RegScale’s Travis Howerton on taking the pain out of compliance in highly-regulated industries

Written by Thomas Kinsella, Co-founder and CCO, Tines

Published on May 19, 2025

In this week’s episode of The Future of Security Operations podcast, I'm joined by Travis Howerton, Co-founder and CEO of RegScale. Travis began his security career with roles at government and regulated organizations, including the National Nuclear Security Administration and Oak Ridge National Laboratory, before being inspired by inefficiencies in compliance processes to co-found RegScale. As CEO of RegScale, he oversees their Continuous Controls Monitoring platform, which enables rapid GRC outcomes for organizations like Wiz, Keybank, and the US Department of Energy.

Travis and I discuss:

  • Protecting the world’s most sensitive data, from nuclear systems to the world’s fastest supercomputer

  • Navigating bureaucracy and moving fast in highly-regulated environments

  • The transition from public sector leadership to co-founding RegScale

  • How organizations can take the pain out of compliance through automation

  • Where AI fits in GRC today - and where it absolutely shouldn't

Where to find Travis Howerton:

Where to find Thomas Kinsella:

Resources mentioned:

In this episode:

[02:15] How an interest in computer science led Travis to pursue a career in security

[03:20] Working in “the Major Leagues of cyber” at the National Nuclear Security Administration

[06:20] Moving fast in highly-regulated environments

[07:10] Securing the world’s fastest supercomputer at Oak Ridge National Laboratory

[10:30] Supporting digital transformation at enormous scale at Bechtel Corp

[15:15] How outdated compliance processes inspired Travis to co-found RegScale

[18:15] How RegScale acquired its first high-profile clients through "hustle and luck"

[19:20] The challenges of building the first version of RegScale

[21:15] Taking the pain out of compliance

[23:20] The biggest GRC roadblocks teams are facing right now

[25:10] Practical advice for moving the needle on your automation program

[27:33] Eliminating redundancy and inefficiency in federal compliance programs

[32:30] What’s next for RegScale

[33:45] The best applications of AI (and which decisions should "never" be made by AI)

[35:45] Navigating regulatory uncertainty when it affects your whole business model

[38:40] What SecOps and compliance teams might look like in the future

[40:20] What the best compliance teams do to build rapport with security, IT and other business functions

[43:30] Why AI adoption is a risk-based conversation every organization should be having with their CISO

[46:00] Connect with Travis

TL;DL? Read Travis’s take on: 

The unique challenges that come with securing the National Nuclear Security Administration (NNSA)

“If you watch Oppenheimer, that's what ultimately became the NNSA... They have a bunch of really unique, really important national security missions. It's the only data in the US that doesn't declassify, because it’s always sensitive... It's a very dynamic threat environment. A lot of the static, after-the-fact tools that work in many places don't work at all in that kind of environment, where you have sophisticated adversaries who are well resourced that spend all day, every day coming after you. It requires a different level of diligence and proactivity.”

You’ve got to learn how to protect data forever against the most extreme sorts of adversaries. I describe it as the Major Leagues of cyber. The people who run that program in the NNSA are some of the best in the world at what they do.

His time as a security leader at Oak Ridge National Laboratory

“The scale of data at Oak Ridge National Laboratory (ORNL) was pretty insane. They openly collaborate on the toughest science problems in the world, with the smartest people from all over the world. I went from an organization where we trusted nobody who wasn’t a cleared US citizen to having people from all over the world collaborating in real time. While most of the data was unclassified, there are some very sensitive data sets at ORNL - a lot of human genome and climate data is there. People spend their entire careers coming up with problem sets and simulations and theses where they need to prove it, and the only way to prove that in a reasonable amount of time is to get time on this supercomputer.”

The trick there was, ‘How do we create a world-class research environment where people can collaborate with the least amount of friction all over the world, while making sure nothing sensitive goes out the back door?’

How RegScale aims to get teams more excited about compliance

“I used to be on the other end, where I had to approve it, and I joked with people that they hired me to lead, not to read. When you have to do it in a static way, in a dynamic environment, you have a mismatch that doesn't work for people. And that's what creates the pain. People don't mind locking down their systems - they want to keep bad guys out. What people get sick of is constantly updating paperwork to satisfy some checkbox.

I've never been able to get anyone excited about compliance... How we got people excited was by saying, 'Just don't do it anymore. Let automation do that for you. You just lock down your systems. You focus on operational excellence in cyber, and let us give you all the risk and compliance checkboxes for free.’

The biggest GRC roadblocks

"I think there's a huge cadence mismatch. That's the thing I always tell folks, 'Cyber attacks move at light speed, compliance programs in the government and highly-regulated industries move at geologic speed.' We're literally dealing with regulations that were written 20 years ago - it takes them so long to update themselves that they're way behind the times."

Go build some playbooks to automate your response to these [threats] so you have better security, don't spend all your time updating 1,000-page Word documents. One of those - you just wanna slam your face into the thing. The other - you feel like you're making a difference for your company. And that's the shift we want to help people make.

The limits of AI and why ‘supercharging, not eliminating humans’ is the way forward

“The biggest problem with AI today is precision. I don't think we're at a stage where we want to take humans entirely out of the loop and rely on AI. I think we're probably a fairly long way from that. But I do think if you look at the amount of work it takes to get to the human decision, a bunch of that can be automated with AI. I’ve met a lot of companies who say, ‘I hired some really smart people who are completely overwhelmed. I need to get all this low-value work off them so we can use the big brains we hired them for.’ So we talk a lot about supercharging humans, not eliminating humans. There is a day in the future where some of this work that's being done by humans will be done by AI. But I don't think risk-based decisions will ever be one of them.”

Cyber is not a game where being 99% right is good enough — it’s a volume game. If they can get you 1% of the time, they can get you all the time.

What SecOps and compliance will look like in the future

“Part of what compliance forces people to do is buy armies of tools to satisfy little bits of things. So what you end up with in security engineering is like, ‘How do I put this spaghetti mess of crap together in a way that functions consistently?’ I’m a big believer that a couple of the right tools, instrumented and integrated well, can solve almost all your problems. If you know the playbook, you run those plays well, and your fundamentals are solid, you're gonna perform at a high level most times.”

Part of what we suffer from is data silos - too many different systems that don't talk to each other. It's more of a checklist-based approach to security, versus, ‘What threats am I trying to protect against? How do I put together a couple of well-architected platforms so that I can solve this problem end-to-end with the least amount of overhead maintenance and opportunity for error?’

Listen to more episodes of the Future of Security Operations podcast.
