The Voice of Cyber®

KBKAST
From The SimSpace Summit 2026 – KB On The Go | Peter Lee and Ernie Ferraresso (Part 1)
First Aired: March 05, 2026

Cybersecurity is hitting a breaking point. Compliance checklists, tabletop exercises and confidence claims aren’t enough anymore, especially as AI accelerates both attack and defense. In this bonus episode, KB sits down with Peter Lee, Chief Executive Officer and President of SimSpace, and Ernie Ferraresso, Senior Director of Cyber Florida. Together they discuss cyber readiness and why Florida treats cyber like a mission.

Peter Lee, Chief Executive Officer and President of SimSpace

Peter serves as the Chief Executive Officer and President of SimSpace, the realistic, intelligent cyber range that strengthens teams, technologies, and processes to outsmart adversaries before the fight begins.

Previously, Peter was co-founder and CEO of DataSynapse, an infrastructure software company acquired by TIBCO; and CEO of RapidMiner, an open source machine learning platform acquired by Altair. At TIBCO, Peter served as Executive Vice President responsible for multiple businesses including the security, cloud computing, B2B, CX, and analytics product groups. Before launching his career in software, Peter was a strategy consultant with Deloitte and an investment banker with JP Morgan.

Peter has extensive Board experience collaborating with top tier investors to grow innovative software companies, serving as Chairman for Attivio (acquired by ServiceNow), WorldQuant Predictive, and ActiveState, and as Director for Ektron (acquired by Accel-KKR), Vesta (acquired by TINT), Infomatix (acquired by EPAM), OpenAssembly (acquired by Fulcrum), BlogTalkRadio (acquired by iHeartRadio), Entrio and Chattermill. Peter also serves on the investment committees of Advanced Finance & Investment Group and Communitas Capital Partners.

Peter graduated from Harvard College with an AB degree in Government (cum laude), received an MBA degree from The Wharton School in Entrepreneurial Management and an MA degree from The University of Pennsylvania in International Affairs.

Peter has been invited twice to speak at the World Economic Forum in Davos and four times at The Milken Institute Global Conferences in LA and Singapore, explaining the impact of AI in terms of its business value and key use cases. Peter is a former Board member of Upwardly Global, alumnus of YPO and a member of the Development Board for Phillips Academy Andover.

Ernie Ferraresso, Senior Director of Cyber Florida

As the senior director of Cyber Florida, Ernie drives the organization’s strategic vision while overseeing the center’s day-to-day operations. He started with Cyber Florida in 2017 as associate director of programs and partnerships and brings decades of technology expertise and leadership experience to his role.

Prior to Cyber Florida, Ernie worked for a small technology design and integration firm as the Director of Operations, overseeing the design and implementation of cybersecurity and emergency operations center technology solutions in the U.S. and throughout Latin America.

He is a retired U.S. Marine Intelligence Officer who served in the U.S. and abroad. His work included assignments with the U.S. Special Operations Forces, the intelligence community, the George C. Marshall European Center for Security Studies, and U.S. Cyber Command.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Karissa Breen [00:00:10]:
Welcome to KB On The Go. I’m coming to you from my new place of residence, Orlando, Florida. And today I’m being hosted at the SimSpace Summit. Cybersecurity is hitting a breaking point. Compliance checklists, tabletop exercises, and confidence claims aren’t enough anymore, especially as AI accelerates both attack and defense. This summit is about something different, proving readiness under real pressure, real tools, real teams, real-world chaos. Today, I’m speaking with leaders and former US government officials pushing cyber training, testing and validation out of theory and into reality. Because when the next incident hits, what matters isn’t what looks good on paper, it’s what actually holds up.

Karissa Breen [00:00:57]:
Stay with me, we’re diving into the conversations that matter. This is KB On The Go from SimSpace Summit 2026. Let’s get into it. Joining me now in person is Peter Lee, CEO of SimSpace, and today we’re discussing “Are we cyber ready or are we just saying it?” So Peter, thanks for joining and welcome.

Peter Lee [00:01:20]:
What a pleasure to be here, KB.

Karissa Breen [00:01:22]:
Okay, so I really want to start with your view around readiness. So you say readiness isn’t something you claim, it’s something you prove. So what do you mean by this?

Peter Lee [00:01:35]:
Well, in cybersecurity, confidence without evidence is just hope. And so readiness really only matters if it holds up under significant adversarial pressure. You have to test and validate in a realistic replica of your production environment under real-world scenarios. Otherwise, you’re talking about certification versus true preparedness.

Karissa Breen [00:02:05]:
One thing that’s interesting to me, Peter, would be across a lot of my podcast interviews, everyone’s talking about preparedness and resiliency and all these sort of things. What would you say, given your experience, preparedness looks like? Because I think that people have different versions and definitions of what that means.

Peter Lee [00:02:21]:
Yeah, that’s a great question. I think preparedness is ultimately something that’s earned and that’s proven. I think that’s really the single most important message. Preparedness isn’t a series of courses or certifications or a self-judgment. It’s got to be proven. That’s really the high bar.

Karissa Breen [00:02:45]:
One thing that I’ve noticed and observed, and maybe you agree with this, is companies are saying like, yeah, we’re ready, we’re ready. But then either they get breached, something happens, there’s some outage. So what I’m curious is why are people claiming it? And I know it’s not super binary where it’s like, okay, yes, we are. No, we’re not. I know there’s a lot of gray and these things are kind of hard to prove, but are you seeing that happen a lot with people in the market?

Peter Lee [00:03:12]:
You know, I really think that’s a great question. I think it really depends, KB, on what level of the organization that you’re engaging in. It’s obviously very difficult for the lower levels of an organization to admit that they have vulnerabilities or they may not be as prepared as needed. I think when you get to the senior levels of the organization, certainly at the CISO level, no CISO believes that they’re extremely well prepared, that their team is absolutely on their marks, that they have the right tools to succeed. I think anyone in the senior levels of the organization are very open to messages of transformation and really true preparedness. That’s really, you know, true resilience. So I think that really depends on where you’re addressing the organization.

Karissa Breen [00:04:06]:
So just staying with preparedness for a moment, it depends on who you ask. Some people are like, no, I don’t believe in, you know, getting out the IRP plan once a year. Some people are like, we’ve got to do the drill. We’ve got to do things in a different way. I mean, I’ve spoken to so many people on so many different opinions. So I’m keen to hear yours because again, the way things with AI and everything that’s going on in the world, things are a lot more different to how it used to be. Things are changing so quickly. Perhaps what was a good solution last year for being prepared fundamentally changes this year and so on.

Karissa Breen [00:04:34]:
So how do you stay always prepared then?

Peter Lee [00:04:37]:
Yeah, it’s a great question. I’ll answer it in two. I think you had two parts. So first of all, from our perspective, I’ll just share with the audience that our founders came out of US Cyber Command and MIT Lincoln Laboratory, a federally funded research lab that was very focused on top secret capabilities for national defense. And so we come from a culture where the bar is mission rehearsal. You really prepare. The bar is, can you accomplish your mission or not? It’s a binary bar. And I think that’s really important to put that stake in the ground.

Peter Lee [00:05:13]:
I think the second part of your question about really, I’m going to call, you know, change of pace or how things are really changing from an adaptability perspective. And I think we would say that training without testing leaves blind spots, that testing without training creates snapshots. It’s like a doctor’s visit doesn’t mean you’re healthy now. So I think resilience and validation, you know, kind of go hand in hand. You have to validate with realism, otherwise you have a sense of false confidence. And certainly today in the age of AI, you are seeing an astonishing pace of really autonomous attack execution, reconnaissance, vulnerability assessment, penetration, full kill chain exploitation, and then it learns and improves. The current pace of human certification training is really a very poor mismatch to this. And so I think that’s really where, you know, from our perspective, where we see the clients and where the market moving is, a cyber range really gives you an opportunity to rebalance the asymmetry between attackers and defenders.

Peter Lee [00:06:30]:
It gives you a chance to continuously conduct mission rehearsal and really actually secure your borders, secure your frontiers.

Karissa Breen [00:06:39]:
So going back to your comment before around mission rehearsal, So if you come from a military background, it’s sort of engendered into you doing this type of work. But if you’re working in a company as a, let’s call it, white-collar worker, it’s not the same. Like when you go out and you do like, you know, military training and that, like it’s not the same when you’re working in company. So would you say that’s a big disconnect at the moment?

Peter Lee [00:07:02]:
Well, I think obviously there’s significant cultural differences between military organizations and commercial organizations. I think you’re right to point that out. I think again, when you look to the large commercial organizations, they realize that they’re under siege in this AI-fueled threat landscape. And I think you realize that they’re investing in a multi-layered defense architecture and a multi-layered defense preparation for their teams to actually be able to repulse the significant threats that they face. So I do think that mission rehearsal, it may not be as— and I think you have a good point there— mission rehearsal has this kind of contained notion, doesn’t it, KB? It’s like a particular mission. The mission never ends really from a commercial perspective. It’s a continuous threat landscape. And so it’s less a series of discrete missions as much as a continuous culture and a cultural change, isn’t it really a cultural adaptation that they have to have?

Karissa Breen [00:08:07]:
So then speaking of continuous threat landscape, do you think this is where companies at the moment are getting caught out because things are changing so quickly? So it’s not like it’s anyone’s fault or they were lazy or they were complacent. It could purely just come down to things are changing day by day. It’s really hard to keep up because people got to keep the lights on. Like just doing preparedness isn’t all people do each day, right?

Peter Lee [00:08:28]:
Yeah, that’s absolutely right. I think that there is, like any organization, there’s a certain amount of prevention and there’s a certain amount of cure. And really, you know, our argument is that the more you put in prevention, the better prepared you are, the less you’re going to have to invent— to invest, excuse me, in curing. I think that organizations are really caught in a bind, right? There’s significant capabilities which have to be detected, which have to be directed, excuse me, towards detection engineering, threat hunting, resolution. Adversarial dwell time is plummeting. And this means that there needs to be even more resources directed at ensuring prevention of lateral movement, prevention of full kill chain exploitation. But I think at the same time, what we’re seeing in the age of AI is that if you don’t get in front of this, it’s going to overwhelm your defenses.

Karissa Breen [00:09:30]:
Okay, so if you zoom out and get a bird’s eye view, given your background and experience and the level that you’re operating at, where do you believe the biggest gap is when it comes to preparedness that you are seeing?

Peter Lee [00:09:42]:
I think the biggest gap is that we’ve got to see humans plus AI. It’s not an issue of subtraction or substitution. It’s really addition. It’s humans and AI capabilities working side by side. We believe that the confidence that really comes from seeing performance under pressure is really going to be built from joint training and having humans and AI being held to the same standard. I think that’s really what we see as kind of the next evolution, if you will, or the next advent of where security investment is being directed.

Karissa Breen [00:10:23]:
So when you say performance under pressure, people that I’ve interviewed over the years saying that, yes, being prepared, but then sometimes when there’s something going on in that moment, all the preparedness seems to go out the window. So how do you get to a point where even if something intense is happening, you can still handle it with control and make decisions with precision.

Peter Lee [00:10:47]:
Well, the reality is that we have to go into a culture and a regime where we have a very significant amount invested in rehearsal, in practice, in preparedness, because to your point, teams are going to fail, tools are going to be ineffective. We’re gonna have to learn the frontiers and be comfortable where risk really lies. And at what point do we need to really invest to turn the tide? Where do we need to direct our resources to actually win? So I think that it’s just absolutely critical to do this in advance, to have a culture of resilience and a culture of preparation because you don’t want to learn that in production. You don’t want to learn that in the real world. You want to be able to fail well in advance and be able to take the corrective course actions. We have a whole philosophy around letting AI and holding AI to the same standard that human operators are. I think right now it’s in the very early stages of adoption. So we’re seeing that AI is really good at maybe all, let’s call it automating the signal from the noise, but the most consequential decisioning is still taken from humans in the loop.

Peter Lee [00:12:06]:
I think over time we’re going to see a lot more of that decisioning taken over by AI, and you’re only going to gain that confidence by actually deploying it in something like a cyber range where you can really test and train in the same environment, in a realistic replica of your production environment, under real-world adversarial conditions.

Karissa Breen [00:12:28]:
When you said before, like, you know, people can start failing a lot more in tools, et cetera, do you think things are failing more today than even opposed to like 10 years ago?

Peter Lee [00:12:39]:
Well, I think that by definition, I think the threat landscape compared to 10 years ago has vastly changed. So, you know, I guess it, I think the, tools, the sophistication, the, the absolutely, I think that’s a fair question. I think that the reality is that the threat landscape has been exponentially increased. And by the way, the attack surface has significantly expanded compared to 10 years ago. It just puts pressure on defenders, you know, attackers and defenders. It’s always been asymmetrical, KB, right? It’s, you know, if you’re a fan of the hit movie, Everything Everywhere All at Once, that’s what defenders have to do. Attackers choose the time and place and how they’re going to attack. Defenders have to defend everywhere continuously.

Peter Lee [00:13:34]:
It’s a fairly daunting challenge.

Karissa Breen [00:13:35]:
So Peter, you said before holding AI to the same standard. So can you define what that standard is?

Peter Lee [00:13:42]:
Well, I think first of all, you have to have trust. I think, how do I know that the AI is actually going to behave in a way that is in accordance with our governance and our rules and our objectives? I think that’s a really important and unanswered question that has to be proven out. That can’t just be represented. That has to be proven out. I think secondarily, I think it’s important for us to understand that introducing AI with its awesome capabilities also requires that we understand its vulnerabilities. AI itself is another attack surface. And so we’ve got to, you know, the same types of like insider threat precautions and policies that have proven helpful with employees is still going to apply to AI. And I think thirdly, when we think about autonomy, the same type of governance principles that we have with our own people are going to equally apply to AI.

Peter Lee [00:14:48]:
Autonomy means that you’ve got significant risk, you’ve got a significant impact in the event of failure or collateral damage. And I think that has to pass the same type of governance and the same type of management framework that we have with our current security operators.

Karissa Breen [00:15:05]:
So following the trust talk track for a moment, many leaders sort of struggle with, you mentioned before, the tools, teams, those sort of things, now AI systems. So what would be your view to install confidence back and the trust? And I know sometimes trust can come across as a bit of a fluffy word, but I do think it’s important.

Peter Lee [00:15:25]:
I think first and foremost, we have to make sure that we are creating the right incentives. We can’t reward activity over outcomes. We have to understand that completing training and deploying tools and passing audits are not going to be a substitute for proving effectiveness. So I think the really the only way forward is to continuously test and train organizations from a people, tooling, and AI perspective together in production-grade conditions without risking actual production environments. That’s really, I think, where you’re going to build confidence, where you’re going to see this market move. There is absolutely no way that you can be sure, but you can come as close to that as possible. And I think that’s really where this market’s moving.

Karissa Breen [00:16:21]:
And when you say create the right incentives, what would those incentives be?

Peter Lee [00:16:26]:
Well, I think there’s an emphasis in the cyber market, or let me not use the word emphasis, but there’s efforts where individual training are held up as being helpful. And I would call individual training, you know, or really not helpful, but sufficient. They’re not sufficient. They’re really training skills in isolation. Being individually trained in a particular skill has absolutely no bearing to how you’ll perform under pressure in an actual team environment. Similarly, certifications, audits. I mean, I think there’s a lot of cyber activity that goes on that on paper looks like it’s going to be helpful, but it really has very little bearing, KB, on the actual performance of an organization under real-world conditions. And I think that’s really what we’re evangelizing.

Peter Lee [00:17:27]:
What we’re trying to do is we’re trying to really help our clients actually outsmart cyber threats before they take hold, you know, outsmart cyber threats, any cyber threat in any terrain. And that really means preparedness in real-world conditions.

Karissa Breen [00:17:45]:
So just a quick question on the certifications. I’ve heard some part of the industry say, yes, we need them because there’s a standard of what we need. But then also when there’s that base level, it’s hard enough to get people in this industry as it is. So therefore maybe they are disqualifying people because they don’t have the base level. But then other people are saying, no, it’s a good thing. So therefore we’ve got a governance layer and we know that people aren’t saying the wrong thing or they’re not pushing a certain agenda. Where would your sort of thoughts sit on the whole certification side of things?

Peter Lee [00:18:12]:
Yeah, well, I think, look, it’s obviously beneficial to have cybersecurity skills and to be certified with minimum level of competencies, but we would really direct a substantial amount of the effort and focus in organizations towards team training and away from individual skills training. I think in short, and the definition of team for us is now humans plus AI. It’s not just humans. I think that’s really the key message. You know, certifications, skills in isolation, compliance-level checkbox capabilities, they’re helpful. It’s a minimum bar of competency, but it’s a far cry from what actually needs to happen to really secure an organization.

Karissa Breen [00:19:01]:
And so Peter, what would you like to leave our audience with today? Maybe one key takeaway.

Peter Lee [00:19:06]:
Well, I think the really, the key takeaway is that while we’re early in the adoption of AI, the future is today. I mean, the future is absolutely today. We’re seeing that humans plus AI has to be the rallying cry, and that means organizations need to invest in the team training, in the tooling, in the testing, in a real-world production-grade environment like a cyber range in order to best prepare.

Karissa Breen [00:19:39]:
Joining me now in person is Ernie Ferraresso, Senior Director at Cyber Florida, and today we’re discussing why Florida treats cyber like a mission. So Ernie, thanks for joining and welcome.

Ernie Ferraresso [00:19:48]:
Hey, great, thanks for having me.

Karissa Breen [00:19:50]:
So Ernie, I’m new to Florida. I’m a new resident here, last 5 months. I’m from Australia, and I’m curious to understand what’s Florida doing differently in terms of how they approach cybersecurity?

Ernie Ferraresso [00:20:03]:
So it’s actually interesting. You probably figured out Florida’s a big state. We’re the third largest state in the United States, and I want to say we’re something like the 15th largest economy in the world. So it’s a big place and everything, and things range from, you know, some of the largest cities and school districts in the nation to some of the smallest. So there’s no, I’ll call it one size fits all. So it’s how do you deal with a decentralized multi-capability type entity? And that’s what I believe is unique is what it is that we do at Cyber Florida because we are a state-funded organization that’s housed at a university. So we’re not a state agency, but we do work quote in service of the state. So it’s basically providing services and resources to communities by the way of providing experiential learning opportunities for students.

Ernie Ferraresso [00:20:56]:
So that’s a big mouthful for saying that we have students that do work for these communities, providing them the services that they need. But then we can also take that information that we learn and then let the state know how they’re doing as far as levels of cyber resilience across the state.

Karissa Breen [00:21:12]:
So to put it in perspective, so Florida in terms of population is like upwards of 23 million.

Ernie Ferraresso [00:21:18]:
It’s a big place, yeah.

Karissa Breen [00:21:19]:
And there’s a contrast that Australia is like 26 million, and which is quite a big country spread all around. But just to provide a little bit more context to see the scale of it. So then one thing I’ve also observed being an expatriate here is there’s a lot more companies moving here to Florida. I don’t know whether it’s the better weather or the no income tax situation. However, this is a big boom in like technology and cybersecurity. So what, is that driven by what you’re saying here, Ernie, or?

Ernie Ferraresso [00:21:50]:
I think so. I think there’s some of that. I think a lot of it has to do with, in the companies that we talk to, it’s access to tech talent is one of the big driving factors that—

Karissa Breen [00:22:00]:
So they live here?

Ernie Ferraresso [00:22:01]:
Yeah. Being housed at a university, we work through a lot of the universities and the educational system. And so that’s where I think Florida’s made some very significant investments, certainly in its public university system. It’s got one of the top-rated public university systems in the nation. The costs are very low and the quality of the education is very high. And a lot of those graduates they want to stay in Florida. So that’s where I think companies see that. They see that there’s quality of people.

Ernie Ferraresso [00:22:29]:
Then there’s also the, you know, I’ll call it the quality of life here in Florida. It’s, generally speaking, it’s nice. I mean, current temperatures aside, it’s normally pretty pleasant, but I think that’s tied to it. So it’s, I think it’s access to the talent. But the other part is there’s also a different type of, I’ll call it tech community here. It’s this thing that we’re in this together and we all are gonna, you know, we want everybody, we want people to succeed here. You know, these tech companies, they want each other to succeed. It’s a true ecosystem.

Ernie Ferraresso [00:22:58]:
And then it’s almost like, hey, if this company grows, we can also expect that’s gonna provide positive growth for us as well. So it’s very, I’ll call it symbiotic in that sense. And I think that’s unique. It’s not very, it’s not cutthroat. It’s not like I have to, you know, stab somebody else to move ahead. Certainly in the tech space down here, which is unique and interesting.

Karissa Breen [00:23:18]:
So a couple of questions then on that. As you were speaking, there’s been, you know, Silicon Valley is still the original and then there’s been talk around, oh, it’s going to be Austin, it’s going to be Atlanta. Do you think it’s a fair assumption, given what you’re saying, it will be Florida that could overpower, if not overpower Silicon Valley?

Ernie Ferraresso [00:23:36]:
I believe so, because we’re talking from the state, the state level. There’s so many different areas in the state that are each moving. So you have just here in the Orlando area, the greater Tampa Bay area, down in, you know, the South Florida, Miami area. All three of these are just, they are just booming with tech entrepreneurial energy and, you know, startup communities and such. So, you know, it’s not just a, it’s not just a quote, a valley, it’s a whole state. It’s not just, you know, Austin, it’s Florida. It’s taken us a bit to get rolling, but now you’re starting to see that it’s a state that’s rolling. It’s not just, these indiv— these small little isolated communities.

Ernie Ferraresso [00:24:16]:
It’s the whole state. So that’s going to be this, like, the secret power there is that we’re big and, oh, the giant is awakening. That sounds kind of hokey, but that, that type of sense, that’s what I believe.

Karissa Breen [00:24:26]:
Do you think historically people assume— now, Orlando is the most visited US city in the world. Over 70 million people visit here, probably for Disney World and Universal. But historically, people have this view and opinion that Florida is the, well, it’s the Sunshine State, but it’s also where people go to holiday or vacation, to use American vernacular. So is that perception going to change now? Because when people think of California, yes, LA and Hollywood, but then they think San Fran, they think Silicon Valley.

Ernie Ferraresso [00:24:59]:
So that’s something that I’ve struggled with, and also I think the state has as well, because yeah, we’re known for, you know, alligators and oranges, right? That’s been it for a long time. We’re getting a lot better at telling the story of the tech community. We’re getting way better at telling that story. I mean, if you look at across the state, like up in places up in the Panhandle area, I mean, we have some of the leading robotics research in the nation going on there. You know, you talk about here in Orlando, it’s some of the leading research and development in the modeling and simulation community is had. And this is all, you know, tech-based, you know, the Tampa Bay region with the University of South Florida, for cybersecurity and artificial intelligence. These are all these areas that are leading the nation. But again, it’s tough because of the— heck, you go on TV, you just Google Florida Man and they know that Florida Man doesn’t come up and it turns out it’s somebody who’s just invented the next, you know, semiconductor or artificial intelligence.

Ernie Ferraresso [00:25:54]:
So we’re getting there. But that said, the other regions, they shouldn’t sleep on us. The way I believe it, it’s that the work will demonstrate the capability, meaning someday, one day people are just going to wake up and it’ll be, wow, Florida is actually this really impressive technology, technology, very innovative state because they weren’t paying attention and they just were there now. And it’s going to— that’s what I think is going to happen.

Karissa Breen [00:26:16]:
So given what you just made before, how do we as an industry, as a state, country, change Florida man into the perception of like new Silicon Valley dude here?

Ernie Ferraresso [00:26:27]:
The way we do that is it’s the grind. It’s a generational type of thing. You just keep showing that this is where good technology stuff happens and you just keep doing it and eventually it’s going to, people are going to pick up on it. I mean, you can do all the best, you know, the best marketing in the world is word of mouth. People say, yeah, they’re actually doing good stuff down there. And so that’s what I think we’ve got to do because if we start, if we start, you know, promoting and marketing and saying all the things, oftentimes people, it’ll be like, oh yeah, that’s fake. That’s just the window dressing. But we actually are actually doing it.

Ernie Ferraresso [00:26:57]:
And I think that the work will end up speaking for itself. And I think you’ll start to see more and more of that over time. It’s, again, it’s a generational thing because the other part is like Silicon Valley didn’t become Silicon Valley, you know, overnight. It took years to build it. And we’re really rolling now. And I think it’s gonna be far more durable than a lot of other places because of the overtime. It’s not gonna be something that is just a flash in the pan and we’re done.

Karissa Breen [00:27:20]:
So when you say durable, what do you mean specifically?

Ernie Ferraresso [00:27:22]:
I mean that it’s, this is gonna be something that is here to stay. It’s not gonna be a, oh, we, yeah, well, we were once these tech folks, we shifted on. This is like, no, this is, we’re building this solid foundations. And when I talk about that, it’s, you know, those infrastructure developments, it’s a strong higher education system, it’s a strong technical college system. It’s all of those underpinnings that cement the foundations in the community that then grow into the, those things. They’re not, it’s not like we had a, you know, oh, there was a big tech company that moved here and then they went bust and then the town died. You know, like the steel industry, you know, that, that type of thing. It’s becoming self-sustaining and growing that you’re seeing now.

Ernie Ferraresso [00:28:03]:
You’re seeing companies not just moving here, but they’re starting up and they’re staying here, like a ConnectWise, like a KnowBe4. These are companies that started in this area that are now, you know, billion-dollar companies that started here. So it’s not just moving in, it’s growing our own. And that’s when I talk about durability, is that you have this ability to grow and sustain, I’ll call unicorn company status.

Karissa Breen [00:28:25]:
So given that, given what you’ve said, do you assume that Florida will become more powerful in terms of like GDP as opposed to states like California in the future?

Ernie Ferraresso [00:28:37]:
That’s a good question. I’d like to say yeah, I’d like to think so for a variety of reasons. It’s still trying to figure out what, you know, what your quote manufacturing base is and how that’s gonna build. But I do believe that in the not too distant future, Florida’s gonna move ahead of that because of the types of things that you’re gonna start to see to come outta here. I do believe that.

Karissa Breen [00:28:59]:
One interesting thought is when I moved here and I live in Orlando, people were like, why would you move to Florida? Now I said there is a growing tech hub, but now you are saying in a little bit more fidelity, which just gives that assurance. ‘Cause I think naturally there is that stereotype of, oh, Silicon Valley and all these other places. So I think it’s just more that it’s changing that narrative, and you’ve reinforced that.

Ernie Ferraresso [00:29:23]:
Yeah, it’s— and I tell you, that’s, you know, I joke when I say the alligators and oranges, and they’re not the meth-addicted alligators. Those are the ones in Mississippi. I just want that, you know, clear. But it’s exactly— it’s how do we change that? And it’s because, first, the other part I’ll add is Florida as a, a very popular state, that’s a fairly recent thing.

Peter Lee [00:29:43]:
Right?

Ernie Ferraresso [00:29:43]:
So if you think about it, Florida doesn’t get to be popular until post-World War II and air conditioning becomes a thing. So if you think about it, we’re a very large and geographically, but also economically, but that’s been in a very short time. If you look at it in the span of time over, over the long haul. So we’ve made tremendous progress in that period of time. So I like, I can’t expect us to shed the, you know, oh, the alligators and oranges and the tourist destination overnight. But that said, we’re moving very rapidly in a thing to say we can be a tourist destination and a technology destination and a bunch of other things as well. And we can do it pretty well and it can be a really great place to be.

Karissa Breen [00:30:28]:
So they can coexist.

Ernie Ferraresso [00:30:29]:
They can coexist.

Karissa Breen [00:30:31]:
Because when people— I remember speaking to someone I first met here, they’re like, oh, Orlando, they’re like, I haven’t been there. Last time I went there, it was just full of swamps. It’s still swamps. However, it’s a little bit more built up. So that’s why I’m very curious to understand someone who’s an expatriate coming into this country and living here in Orlando. It’s really good to hear your sentiments on this. So I’m aware that Florida is often cited one of the most cyber-forward states in the country. So you’ve given all the reasons, but what I’m curious to know, like, what are other states doing or not doing?

Ernie Ferraresso [00:31:04]:
A lot of it depends on the state. A lot of states, they’ll have high aspirations. You’ll see, you know, statewide strategies and things. But the challenge that I see with other states is it’s in the implementation of those strategies. What I think puts us in a unique position is that, again, we’re that— we’re in that space where we’re an entity of the state, but we’re not an agency of the state. And so that allows us to engage with a lot of folks. And one of the things that we really pride ourselves at doing is identifying the resources that are out there, but more importantly is getting them in the hands of people and organizations that need it in a way that they can actually use it. So I think you’ll see a lot of states that’ll begin to allocate— they set aside resources, but oftentimes the folks that need them can’t access them for a variety of reasons.

Ernie Ferraresso [00:31:50]:
That what we’ve seen around here in Florida is, you know, different grants, whether at the state or federal level, for, I’ll call it, school districts. In order to get that, they have to apply for either a state or federal grant. School districts, certainly small, the folks that actually need that, they don’t have the resources to actually apply for and manage a federal or state grant. So again, that, that’s, so that’s where we would come in and say, okay, let me help you. How do you build out a state, a grant program? What are the types of things that you can do? Or we’ll even go to the state and say, hey, have us manage the grant program and then we’ll figure out how to get it to the people that they need. It’s that last mile. That’s always the problem is how do you get what it is you need into the hands that need it? And other states are trying to get to that. It’s often difficult because if you’re a direct arm of the state government, oftentimes people aren’t going to— they’re not going to let you in because, hi, I’m here from the government, I’m here to help.

Ernie Ferraresso [00:32:41]:
And most people are like, I don’t believe that. But that’s where we can do things a little differently because, yeah, I’m here from Cyber Florida at the university. Can we help you? And they’re, oh, that sounds like a good idea.

Karissa Breen [00:32:50]:
Do you think a lot of it’s also attributed to talent shortage, perhaps not living in less desirable states as well? Maybe it’s colder, maybe it’s desert, maybe it’s hotter, maybe there’s no beaches there. I mean, whatever the reason, strokes are different folks, but do you think that is attributed to some of the gap in where some of these states are performing in terms of cyber readiness?

Ernie Ferraresso [00:33:10]:
Yeah, there’s probably some of that, but that said, you know, states like North Dakota, they’re actually doing pretty well. The university, I believe it’s University of North Dakota, has one of the better cyber programs. The states are pretty— now, that said, they’re a lot smaller as far as population and complexity. They have big cities, but a different manageable problem. The other part, as I’ll say, is they’re getting it right because their state leadership decided to get it right and made it a priority. And I think that’s some of the other thing that is— that’s what’s going to make an entity or a state successful, is that their state leadership makes the decision that this is going to be a priority. And then even more importantly is then follows through on that and ensures that it’s actually happening. Because oftentimes you’ll say, oh yeah, this is a priority.

Ernie Ferraresso [00:33:56]:
And what does that mean? It just means, well, it’s a priority. And so that’s why I think here in Florida, the governor and the state has made a significant effort to say this is something that’s important. We’re going to put resources behind it, both at the state agency level for the communities and organizations like Cyber Florida. We’re going to make sure that they have the resources that they need to do the job. And I think that’s the key part, is that states that make it a priority and actually don’t just talk the talk but walk the walk with it, that’s what makes them successful.

Karissa Breen [00:34:23]:
So speaking of walking the walk, I’m aware that, as you mentioned before, Florida’s a big state. It’s supporting a lot of state agencies, local governments, critical infrastructure, academic institutions, and Florida is ranked quite highly with how many there are, as you would know. Obviously, that’s a lot to secure. So maybe talk through how cyber ranges change the way agency like prepare and then respond then as a unit.

Ernie Ferraresso [00:34:48]:
When we first started with our cyber range, and this goes to, and we were providing training and exercises to, you know, state and local government entities, we started it with just as like a training type activity where it was, okay, hey, you go in, your team goes in, can they do X, Y, and Z? Check, congratulations. And that in itself was a new thing for these places. So that, that in itself, so that’s just doing that was of tremendous value to them. The next part that we’ve been moving to is now being able to let them know about different levels of how they’re able to do things. Okay, so you can do this at this particular level, or you are able to do it to this certain degree, which is okay, but you can be better here and here. And so now you’re talking about building this culture of improvement through exercise and training, that exercises and training opportunities are not a thing for nights and weekends, that they become more built into the organizational culture. Like, hey, this isn’t extra. This is part of your job.

Ernie Ferraresso [00:35:49]:
And that’s kind of where we are now. Where we’re going is— and this is where if somebody had asked me where this was going to be when we started with the range, it’s now— it’s also now let’s use this thing to test out different ideas, test out different tools, test out different things so that you can then better prepare for incidents as they happen. Hey, listen, we want to see what would happen if cyberattack variant X happened to our network, and then how would we deal with it? So that’s moving from just the training side of it to a no-kidding simulation that has a simulated response. And that’s what I also believe that cybersecurity folks need to be able to get to, is you want to be able to identify, I’ll call it emerging problems early on so that you can see that when a sophisticated attacker’s coming in, oh, the first thing you’re gonna see is this, and that’s what it actually looks like on my tools. Oh, I know that. And also that I can know that this is what may happen if I don’t do X, Y, and Z. And that’s where we’re getting to get to where it’s more being able, people to actually able to test and simulate actual emergencies based on actual threats on their actual systems. So they know what it is. And then also, okay, if I change my system to do this, how does that impact that as well? So that’s kind of the, it’s more of that using it as an evaluation and testing ability to fine-tune their defenses.

Karissa Breen [00:37:13]:
And would you envision Ernie as well that if Florida’s the North Star for how things should be done, will the other states follow?

Ernie Ferraresso [00:37:19]:
I hope they do. I hope they do because I think that’s where, that’s the approach that we’ve been taking with a lot of the things that we do. Even though the services that we provide are free, it often surprises me how hard it is to get people to even engage with a free product. You’ve heard the, you can lead the horse to water, but you can’t make them drink. So we spend a fair bit of time running the horses around, making sure they’re very thirsty. And so that then when they get to the water, they want to drink. And that’s the, you know, engaging, starting small, building up, letting people know that, hey, this is actually worthwhile, that they actually participate in it. And so by taking that approach, I think we’re out in front.

Ernie Ferraresso [00:37:58]:
And if it helps pave the way for others to, to skip a couple of steps to get to where we are, then I, I think that’s actually a, a big win because at the end of the day, you know, this isn’t, it’s not Florida in isolation. It’s gotta be, you know, it’s the United States and arguably, you know, the rest of the world too, because it’s not just a, it’s not just a Florida problem, it’s everybody’s problem.

Karissa Breen [00:38:18]:
And that leads me to my next point, cuz when you were talking, I’m thinking there’s 50 states that make up this country, which is a lot. Big place. So in terms of population as well. So I’m then curious, if one of the states isn’t perhaps at the same level in terms of maturation as Florida, that overall impacts the whole United States and the capability moving forward. What are some of your thoughts to how to bring that together and operate more as one union? But then obviously, I understand that there’s going to be strengths and weaknesses across Florida and other states, etc. But ultimately the US is still one huge country. So how does that sort of look in your eyes?

Ernie Ferraresso [00:38:58]:
So it’s an interesting, interesting challenge, that’s for sure. I think when we talk about what are the things to go for, it’s the first thing that’s good that needs to be really continued is this information sharing regarding, you know, breaches, reporting and such. And that the MS-ISAC, it still is a very powerful organization in that sense because we need to be able for entities to share information about what has happened, what are the vulnerabilities, and push that information out. I think as we see with changes in the federal government, the responsibility of securing infrastructure and systems and services is being pushed down to more to the states. And then, you know, so it’s down to the— even down to the agency or city and county level. So that’s, I think, what we’re seeing. That said, so there’s the responsibility of providing the security. But the way that it’s got to work is that we’re all sharing information so that when something happens here in Florida, that the folks in Oregon can know about it very soon because odds are they’re going to see something similar coming to them.

Ernie Ferraresso [00:40:02]:
And so how do they then, you know, tune and update, dial in their defenses as well? The more we decentralize the actual operations, the more we’re going to have to rely on information sharing between the entities to pull that off. I do believe that as AI and automation takes on more, you’re going to see a shift in the different types of talent. So not that the talent gap is going to get smaller, the types that you’re going to need are going to change, but that day-to-day type things are going to become easier to manage. So that’ll, I think that’ll lift some of the burden off some of the, I’ll call them resource-constrained entities because they won’t have to hire a team of, you know, 10 folks, it’ll be one of the right person, which may or may not be it, but a child is still not— it’s not 10 folks, it’s still—

Karissa Breen [00:40:52]:
it’s less than that. So, so with CI-ISAC International, for example, sharing intelligence and knowledge from an Australian perspective, people have tried this but then they don’t want to do it. Now, why do you think that’s the case? Because it’s not necessarily a zero-sum game. Like, if someone else wins doesn’t mean you lose. Maybe it’s different here, but it’s definitely happening in Australia where there’s a lot of pushback with the overall mission is if I share something with you, Ernie, maybe that helps better you. Why do you still think there’s a bit of contention going on with the knowledge sharing?

Ernie Ferraresso [00:41:25]:
I think it has to do with, I’ll call it legacy mindset for a lot of things, and it’s just the shifting nature of cyber threat and cyber landscape. The reluctance to share information is a lot tied to, I’ll call it compliance and regulatory risk that worried about. People are worried about— even today, when most entities have a cyber incident, instead of— the first call is to their lawyer, you know. So, and the law enforcement folks have a terrible time with it because in that sense of, you know, it’s a significant cyber crime, but they’re— the organizational attorneys said don’t let law enforcement in here because we got to make sure that, you know, protecting the entity from litigation is their principal job, not so much getting the information out to, you know, to the larger community. So I think that’s what’s going to have to shift, is that who you share information to has to be an entity that is not going to get you into trouble for sharing that information, if that makes sense. Because I think you look at it, how the current regulatory environment is in the United States, you’re required to report certain things. If you don’t report certain things, you get in trouble. If you report certain things to certain folks, that’s going to get you into trouble. But they all end up going to different places.

Ernie Ferraresso [00:42:44]:
It’s very confusing. And an example would be, so CISA is not a regulatory agency. When you report something to them, you’re reporting it so that they can get the firefighters to do what they need to do. They’re doing it so that doesn’t spread to others. So arguably that’s the important one for the reporting. But if you look at how the regulatory environment is framed, that should be the first one that you send it to. But they’re the last because they’re not the ones that if you don’t do it, you don’t get in trouble. So now it’s the incentives are wrong to how to share information.

Ernie Ferraresso [00:43:18]:
So that’s, that’s what I think is the challenge. It’s that the incentives are on the regulatory side, not on the information sharing side for the sake of improving it. Because if you look at what is actually needed from a threat intelligence standpoint, they don’t need to know how many customers are affected. Heck, they don’t even need to know the name of the company. They just need to know that, you know, okay, it’s this, we saw this TTP, it was on this technology, and it came in through this vulnerability. Maybe it’s important that they say what sector I’m in, and it was, I was in the healthcare sector, because then it could help tailor the alerting. But at the end of the day, if it’s Jacksonville Health System, nobody, it’s like, oh, I don’t care. It’s not important to me.

Ernie Ferraresso [00:43:57]:
But the current reporting regime says you got to do all that. And that all of a sudden pins a liability on Jacksonville Health System of something, all those types of things. So they’re not incentivized to share.

Karissa Breen [00:44:05]:
So how does the country correct that then? Because no one wants to bite from the hand they feed from effectively.

Ernie Ferraresso [00:44:10]:
That’s right. So the challenge that is— and you’ve probably heard about it— there was a term, they’ve changed it. It used to be regulatory harmonization. Now it’s regulatory optimization. And there’s several things are moving to try to get that through. There was— you may have heard about the CISA Act of 2015 that had to get reinstated, and some of that included liability protections for organizations that participate in information sharing. So it’s doing those types of things, keeping those legal frameworks in place. But then the other part is also ensuring that entities know that they have those types of protections to do that.

Ernie Ferraresso [00:44:42]:
You have the frameworks, but it’s also getting the word out that, hey, yeah, you can do this, you don’t need to, or take advantage of it. I also think that’s just a generalized awareness of how to live in the 21st century. A lot of places, a lot of companies don’t, I mean, if you were to ask their CEO or their president or their founder, okay, so tell me what’s your critical function? And they would say, oh, it’s, and okay, how is, and where is that information? How is that system cyber-enabled? And then where is it? Most of them wouldn’t know. They’d say, I use Microsoft. Okay, great. But that’s not, that doesn’t answer the question because at the end of the day, if your point of sale goes down and you’re an online store, you stop being an online store, but they don’t, but they’re not, but they just say they don’t. It’s understanding that that has real consequences for your organization and that’s all cyber. It’s based on a cyber-enabled system and that’s just a changing mindset of folks to get there.

Ernie Ferraresso [00:45:34]:
It’s most people will tell you, oh yeah, if I’m a trucking company, it’s the trucks. Well, actually your truck now is your, your point of sale system. It’s your scheduling system. I mean, ask any hospital that’s had their, their patient, their patient management system taken offline. You stop being a hospital then.

Karissa Breen [00:45:51]:
So another question that I have, and probably my last question for you today, would be, I may be wrong, but do you think there’s a little bit of state-by-state rivalry on like who has the best cybersecurity? And does that really not matter? Because for example, I mean, when you go to the Olympics, you’re the USA. You’re not, hi, I’m Ernie from Nevada or Ernie from Florida. Like no one cares. You’re just the United States of America. So how do you get to that point where it’s like, yeah, okay, I get it. There’s competition. I mean, it’s a big place, a lot of people. How do you move it to that point where you present as the USA?

Ernie Ferraresso [00:46:23]:
I think the challenge that you’ve got with it is, first of all, I’m not sure that you’ll ever get there from a cybersecurity standpoint. I don’t think you’re ever going to have a consortium that is made up of all 50 states that speak as one voice. I don’t think you’ll ever get that. I do think if you’re talking about facing externally to the outside, that’s where entities like the Office of the National Cyber Director, you know, the head of CISA, you know, DHS and those types of entities, US Cyber Command, they can speak to that aspect of it. I do think that as cyber grows, changes, and matures, I think you’re going to see it just becomes part of the normal lexicon that we all talk about. So meaning, I don’t think you’re going to see us say, hey, we’re better than you in this. It’s part of it’s just going to be you have to be as good as you need to be, I think is the right way to put it, because some, some states are going to need to put more energy against it, more resource against it than others. And that’s just a function of their state is different and has different things that they do and that they’re reliant on.

Ernie Ferraresso [00:47:25]:
And so I think you’re never going to have a unified posture or structure. But I also think that’s good because through that, it’s just like the electrical grid. Part of the reason why we haven’t had a nationwide blackout is, for good or for bad, is electrical grids are all managed at the local level and each one of them different. And so it’s not like there’s a, okay, if we leverage this attack, it’s going to take down everything because everything is different. So it’s their strength in the diversity. It can be a feature and a bug. It can exist in what is a quantum state of yes and no at the same time.

Karissa Breen [00:47:56]:
And so what would you like to leave our audience with today, Ernie?

Ernie Ferraresso [00:47:59]:
Two things. First is I’m very excited about where we are in the state of, I’ll call it cyber. We are at a really unique point in history. Particularly with artificial intelligence and the increasing in computing power and such. We are very much at the point if you can come up with an idea, you can turn it into action just like that. And it’s not that you have to have a whole litany of certain skills to do it. So that’s, that is very exciting. And I think that the more we embrace it, the more we get used to, I’ll call it living in the 21st century, I think we’re going to be, we’re going to be very, uh, very well off.

Ernie Ferraresso [00:48:35]:
I’m not concerned that we’re near the end times of humanity by any stretch of the imagination. And I would also tell you that if you’re ever worried about the future of the world, all you got to do is go visit some— go see a high school cyber competition, go talk to some kids in the summer camp, go see university students in their security operations center, and you will walk out of there saying, yeah, we got no problem. The younger generation is so much smarter, so much more engaged, so much more willing to try and do new things than middle-aged folks like myself. And we have such an opportunity community to, you know, to show them the way. So I’m pretty excited about that, and I’m very excited that I get a chance to be a part of that, you know, here at Cyberforce.

Karissa Breen [00:49:17]:
And there you have it. This is KB On The Go.

Peter Lee [00:49:22]:
Stay tuned for more.
