CyberArk is a member of the Massachusetts Technology Leadership Council (MassTLC), an industry consortium of 500 organizations. Every year, MassTLC joins their counterparts across North America to attend the Computing Technology Industry Association (CompTIA) Fly-In. MassTLC invites a select group of technology leaders to join them for this conference and Capitol Hill visits to talk to legislators and educate them on the most important issues facing the technology community. For the past two years, Adam Bosnian, EVP of Global Business Development at CyberArk, has attended the DC Fly-In as a representative from CyberArk.
Three areas where the MassTLC delegation focused are– infrastructure, talent and data privacy. Bosnian advocated for improved infrastructure. The delegation to Capitol Hill was ten people – Tom Hopcroft, president and CEO of MassTLC; Sara Fraim, director of policy for MassTLC; and representatives from top technology companies and start-ups in Massachusetts.
The group spoke with Senator Ed Markey, Congresswoman Lori Trahan, Congressman Joe Kennedy, Congresswoman Ayanna Pressley, Congresswoman Katherine Clark and representatives for Congressman Stephen Lynch and Congressman Seth Moulton. With each representative, the group had approximately 30 minutes to make their case.
After Adam returned from DC, I asked him a few questions about his experience.
When you went to talk with the legislators, what did you advocate for?
Very often infrastructure legislation is mostly focused around transportation. CompTIA’s position is that when you’re working on infrastructure bills, you need to consider smart technologies and funding for those technologies. You can imagine this to be things like sensors in roads or cars.
I said that while we absolutely want to put dollars into smart technologies, we shouldn’t forget money to refresh the backend systems that are supporting things like energy grids and public utilities. Currently, those backend systems can’t support smart technologies.
As we refresh those backend systems, it will also allow us to put cybersecurity on those systems. Today, the grid is running on technology that’s at least 20 to 30 years old. We can’t adequately apply cybersecurity controls to it. Almost every legislator said that they’d heard a briefing regarding the grid and how it’s susceptible to attack.
Modernizing the backend provides not just an infrastructure modernization benefit, but also a national cybersecurity benefit.
So, where does CyberArk fit in? We primarily focus on securing the data center and the IT side of the house. But all of the problems that we solve on the data center side exist on the operational technologies side of the house – consider manufacturing production lines, managing power lines or the power grid itself.
What we’re seeing is that there are vulnerabilities on the operational technology side that are not being addressed. Very often they can’t be addressed without modernizing or refreshing the backend technology. They’re not being refreshed or modernized because it costs a lot of money and, if the generation unit is working, companies don’t have any incentive to fix it. But, the “if it ain’t broke don’t fix it” mindset doesn’t apply when it comes to national security and support a more resilient national security posture.
What can we do here and now to affect policy in a positive way?
The problem we have is that, while we can highlight the cybersecurity problem to the utility and the utility may even agree that it’s a problem, without regulation motivating them to fix it, they aren’t necessarily going to fix it in a timely manner without some kind of incentive. So, I do feel that CyberArk has a responsibility to both shine a light on the industry to show what needs to be improved and to work with key stakeholders to influence an environment that allows and empowers organizations to solve the problem.
What role do you see CyberArk having in this going forward?
I think we should find ways to be more involved in national, if not international-level initiatives, whether that’s through something like CompTIA or being part of the Identity Defined Security Alliance (IDSA) or something like Cyber Threat Alliance. I think we have a responsibility as a leading company in the cybersecurity space to use our position and our voice to highlight areas that need more attention and prioritization.
What issue in cybersecurity do you most want to advocate for?
I don’t think we talk about cybersecurity in the schools enough. We barely talk about programming at the schools, never mind cultivating the next generation of cybersecurity-aware students and future professionals. Cybersecurity is interesting, cool stuff and I think we should expose more kids to what we do.
I just don’t think people even think about cybersecurity as an alternative career path, because we’re not in the elementary schools, the middle school and the high schools talking about what cybersecurity is. In their minds, cybersecurity is something that just gets in the way of their day-to-day activities with their phone, laptop or iPad. But, it’s so much more than that. I don’t think we bring it home in a consumable way for a broader set of people to help them really get it. That’s something I’d like to help change and advocate for.