sure that that is secure and at least logged. Maybe you just want to say, "Okay. This is what happened." But you want to make sure, hopefully, it's secure on top of that. That doesn't change where we're going.

      To some degree, you could argue where security is going. If the information's going to be everywhere, users are going to be everywhere. The data is already everywhere. Is security better served out on the internet than in the ivory towers that we've all built? For the time being it's probably both.

       

      The Principles of Metaverse and Cybersecurity in 2022

      Manny: You need to have your on-prem technologies that are appropriate. Begin to really think about, "Where are all my users and where's all my data? How do I get in front of them in a much more elegant manner?" Which means maybe in the cloud around that, and then maybe over time as we get to these principles of the metaverse and the 3.0 and all of that. The on-prem technology may no longer be as relevant, probably won't be as relevant. Your on-prem is just another point where there might be some data or might not. You really got to think about, "No, my data's everywhere."

      Truly, your data today is everywhere. If you think about your corporate policies, you have a Microsoft account, guess what? Not only is your data on your computer, but it's probably on OneDrive sitting out in the cloud. Who knows who gave access to that and where they moved that data? So it becomes a bigger challenge to solve, but there are answers today. That's the good news. I encourage all the listeners here to think with an open mind.

      Go in, talk to the industry. If you could describe where your business is going, then most of the industry could help you with answers. Moving through more holistic platforms that enable you to protect these new data paths that are out there. 

      Eric: That covers everything.

      Manny: One thing is for the new generation who's growing up in that environment, they may have a leg up on us.

       

      Living In a World That’s Not a Real World

      Manny: I don't know if I could ever wear virtual reality glasses and live in a world that's not a real world. But the next generation seems to be adapting through that well.

      I'll give you a story. My stepson contracted COVID, the new variant that just occurred. It’s going through the world and getting most people. Obviously, he got quarantined in his room, and we brought food to him every day. Everything was fine. He came out of it six, seven days later, tested negative. I sat with him and I asked him, "How was it?" He goes, "It was great." I'm like, "What do you mean it was great?"

      He said, "I sat in my room playing mostly Xbox," and he played a couple of different games on the Xbox. "I was hanging out with all my friends," because they live in this world, playing the game, talking to each other. That's their own little metaverse, version 0.1 that they live in. As far as he knew, every two, three, four times a day somebody knocked on the door. There was food there and he went and got it, then he put it back out there at the end of the day. Seven days later, he had to really function in the real world with family, come out, have dinner, and do things of that nature. I had to knock him as well.

      Eric: Which is disappointing to him.

      Manny: The world that he was in was a way better world. So with COVID and all, he was a happier kid. I don't know. The next few years, we'll see how they go.

      Eric: How old is he?

      Manny: He's 15.

       

      Online Friends

      Eric: I have a 14-and-a-half-year-old son and I would say the same thing. He would be perfectly content to play with his online friends, both nationally and internationally all day every day. He’ll never have to engage in life other than bathroom and food and beverage.

      Manny: For those of us that think that reality isn't real, look at your kids or look at your friend's kids. It's coming and it's coming at a very fast pace to all of us. There's value in it, different value for different people, but we'll see. You should check out their screen time. Their screen time is another very telling story, so much time in the basement, but it's okay. Humans will evolve.

      Rachael: Thanks everyone for joining us this week. That's our episode. I can't stop laughing. As always, smash that subscription button. You get a fresh episode in your inbox every single Tuesday. So until next time, stay safe.

       

      About Our Guest

      Forcepoint CEO Manny Rivelo

      Manny Rivelo is the Chief Executive Officer (CEO) at Forcepoint. As Forcepoint CEO, Rivelo drives the company’s strategy to accelerate enterprise and government agency adoption of a modern approach to security that embraces the emerging Secure Access Service Edge (SASE) architecture. According to Gartner, more than 40 percent of enterprises will embrace SASE by 2024.

      Rivelo brings to Forcepoint more than 30 years of experience across executive leadership, product management, customer support and sales functions with some of the world’s leading security and information technology companies. Rivelo joined Forcepoint from global investment firm Francisco Partners Consulting where he served as Senior Operating Partner. Prior to Francisco Partners, he was Chief Customer Officer at Arista Networks, where he was responsible for the company’s global sales and field marketing functions. Previously he also served as President & CEO of AppViewX, a low-code infrastructure automation provider.

      Additional senior leadership roles included F5 Networks where he served as President and CEO as well as Executive Vice President, Security, Service Provider and Strategic Solutions responsible for launching and driving new market adjacencies in Security and Service Providers, Product Management, Marketing, and Business / Corporate Development. Prior to F5 Networks, Rivelo held various senior leadership roles at Cisco Systems including Senior Vice President of the Engineering and Operations group. While at Cisco, he oversaw roles in sales and multiple businesses, drove technical solution requirements for Cisco customers of all sizes and was responsible for operational excellence, standardization around processes and tools as well as enabling new business models.

      Rivelo is currently a Director at Sandvine, Outdoorsy, WootCloud, Valtix and Fashwire. He holds bachelor’s and master’s degrees in Electrical Engineering from the Stevens Institute of Technology.