(Transcribed by AI Powered Machine)
Mark Shriner
Hello, everybody. Welcome to Secure Talk. My name is Mark Shriner and I’ll be your host for this episode of Secure Talk. Today we’re going to be talking with Steve Orrin, who is the Federal Chief Technology Officer and Senior PE, which I believe is principal engineer for the Intel Corporation. Steve orchestrates and executes customer engagements in the federal space, overseeing the development of federal solution architectures to address challenges in the government enterprise, national security, and other federal areas of focus. Steve has been in the IT space for many years, has a lot of different specializations. We’re going to talk to Steve about specifically what Intel does in the federal space and then just kind of talk about current events and so on. Steve, how are you today?
Steve Orrin
I’m doing well. Thanks for having me today, Mark.
Mark Shriner
It’s my pleasure. I looked at your LinkedIn profile, and it seems that you reside in a place called Vienna.
Steve Orrin
That is correct. In Vienna, Virginia, which is about 11 miles outside of DC.
Mark Shriner
Okay. Makes sense, given the space that you’re in, but I didn’t know we had a Vienna in the US. Any story to how it got its name?
Steve Orrin
Actually, it was named for Vienna, but it’s one of the older cities in the area. Obviously, Virginia is one of the original colonies. It was one of its interesting tidbits. It was one of the first free areas post Civil War, and so it has a long history of supporting the African American community as one of the first free cities that was designated post Civil War.
Mark Shriner
Well, that’s amazing, and I’m sure it’s not related at all, but we have a city, a small little town out here called Leavenworth, and it’s kind of a Bavarian village-themed place. And I don’t know when it originally started, but it’s been there for along time. Do they have anything in Vienna that resembles Viennese architecture or not at all.
Steve Orrin
Nope. It’s all Colonial Virginian style architectures here.
Mark Shriner
Okay, well, that’s still pretty impressive stuff. Well, hey, Steve, I got to ask you, your Federal Chief Technology Officer and Senior Principal Engineer, you work in the federal space. Are there any major differences between working in the federal space and serving the federal government versus working with private enterprise in the context of delivering security solutions?
Steve Orrin
So it’s a really good question, and I think it comes down to the way we think about it in a couple of different areas. On the one hand, oftentimes dealing with the federal government, there’s an extra level of complexity around contracting and how money is appropriated to purchase or develop systems and solutions. Typically, in the commercial space, you have fairly short sales of times and lead times as far as going from initial customer contact to acquisition, whereas government has a much longer sales cycle. On the flip side, two of the really two interesting things that I’ve always enjoyed working with the federal government actually three things.
One is the scale, the sheer size of the problem of the number of users, the number of systems in the case of cybersecurity, the size of the threat and the amount of systems that you have to protect. So it is a bigger problem than you’d find in individual corporations. On the private sector side, the other really interesting thing having done my started my career in the startup space, developing products and technologies is the federal government is a macro of every use case. So you think about when you’re looking at various different vertical markets, IE financial services, healthcare, manufacturing, retail the federal government has it all.
If you want to talk finance you can talk IRS or you could talk to the Medicaid, Medicare parts of HHS. They’re dealing with financial, the same kind of financial transactions and financial data that you would at a bank when you talk about health care. The VA is the largest insurer and provider of healthcare in America and really in some cases in the world because of the sheer scope of what it has to service. And then of course you look at things like citizen services and the kind of data sets and so it really does have every possible vertical all in one place. So it makes it a very exciting area where there’s always interesting unique challenges across multiple vertical domains. And then lastly, it’s the mission. As much as I want to make sure that all the banks and the healthcare organizations are protected and able to scale their organizations, at the end of the day, our US. Government is serving us and serving our country. And by helping them, we’re helping the common good and helping the citizens and really helping to affect the mission, whether it be saving actual lives to making sure people’s tax returns happen fast, to making sure that the vets get the right services. The things we do matter and I think that’s what makes it exciting. And then there’s a calling to that to help. Even when you’re in the IT space, you’re actually seeing the effect of what you’re doing.
Mark Shriner
Awesome. Hey, I’m wondering because I’ve dealt mostly with private enterprise, I’ve been involved in a couple of different government contracts as well. And the incentives tend to be a little bit different. In private enterprise, the incentive is obviously turn a profit. And if you get really deep into it and you listen to somebody like Drucker, it’ll be like, oh no, the purpose of a business is to get a customer, but at the end of the day, it’s all profit driven. Okay. In the federal government, though, some of the agencies aren’t necessarily measured on their profitability. In fact, some of them are just continually perennial money losers. But they provide really valuable services. So when you remove the profit motive, I’m wondering, does the decision making process, does it change at all?
Steve Orrin
So I think it’s a very interesting question to look at because there’s sort of two sides to that coin. On the one hand, when you don’t have the profit motive, oftentimes you can get better decision making because it’s not driven by the bottom line all the time. Yet at the same time there is a bottom line there. You’re not trying to turn a profit, but you have an allocated budget that’s dictated by Congress and that’s all you get to spend. And so in some respects, they’re held to the same barrier and therefore need to be able to deliver on time and within the budget. And they’ll go for the lowest cost solution because they’ve got to stretch that budget. They can’t go back to a VC to get more money or increase their revenue by selling more product. They get the allocation they get and that’s it for the year until the next continuing resolution or budget approval that comes along. And so it is a different set of criteria, but they have a lot of the same challenges. The flip side, on the positive side of that, is that they’re not beholden to just the bottom line.
Whether it be building a new airplane for the Air Force or designing a better system for delivering data through the GSA. Their mission is what comes first. It’s executing on that mission. And so profit doesn’t come into the story. That’s the sort of secondary of how do we afford to make it happen? But they’re definitely driven by the requirements of what they’re trying to execute on. And so it is a very different conversation when you’re looking at it from what can I do with the budget I have to solve the problem versus okay, I’ve got X amount of budget, I’m going to peanut butter in a couple of places until the revenue is better and then we can do better. So it does lead to a much more mission oriented approach to how they deliver solutions.
Mark Shriner
Makes a lot of sense. I’m curious, because you must deal with a large number of different agencies. Do you find that the response in terms of current cyber threats varies based upon the agency?
Steve Orrin
So I think, like you would find in any other vertical Market, they’re sort of the haves and the have nots. If you go to the financial institutions, you have the very large banks, have very large teams, large It and cybersecurity budgets, and are also the main target. So they see a lot more. Whereas you talk about small regional banks, credit unions, things like that, they obviously have much smaller teams. They don’t have the same capability and depth in their workforce to be able to address every kind of threat. And you see the same thing in the federal government.
The DoD is the big dog. They have the teams, they have the money, and they have the threat that they’re dealing with, where if you go to smaller civilian agencies, are often very small organizations and in many cases have to outsource a lot of their It security to either managed service providers or to other parties or contractors. And so you have the same kind of have and have not. There are two key differences. Again. It doesn’t matter if you’re the International Trade Commission or the National Security Agency. You are a target because you’re part of the federal government.
So you do have a big target on them, regardless of how big or small the agency is. And at least for the civilian agencies and also for the DoD, in a separate division, there are agencies whose job it is to help provide security for them. So it’s not up to the International Trade Commission or Gao or the Department of Veterans Affairs to do it all by themselves. DHS for the civilian agencies is tasked with helping provide the network and operational security and threat monitoring for the civilian agencies and the law enforcement arms necessary to help prosecute. And of course, DoD has multiple different divisions and services that are in the cyber domain, from protection to defend.
Steven Orrin
To network management. So inside the DoD there’s Dissa, Defense Intelligence, the Defense Information Security Agency and then you of course have Cyber Command and both of those work in coordination to protect the core infrastructure and the data as well as the systems and platforms globally for the DoD. And so you have dedicated agencies that you don’t get that kind of benefit out in the private sector.
Mark Shriner
What does Intel do differently or what does it provide that’s different to the Federal Government versus private enterprise?
Steve Orrin
Very interesting question because at the end of the day Intel is in the business developing and producing commercial products that we sell to the broader industry worldwide. The way we go after the government is really in two areas and it’s different from a lot of the other providers. What they call the defense industrial base where whether you take like a Lockheed or a Northrop whose job is to sell capabilities and services and products to the Federal government almost exclusively, or even other commercial entities, the OEMs or the CSPs, that develop federal focused solutions specifically for the government. Intel looks at the Federal Government in more of a strategic way. What are engagements we can have with the Federal government that are strategically important to both the government and to Intel? Whether it be as a vanguard of technology.
So building out technology today that the Federal government wants for its requirements because of the scale or scope or threat that they’re dealing with that is going to have a commercial viability down the road. And so looking at them to sort of help do the early stages, the early piloting, the early prototyping on something that we see commercial needing later and advancing technologies along those ways to taking commercial products and customizing them together to understand how the end customer would use various ingredient products.
And so we build technology, architectures and solution whether it be in the area of AI and supercomputers with government requirements but they’re always tied back to what’s the commercial viability, commercial capabilities to be able to deliver it at a global scale. Because we’ve seen this over my career, I’ve seen this many times. A requirement today in the federal space will be a requirement in the financial services and regulated industries in a few years and then it will be for everyone else a couple of years after. So the government does often have the requirements first, especially in the cybersecurity realm but we also see it in the scale realm. They have the largest of data sets, the largest of networks and so if you can solve it for them, you can solve it for the private sector.
Mark Shriner
Yeah, I think that’s kind of an often overlooked, I guess, benefit of the Federal government is it serves as this incubation ground and massive area for deployment to help companies one commit to actually developing the technology that’s needed. Because if there’s no Market, private companies are going to be like, well, where’s the upside? You’re telling us we need this technology, but where’s the Market and federal government says we’re going to buy your chips or we’re going to buy your tools. It could even buy we’re going to buy your electric vehicles if we’re going to be your first Market and then you’re going to so that kind of gives you that guarantee that allows companies to go ahead and invest in those key technologies. And I think that oftentimes people well, maybe I’m just reflecting on my own thought patterns, but we overlook that benefit of the government and how the government can be strategically used. I know that. And this is not related to cybersecurity. Well, it’s related to national security. A big part of the plans to deploy or develop renewable energies technologies is to get the federal government to commit to being a consumer of those services.
So it makes a lot of sense. Let me ask you, because you cover a lot of different areas. Which technologies are most exciting and conversely, which threats are most concerning for you?
Steve Orrin
So Mark, we could spend an entire day on some of those topics, but let’s talk about one of the ones that I think everyone is seeing right now. AI is a game changer. It is changing the way it’s all in the news. And everyone’s talking about whether it be chat GPT or autonomous vehicles or the new robots. And the technology is starting to get pervasive across all aspects of daily life. And what we’re seeing is as we move beyond the hype and start looking at where it’s actually making a difference, whether it be in processing the sheer volumes of data and being able to get better Intelligence, better information out of data of operational efficiencies. There are some great studies in the Air Force published one a number of years ago about using AI machine learning not to solve some big data problem, but to just get operational efficiencies into their contracting and acquisitions process. So looking internally on the process of buying things and how can they reduce duplication, get better efficiency, make the process more straightforward. And in some cases it sounds like.
Mark Shriner
You’ve been through that process a few times.
Steve Orrin
Yes, indeed.
Mark Shriner
The last time I went through the process, it was funny, because if you don’t have a dedicated team that knows all the ins and outs and I forget the huge procurement platform where if you’re going to do business with this, happened to be with the DoD, you create an account and you have to add all this information. It was so torturous. And I remember talking to one of my colleagues because I was like, how can we possibly send our military overseas and invade? I just don’t know how we can sustain it because this is just not working. But at the end of the day, it all came together.
Steve Orrin
We’re seeing AI really being one of the exciting areas of technology that’s still evolving and we’re still seeing great innovations there. And so I think that’s one of the exciting areas and it is a buzzword on the technology front. Everyone’s talking five G and I think a lot of commercial industry is thinking about from the phone and the public access of 5G. But really when you think about what it unlocks, whether it be private, public or a combination thereof, it’s the ability to deploy diverse heterogeneous distributed edge nodes. And what’s at the heart of that. That means your sensors, your vehicles, your platforms, your compute. And even the individual, whether it be a war fighter or a census taker, can be connected real time to an infrastructure to be able to share data, be able to get real time Intelligence, real time applications, access wherever they may be. And so 5G are the what we’re calling advanced communications because it’s more than just the 5G standard. It’s WiFi six, it’s the advanced comms, it’s softer to find radios, all of that working together is unlocking the capability of pushing more capability out to the edge and to be able to help everyone from again in the federal government space, obviously war fighters and the individual workers within the government.
Steve Orrin
But it’s every industry, whether it be remote health, whether it be in the case of a forestry, being able to have that connectivity reliably with the high data speeds is really changing the game. And so those are two of the key technologies that we’re seeing become exciting as they’re applied to various different mission and enterprise use cases. I think right now when it comes to security, everyone’s talking Zero trust. It is the buzzword duo. We have an executive order and a mandate that says the agencies not only have to have a plan for how they’re going to achieve zero trust but they have to start executing on it so they can’t just have a paper document.
They actually have to have an implementation that follows. And so we are seeing a strong push to changing the way we look at security and a lot of folks are struggling and I talk to public sector, state, local government as well as federal and a lot of them are asking a question of well, where do I begin? And the reality is you don’t throw away all the security you’ve done for the last 50 years. Zero Trust is really an evolution and what we’re seeing the successful agencies do is take the work they’ve done in the past of understanding their assets, of doing that risk management which is sort of the core of what it takes to do security at scale and applying Zero trust principles back into it.
Steve Orrin
And why this is important, it goes to your second question is the ever evolving threat landscape that we’re dealing with. And what we’re seeing is the stuff that you hear in the news like the ransomwares and the data breaches and the supply chain tax, those are obviously part of the bigger story. But when you look at the actual nation state actors or the kinds of threats that are being used against both the federal government and private industry globally the sophistication we’re seeing and the types of evasion techniques to get around or hide from your typical antivirus and firewall products, the targeting of individuals and the data that they have access to. So getting very focused on knowing that these type of individuals have access to this kind of system. So I craft an attack for those environments as opposed to the prior generations of malware which were sort of scattershot or shotgun approach. I throw a million of these out there and eventually one of them is going to hit. They’re getting very laser focused and that means we need to change the way we do security and evolve our security to be something that’s different.
And one of the key tenets of zero trust that I think is exciting is that concept of default deny. Basically the idea is that even though you’re a legitimate user and you’ve authenticated just this moment, that doesn’t mean you automatically get access to everything. And so by taking a default deny approach, it makes the systems and the people and the networks constantly reevaluate. Are you allowed to access? Is this the right thing for you to be doing at this moment in time with the current threat? And that change is helping to narrow the window of exposure that these targeted attacks are occurring.
Mark Shriner
A couple of follow up questions that then in terms of timing to deploy zero trust or implement it, what are we looking at for the federal government? And then also you say like default deny and zero trust, can you walk through a kind of use case of what’s it going to look like for me, an end user, if I’m in the federal government and we’ve implemented zero trust?
Steve Orrin
It’s a great question. So let’s start with the timeline. I think one of the first misconceptions that a lot of people have, and it’s important to state is that there is no binary. I don’t buy zero trust. Flip the switch and I’m good. It’s a process, it’s a journey, it’s not a destination. And so the key is that what the mandate said and what was really important about how it was crafted is that you have to start. It doesn’t say you have to be finished by a certain date because there is no finish line. It’s a constantly evolving approach to how you do security. It’s not, well, I buy this product and I’m done. And so everyone’s got to start. Those time frames are now the mandate came out last year and they were given 180 days to come up with a plan and start exiting a plan. So everyone is looking at 23 as the implementation execution start point to get the ball rolling. Where they begin is going to be somewhat unique to each organization, whether it be around stronger authentication so that they can do better verification of their end users to network segmentation.
Steve Orrin
So not having one big network for everything but chopping it up into individual subdomains and subnetworks and doing that segmentation that allows you to provide those policy controls between the different domains. So HR should be different from finance should be different from say, health tax to use a commercial use case. They shouldn’t all share the same network from a logical perspective so that you can apply those policies. So let’s talk about your questions. A really good one is what does it feel like from an end user?
Well, if we do this all right, and it’s going to take us time as an industry to get there. So today it’s not going to be as seamless as we want it to be. But the idea is that as an end user, your experience should not be degraded because you’re in a zero trust environment unless you’re doing something wonky. If you’re going to go on and access your teams in your Microsoft Outlook or go to your Google Docs or whatever, your normal business activities, they should work the same way. You’ll have a stronger authentication, it should be multifactor. So whether your password and a token or some sort of app on your phone, a combination of more than one credential to initially authenticate yourself, a lot of the work that validates that and validates the activity is going to happen behind the scenes.
But to walk that scenario, you’re going to go into your systems, you pull down your SharePoint and you’re looking at the docs that you’ve used for the past six months. Everything’s great. You’ve authenticated your access to Doctor. Now you’re going to go look at in our case, I’m at Intel, I want to go look at the design specs of the next generation chip. Well, that’s an interesting thing and I’ve never done that before, at least I haven’t done in six months, let’s say. So I’m now doing an access to a data set that I have authenticated, I have access to, but should I have access is really the question the policy system is going to ask. And so before giving me access to that design spec, they’re probably going to present me with a couple of challenges like reauthentication. There may be also some additional risk management things that will happen behind the scenes. So a system may check. Is my antivirus and security policy patching up to date on my laptop? Am I in a location that’s compliant with where I should be to perform that action? One really good example of this that we’ve implemented and we’ve published papers on is that authentication isn’t just about the individual, it’s the device, the network and the geolocation I’m in.
And so one great example of this is on my phone, which is managed by Intel. I can access my email, I can access most attachments through a secure container but I can’t access any of the documents on the SharePoint. I have to be on an Intel network, on an Intel provided device and now I’m on my Intel department of device. But I’m going in over Pvpn from home so I can access most of the documents on the SharePoint, that kind of thing. But the design specs I have to be in an Intel office and I have to be in an Intel office that I’m supposed to be in because I have badged in to the Fairfax office. So my access should be coming from the Fairfax, not from Oregon or not from China. And so having that more rich approach to validating who I am at that moment in time and then looking at what I’m trying to do that’s happening behind the scenes. But those are the kind of questions the systems will ask when I do something that’s sort of asking for elevated privileges or going after a piece of data that isn’t within the scope of what I normally do.
And those kind of policy controls, decisions and reevaluations of my authentication is the kind of thing zero trust is going to enforce behind the scenes. My experience probably would be that when I go ask it, I’m going to get one of two strands going to say please authenticate again to verify that I want to access this and I really want to do it. And then I may be able to view it, I may not be able to download it. I’ll be able to view it, but I’ll not be able to download. That’s going to be based on policy and the current threat environment. And that could change if tomorrow I come in and I try to do the same thing legitimately and there’s a change in the policy because the threat level is different or because I’m now associated with a different program, that experience could change. I could get easy access to it because now a policy decision has been made. But the change is it’s not automatic. Today you sign into your enterprise, you’ve got the keys to the kingdom and that’s what fundamentally is shifting segregating the data, the networks, the applications and applying real time policies.
And I think the other thing we talked about the fault deny, but it’s also the continuous part, continuous monitoring, continuous evalidation, continuous risk management because the world that we live in doesn’t stay static. And then the idea of only checking your security updates every six months to see if your policies correct isn’t going to fly anymore. And so that continuous monitoring means that if, let’s say, we’re seeing an increased amount of attack of targeted phishing campaigns coming after Intel from China, they may reduce the access and spin up the dials on the policy to require multiple authentication steps or prevent people from downloading documents without a two step process to help reduce the threat at that moment in time. Zero trust is what the architecture that enables that kind of next gen approach to risk management?
Mark Shriner
Yeah, but a lot of that anomalous behavior detection and behavior analytics has been around for a while. But what I’m hearing you say is that in addition to that, they’re communicating with kind of threat awareness, threat detection, and it’s just going to be all that much more powerful. They’re getting more signal from more areas, and the ability to detect this anomalous behavior is being increased probably because of the use of AI as well. And so it’s just becoming much more powerful, much more pervasive. Then on the humorous note that would you call it just allowing somebody to download what’s the technical word for that?
Steve Orrin
It’s denying the download.
Mark Shriner
Deny the download. Can we just, like, regardless of what party they’re in, whoever’s in the White House, can we just enforce that? I just imagine, think about how few documents I actually print these days and then some people that we all know who have time to or have their colleagues download or print crates and crates of these documents and then move them around, deny download, problem solved.
Steve Orrin
One of the key things that links those two also, like you said, the analytics has been around the better threat Intelligence. It’s the connection to policy we’ve seen time and again, you hear about a data breach or attack and they go back and do the forensics and they say, well, yeah, the sensors picked it up. There was the blinking light, if you will, on the dashboard, but it took two weeks for the analysts to see it. That’s the problem, is that we’re relying on humans in the loop often to find some little blinking light. That doesn’t tell us that it’s really a vulnerability, just says something’s weird here, as opposed to pushing that to an automated policy enforcement. So you’re saying I don’t know that there’s an actual threat because it’s a blinking light, but seeing those blinking lights I’m using that in the proverbial way could drive a policy decision to provide stronger controls in real time. As opposed to waiting for someone to come back in later and flip a switch and turn on a firewall firewall rule that’s the game changer in their trust is moving to that automated versus sort of static manual approach.
Mark Shriner
Totally makes sense. And whenever possible, automate agree with you on that policies are super important and get the right ones in place from the beginning. I got to ask, as the government moves towards zero trust, we already talked about the size and scale sometimes, which presents its own set of problems, right? I mean, you have to kind of get some forward momentum and you get a critical mass and you do this. But I would imagine that one of the challenges is just getting enough people with real world experience who have done this kind of change. Well, you can call it change management or you can just go through this process because if you’ve got a bunch of people saying, yes, we’re going to do this, but they don’t have the experience, how does that happen?
Steve Orrin
It’s a big problem, not just for the federal government, but for private industry as well. We’re all on this journey together towards zero trust and no one has, as you read the news, no one has the ample cybersecurity workforce they need or the training they need to be able to be 100% effective. But what we’ve seen in the successful organization is that they don’t let that get in the way of starting. You enable your teams to go off and in a lot of cases it’s not trying to solve or boil the ocean all at once. You pick key areas. So in one case, some agencies, it’s focusing on better authentication. That’s not new. We know how to do multi factor authentication, we know how to do stronger sort of context authentication. Not just what you are, who you are, but where you are, what you’re connected from. The tools for that exist and the processes for that part exist. Other agencies are looking at that segmentation so that it’s not all one big network, but they break it up into small pieces. Like I said, there are products, technologies, processes and best practices that have been around for doing network segmentation.
And so what we’re seeing is that it’s not about trying to do zero trust all at once, it’s picking the key area to start based on your risk management and start it. And I have to stress that it’s not analyzing the problem to death, it’s figuring out where your most important key areas to start. It may be ten of them picking a priority. It doesn’t have to be 100% right because if you get the priority order and you’d start on number three, priority before number one because that’s what you thought was right, you’re still working on the top ten priorities and you start executing. And we’re seeing that both in private industry and you talk to the banks, you talk to the federal government, you see a similar response. We picked these key areas and we’re starting on that. We’re starting with stronger authentication, we’re starting with better risk management and policy connection, we’re turning on automation for patch management, those kind of tactical execution, but all with the notion of what does that tie into an overarching framework. And that’s what zero trust is about. It’s a framework, not a product. So as you start executing on these individual components, it’s part of a long term plan and it’s coordinated.
And so no one’s ever going to have the cyber workforce they need. I mean, everyone is struggling in that space and that’s why it’s one of the most exciting industries to be in. I’ve been in it for most of my career. And I have to tell you, it’s recession proof, depression proof. It’s just always needed. And what you’re finding is that they’re targeting the teams, the areas that they have the highest priority and they also have the visibility to how to execute against that problem and they’re tackling it. And that’s the way that these large agencies and small and private industry are going after Zero trust is they’re starting to sort of slice up the problem and take on different parts of it.
Mark Shriner
Sounds like a great approach. Let me ask you on your job specific side. I understand typically what a CTO or Chief Technology Officer does, what does a principal engineer do?
Steve Orrin
So a principal engineer really it’s about understanding that you’re delivering capabilities. So you think of the difference between sort of a CTO evangelist and a technical. CTO evangelist is really sort of a very technical person that’s helping to sell and Market technologies. That’s what a lot of evangelists do. And some of the CTO evangelists, that’s what their job is, to help government customers or whatever their industry they’re in understand that technology. And that is absolutely part of my job. I like to say I can translate Intel speak into government speak and government speak back into Intel speak to be that conduit.
So the government knows how to adopt our technologies and our business units know how to build to the government requirements. But also being a senior PE, it means I’m driving technology innovations, driving technology capabilities back into the business units and for the government customers. So it’s actually helping to develop the next generation architecture or be able to use our technology to solve a next generation threat with the government customer. And so it brings that understanding of the requirements for the mission or for the customer working with the business unit, technical and product roadmap planning folks to actually build things and develop capabilities and solutions.
And so I get to play the best of both worlds. I get some of the most interesting problems and use cases, and then I also try to go solve them and actually provide solutions that get executed into the ecosystem so that whether the OEMs or the CSPs or the system integrators are taking our technologies and the way we’ve designed them and the way myself and my team have delivered them and bringing them to Market. And so you get the best of both worlds, in my opinion.
Mark Shriner
That’s got to be a pretty cool feeling when you are there at the initial discussion stage where they say, hey, we’ve got this problem, how can you help this? And you help co design or design a solution with your team and go back and present it and then see it accepted and then take it to Market and then deploy it and you see it out there being used and you’re like, I was there when it was just a concept. I mean, that’s pretty darn cool.
Steve Orrin
It is. And it’s exciting when you see it scale and when you see standards get written about how it’s implemented. It it is an exciting thing to do and it’s one of the reasons why, you know, I started out my career as a startup guy. I did multiple security startups throughout the but I’ve now been at Intel for almost 18 years. And really what it comes down to is the scale and impact you can have. When I design something or we execute a solution, it goes to millions of users. And the scale that you have is something you don’t find often in a startup environment.
Mark Shriner
Awesome. Hey, I got to ask you one more question. The listeners can’t see this, but you have your camera on, and I can see that you’ve got I’m looking at maybe a couple of hundred books behind you there. What kind of books do you read?
Steve Orrin
So I have sort of two kinds of books that I read. The ones directly behind me are a lot of them are security or sort of better understanding how businesses work. So I would say my non fiction section. So I’ve got a lot of books by Bruce Schneier and Ross Anderson, books about hacking, about international threat, interesting reads on sort of the things that have happened. And then I’m also very much into Sci-Fi fantasy. So that other bookshelf you’re looking at there is all Neil Gaiman and various things that he’s written or things that have been influenced by him.
Mark Shriner
Okay, so give me for the nonfiction and people who are working in the cybersecurity space, something that is a must read.
Steve Orrin
So I think there are two books that are absolutely important, and one is a security book and the other is a business book. So the security book one of the very first ones I read, and even though there have been multiple other books out there that are also good applied, cryptography is a great starting point, not just because some of the algorithms they talk about are obviously a little bit dated because it was written back in the 90s. But what it does is it gives you a way of looking at things that is really important to understand, that just because you can build a crypto system or build an encryption scheme doesn’t mean it’s secure. And it really teaches you how to look at cryptography in a way. And cryptography is a microcosm of all of security, is that if you’re going to build a solution, you need to understand how things fall apart, how things get hacked to better understand. And that’s almost the antithesis of how other technologies are built. If you’re going to go build a new car, you want to understand how cars work and how they go and make improvements on it.
Steve Orrin
Security, the best security professionals understand how cars break, how cars get hacked as an example. And so. It’s that mindset that I think was one of those key things I learned from Applied Cryptography is understanding how things fall apart before trying to figure out how to fix them. And then the other book that’s actually been a really good guidepost for me as I’ve grown in my career has been that Jim Collins Good to Great Love, introduced to that early in my career. My CEO Intel is in there.
Mark Shriner
I think Intel’s in there. Andy Grove takes a good role.
Steve Orrin
So one of my early CEOs introduced me to both to Jim and to the book, and he came in and gave a quick talk to our executive team, and we all had to read the book. And at the time I was like, why am I reading some nonfiction business book? I tell you, it was game changer. Understanding not just how I would want to build a business, but as I engage with customers, understanding what makes them tick. Because whether it’s a good organization or it’s him in his terms, even one that’s not operating effectively, by understanding why you better understand the customer and what their needs are. And so it’s really helped me both in how do I build companies about surrounding yourself with people smarter than yourself and being able to listen to them. Exactly. And then understanding what companies are in the business of doing so that when you’re looking to help them, you understand what makes them tick. And that, again, valuable information, whether you’re in security or anything else. But it’s been very helpful to me throughout my career.
Mark Shriner
That’s awesome. Yeah. I remember the Intel chapter, or it might have been multiple chapters, but that was a massive transformation. I actually recently read I think it was John Doer’s book, and he was talking about the existential threat that Intel was facing early on from Motorola and how fast the organization was able to rally the troops and put out a kind of response to that. Pretty impressive company you work for there.
Steve Orrin
Thank you.
Mark Shriner
Those are some great recommendations. In terms of the Applied Cryptography, is this something that somebody with a non-super technical background could get through?
Steve Orrin
Probably not as easily, because it does go deep pretty quickly. But Bruce Schneier, who’s the author of that one, has some other really good books that are at the higher level. Secrets and Lies is probably a really good book to read from him that he put out. And then he’s got a new book that came out last year I’ve got on my shelf. I have to go look at the title, but yeah, Secrets and Lies is a really good one to understand the dynamics of cybersecurity, and it’s a less technical read for your layman.
Mark Shriner
Awesome. And then on the fiction side, one recommendation.
Steve Orrin
One recommendation. Good Omens.
Mark Shriner
Good omens.
Steve Orrin
Good Omens. It’s Terry Pratchett and Neil Gaiman. And when I try to explain to people why I like Neil Gaiman and really Terry Pratchett as well. It’s a good intro book because it’s it’s a funny take on a fantasy concept of funny take on the end of the world. And so it’s a really good, fun.
Mark Shriner
Read, funny take on the end of the world. Kind of juxtaposition of ideas there. I understand what you’re saying. I actually just read a Stephen King book, and I’ve never read I’m not into horror movies or horror books at all, horror fiction. But he did a historical fiction kind of Sci-Fi book called 11 22 63, which was when Kennedy was assassinated. And it has it relates to a time portal where a person can go back in time and he tries to prevent the assassination. And it’s amazing because he researched so much about the late fifty s and early sixty s, and all these real events were interwoven into the story. And I was like, googling everything because I was like, there’s no way that happened. I’d never heard of that. And it all happened, man. It was very cool book. It’s about 850 pages, though, so it might take you a while. Hey, Steve, I’ve really enjoyed this conversation. I’d like you to so, hey, thank you so much for your time and wish you a great rest of 2023.
Steve Orrin
Thank you so much and thanks for having me today.
