Episode 12

Strategize a Secure Foundation with Lonye Ford

October 20th, 2021

28 mins 28 secs

About this Episode

When it comes to industry and government technology, who is the glue that holds it all together? Lonye Ford joins Carolyn and Mark to give her insight on roles and responsibilities within the cybersecurity field. From Lonye's time at the U.S. Air Force help desk, to her current role of CEO at Arlo Solutions, she offers a unique perspective on the cybersecurity career path. #CybersecurityAwarenessMonth

Episode Table of Contents

  • [01:02] The Ever-Evolving Landscape of a Secure Foundation
  • [09:20] Understanding the Importance of a Secure Foundation
  • [16:37] The Secure Foundation of the People
  • [26:28] A Secure Foundation Is Void of Decision Fatigue


The Ever-Evolving Landscape of a Secure Foundation

Carolyn: Today, we have Lonye Ford, CEO of Arlo Solutions. Lonye served for over 10 years in the U.S. Air Force and was named one of the top 50 in tech visionary at Intercom 2021.

Since it's cybersecurity awareness month, we're super excited to talk to Lonye about her 20-year career in the cybersecurity field, her experience on both the government and industry teams, and insights on the ever-evolving landscape of government cybersecurity.

Lonye: Thank you Carolyn, for having me. Hi, Mark. When I heard the intro, I think I'm going to ask next time to move out with that 20-year experience. Makes me sound super old.

Carolyn: You caught Mark and I discussing your age because we looked you up on LinkedIn, we're like, there's no way she's been doing this for 20 years.

Lonye: I appreciate being invited, so thank you, I'm looking forward to this conversation.

Carolyn: It's October. We have the best holiday of the year, which is Halloween, but also, super important, cybersecurity awareness month. We'd like to start out with you talking about your cybersecurity career journey. Why do you think it's such an important component of our lives?

Lonye: Halloween is actually my favorite holiday as well. I have two little ones and so I get all into Halloween.

Carolyn: What's your costume this year?

Lonye: We're going to be the Space Jam family and I'm going to be Lola Bunny.

Carolyn: We got Alice in Wonderland theme going on at my house, I will be the Cheshire cat.

A Proud Veteran

Lonye: COVID messed Halloween up for me because, we get into it, as far as in our house and a holiday party. We open our bottom floor, so whenever the kids come through, we do a scary, little, haunted house and give. They'll have to come in and have scary movies playing. I missed that, I can't wait till we can open back up that way.

My journey started in the Air Force, I am a very proud Air Force veteran. When I started at the Air Force, I started at the help desk. I like to tell people I started from the bottom, literally. No offense to help desk technicians, but working on a help desk gave me an amazing place to start. You get experience, visibility just across the gamut.

I’m a service type of person, I like to service people. I am a person that really likes to help in every capacity, so I love the help desk when others hated it. Started at the help desk, then I did more network admin stuff, sys admin, and network admin. I've been a cable dog, I've pulled cable through buildings. Then I went on to work for the program offices within the Air Force, doing things still in cybersecurity.

I like to be very specific in what part of cyber I'm in, because cyber is such a huge domain. My focus is more on assessment and authorization of systems, so we started at a system called DITSCAP. It's the way that they used to do it back in the day, and then it matured into a program called DIACAP. Now you hear people talk about RMF, Risk Management Framework, so that's what we're doing now.

A Secure Foundation Focuses on Risk Assessment and Authorization

Lonye: So, that was my journey in the Air Force, I got out of the Air Force and I supported the government via contract. I was contracting government, went both ways, but I've supported DOD CIO, Army CIO, and the Air Force CIO. I've also supported some programs at the program office, which I love. But satellite-based systems, telephony, all focused on risk assessment and authorization.

What happened in my career is that you start technical. As you mature with cyber, as you increase your skillset and your knowledge, you get to the point where now I'm focusing more on policy, procedures, compliance, building strategies. That's what I really do, that's what my niche is, what I love to do.

I helped build the strategy for the Air Force that's an authorized called the fast track ATO process, doing the same type of thing for department USDA. Working across some of the Air Force, major acquisition programs like the Aircrafts and the F-35s. But now I'm looking at DevSecOps, how do we assess and authorize code? How do we assess and authorize what we're putting on a cloud that may be code that's transitioning over to the aircraft?

Mark: Is that what Arlo Solutions is? Is that the primary function of Arlo Solutions?

Lonye: It’s what you would consider the sexy part of Arlo solutions. The part that we talk about the most is cyber, but we have more work probably in the Intel space. We do Intel and cyber security, but even from an Intel perspective, we're still looking at strategy.

The Strategy Level to Secure Foundation

Lonye: We have a contract. It's still personnel security, but the process of how they transition that personnel security over to DOD. So we are still at the strategy level, we have contracts at the Pentagon actually. We still really work, we're advisors to senior leadership.

Mark: You started talking a little bit about cybersecurity and the early years of cybersecurity. It seemed like it all started with the network. You did a lot of networking type stuff early and computing and cybersecurity. It seems like it's changed over the last 20 years. Can you talk a little bit about the development or how cybersecurity has grown or advanced?

Lonye: First, I would say, cyber is now sexy. People didn't like to see us coming. The focus in the government is cost, schedule, and performance. Typically, cyber in the past, they wouldn't send us one of the friendlies. Nira calls more, it really decreases the time, and increases the timeline. It affected the schedule. Many times before we were mature, it could possibly affect the performance. I would say the difference now. Senior leaders didn't like to see us coming, the tech people didn't like to see us coming. We were not usually welcomed, and cyber was an afterthought.

Some of it is because of the cyber security workforce. Back then cyber security focused on NO, I would say everything someone wanted to do. We found NO is insecure, you can't do it. So holistically, we weren't very helpful, it's just my opinion. Now we are integrated into the team. From a maturity perspective, once you're building these programs, cyber security is a tenet that you're going to have to speak to.

Understanding the Importance of a Secure Foundation

Lonye: People are understanding the importance of cyber now, and that wasn't the case in the past. Number one, the cyber security workforce has matured in the way that they communicate, and we need to do a much better job. In the past, we may communicate, Hey, AC One! You don't have AC One talking and control and specific cyber jargon, which has not been helpful.

Now it’s starting to learn how to communicate with senior leaders, to help them make decisions. Because you should be posturing your leaders to make risk based decisions. Not saying no, just saying that this risk is high. But for leaders, it could be okay to accept this high risk because maybe that risk is for 10 seconds. So we have to learn how to communicate risk to senior leaders.

Carolyn: You're tapping into something that a lot of our guests bring up. It's about culture and that you have to find a way, or change. I don't know if it's change the culture, but it has become part of the culture. Look at you now, you have your own domain and the best month of the year.

Lonye: Yes, it is. I was going to say culture changed at night, but I didn't want to sound so cliche because that's what's happening. It's difficult. I'll give you an example, I just told you my history. If you think about that, that means I haven't touched technology in years. But I’m the person that's developing a strategy and telling you what the policies are, and what the process is. Do I fully understand Kubernetes? Am I a developer? The answer is no.

The Risk Management Framework

Lonye: So the difference now is we have to learn how to collaborate. These people that have advanced in their career, that's putting out these policies, they have to be able to collaborate with developers. The same, if you look at the risk management framework and any type of framework, and sometimes RMF gets a bad name. But I love it, because it's a framework. It's just really how people implement it, but the framework is a really good framework.

The issue is that we have to integrate the developers, the operations, the decision makers, as you develop these policies and thresholds. We're maturing there, and from a culture perspective, what I'm saying is a lot of issues with ego. Because now in these domains, everyone, they're experts. I have a developer that is an expert, I have an operations person as an expert, I have a cyber person as an expert. These experts don't talk to one another, because they're all the smartest in the room.

Carolyn: How do you do this? How do you facilitate the collaboration and deal with the egos?

Lonye: I would say, that's my niche, that's what I do well at, that's what I like actually. You break down those egos. I go in and I'll start the conversation with, I'm not an expert in Kubernetes. I'm not an expert in containers, I'm an expert in my field. You may be an expert in Kubernetes, but I promise you, you're not an expert at what I do.

Break Down That Ego

Lonye: So what we have to do is work together, this is the only way that we're going to do it. I'll break down myself and try to break down that ego so they can understand what we're saying. I see a lot of that, a lot of bickering and back and forth because everyone has their own perspective.

And I understand the developers because if I'm a developer, I'm moving fast. Here you come at the end saying, “I've integrated all this cybersecurity”. Now the cyber person’s saying, “Can you give me 50 documents to document what you did? Developers, you're antiquated.” “No, I'm not.” That's what I'm seeing a lot from a cultural perspective.

Mark: You talk about culture, and you've seen this from both sides, industry, and government. Can you tell us how you've seen change over the past few years between government and industry?

Carolyn: What does it look like now?

Lonye: I'm a very optimistic person, so I'll say that in general, so honest, but very optimistic. I'm proud of the government, and what the government is trying to do. I don't think people understand how difficult it is to either change culture, to integrate all of the industry because the government has their own processes and procedures. It's not in compliance to statutory requirements, law, acquisition law.

It’s very difficult to sometimes integrate more of the smaller, innovative companies into the acquisition process. So, I would start there. I would say from a maturity perspective, I do see the government trying to do innovative things.

Secure Foundation and Streamline the Acquisition Process

Lonye: Use the OTA, check and help streamline the acquisition process so that it's more consumable by smaller companies. I do think that they're trying the best way they can to innovate companies outside of the larger defense companies, which is difficult. It's really difficult, but I see them trying. I'm on programs, they're doing SBIRs, they are finding different ways to integrate.

From an industry perspective, I see more of a partnership. I see the government trying to be more open. In the past, the government has stayed away from even having a lot of conversations with industry because there's a lot of rules. For industry, I can't go out to the government. I can't buy them a meal if it's over $25, I can buy my friend a meal. I'm not bragging.

Carolyn: I hear you, I feel that pain.

Lonye: So many rules stand in the way of open collaboration because everything has to be fair competition. You can't give that perspective to anyone that is not. It could be, I just want to talk to the industry about this issue. I just really want to be open and tell you, this is my problem. The government has not been comfortable doing that in the past.

They're starting to, more freely, open up those lines of communication. It's not frowned upon, so I do think that, that's the difference with industry. Another way that we have to mature, in my opinion, is that the industry likes to throw tools at problems. They like to sell the government all these different tools, and a tool that can answer all of your problems.

The Secure Foundation of the People

Lonye: But if you don't have the foundation of the people in the process, those tools do not work. They don't, you have to be configured right. You have to have the right people that can run these tools, they have to make sure they are interoperable. That's an area that industry has to continue to mature in, because the government doesn't always have the workforce to consume your tools. You're talking about huge enterprises.

That's an area that industry can mature in, and that's an area that we focus on. I don't sell tools and I'm trying to be very non-biased on tools. I'm looking more so at the capability. The work that I like to do is really to team with the government, to work on behalf of the government. To team with the government versus coming in as a new industry selling something like a tool.

Carolyn: Often, we have the tool, we have the features in existing tools. But rather than figure out how to use it, we're like, let's just throw a new one at it. That's so frustrating. On a macro level, it sounds like government's getting better at diversity with smaller, innovative industry companies. What about on a micro level? So within your teams, how are you managing the need for diversity? Just on the people level or do you see that as a need?

Lonye: From a diversity perspective, it goes back to, you have to have a diverse team now. The domain is so much larger than it used to be, the internet of things.

When There’s a Secure Foundation, Everything Is Connecting

Lonye: You know, everything is connecting, it's so many different types of technologies and tools. Your team has to be set up sometimes for people that understand strategy. People that can understand that you want to do these cool things, and I'll come in in this case sometimes.

But how do I cross-map this to the requirements, the compliance, the statutory law, and make sure that you're covered from that perspective? How do you integrate these cool things that you want to do into current processes and procedures and laying out roles and responsibilities. You need a person that can do that. But then, you also have to have diversity from a person that understands technology.

You have to have diversity from a person who's going to use it, the user community, or the operations community. From a thought leadership perspective, you really truly need a diverse team. Technology is moving so quickly, every week there's a new technology. You really have to have folks that understand that, and those typically are not the people that's been in this domain for a long time. They graduated from the technology part.

Mark: Do you see the recognition of this across customers? Or you have to go out and make that happen?

Lonye: Make it happen. I will almost consider myself a cyber security integrator and that's not necessarily a domain. The government is not saying I want to hire a cyber integrator, they hire technology integrators. The issue the government is having, to me and some of these major programs, is the acquisition process. The way that the acquisition process is working now.

A Secure Foundation Needs an Integrator

Lonye: We may have a company that comes in and focuses on infrastructure or building a cloud. You may have another company that's coming and doing the pipeline work. Then you have another company that's coming in, maybe doing integration of that. Another company comes in and does O and M, so that's doing maintenance. You have another company that's coming in that's doing cyber.

They're on all different contracts. They are supporting the same client and there's a lot of integration. So you miss that. There has to be an integrator that truly focuses on, maybe technology integration, but then they crosswalk the contracts. Some companies are very specific about what's in their statement of work. So if the government is not very tight on contractual actions and acquisition upfront before the company even comes, they have failed.

It's a failure because of those gaps there, no one is going to fill it. A lot of times, bless the government but, you may not have a strong program manager in some of these programs that can talk across all that technology, or can do that integration as well. As we continue to mature on being diverse in all the different companies that we bring in, the government has to really focus on acquisition, and how we integrate those.

Mark: That's no easy problem.

Carolyn: Let's move to our tech talk questions. Our tech talk...