Tooling up to Protect Federal, State, and Local Governments
Our guest is John Zanni, CEO at Acronis SCS, a company dedicated to providing secure backup, disaster recovery, and cyber protection for the U.S. public sector. He shares his unconventional journey into a career in cybersecurity, as well as insights on the unique challenges public sector organizations face when trying to protect valuable assets.
We’ll also get John’s thoughts on threat intelligence, the skills and traits he looks for when hiring, and why he thinks cybersecurity organizations should be recruiting workers from the U.S. military.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 163 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.
Our guest is John Zanni, CEO at Acronis SCS, a company dedicated to providing secure backup, disaster recovery, and cyber protection for the U.S. public sector. He shares his unconventional journey into a career in cybersecurity, as well as insights on the unique challenges public sector organizations face when trying to protect valuable assets. We’ll also get John’s thoughts on threat intelligence, the skills and traits he looks for when hiring, and why he thinks cybersecurity organizations should be recruiting workers from the U.S. military. Stay with us.
John Zanni:
My career journey has been an interesting one. I actually started in the family restaurant business, so by trade, I'm a French chef. In '94, I got a degree in physics and ended up working for Microsoft out of Seattle, Washington. I spent 16 years there in different roles of which the last six were actually related to the startup of the whole cloud business.
After that, I left Microsoft and joined another company called Odin, which was also related to cloud services, and how do you use cloud services to run your business in a secure way. And then in 2014, I moved to Acronis, which was specifically focused on data protection, also on-premise and in the cloud. And in 2018, I started this company called Acronis SCS, which is an independent company of Acronis, specifically focused on cyber protection and cyber edge data security needs of the U.S. public sector, federal, state, and local, education, nonprofit, and healthcare.
Well, before we dig into some of the technical stuff, I can't let it pass that you started out as a French chef. I believe you are the first French chef that I have spoken to here on the show. Can you give us a little insight into that? I mean what was your interest there and then what caused you to shift away from that towards physics in your education?
So we come from a family of restaurant owners starting multiple generations back in Italy, then France, and then in the United States. And when I was 18, my father said, “You can either go to college and support yourself, or you can come and work in the family business and have a great life immediately,” which in hindsight, he didn't give me much of an option.
But I don't regret it, I learned a lot during those 13 years in terms of running a business, and as well as how to interact with customers and be social. How I got into tech is that the way my father did the books — they were literally paper general ledgers. So you wrote down every number in a book and did all the math manually, and that's the time when PCs were starting to become prevalent.
So I ended up writing, over a period of a couple of years, a complete back-office system for the business that we used for years. And after 13 years, I decided I really liked the technology side, and so I knew I needed a college degree to pursue a career there, so I ended up getting a degree in physics because I liked physics in high school. And then I started applying at different places and ended up at Microsoft.
Yeah, it's interesting to me because there are many people who I've spoken to who have an unconventional start before they got into the tech side of things. And most of them say that there is some crossover there. That many of the skills that they learned before they got into the tech side of things really served them well when they did get into the technical field, and it sounds like that was the case for you.
Absolutely. One of the challenges in a technical field is how do you explain technology that can be fairly complex to the layman, the non-technical person, and by having that experience, that helped me a lot.
The second part is, well, today I serve government. There's still a lot of smaller cities, different counties, and even when I was working with small and medium businesses, who run on very tight budgets, as we're learning during this pandemic. Having that experience, I mean, I know what happens when in a month you think everything's going well, and all of a sudden, the water heater goes out and the air conditioner goes out, and now all of a sudden you're short on cash.
And so having that experience and that understanding has just helped me become a better provider of technology.
Can you take us through what your day to day is like at Acronis? What things come into play?
Yes, absolutely. And just for clarity, we are Acronis SCS, so I work specifically with sensitive customers.
Yeah. My day to day focuses on three core aspects. So first, I'm going to start with people — my team. We have about 35 people today, and in a tech company, you're only as good as the people that work with you. And in this environment around COVID-19, it's been super critical to make sure that people could continue to work productively in an environment where we have to be socially distant, work from home, be connected to networks that aren't that secure, deal with the fact that some of my employees are completely isolated, because they don't live with anybody. And some of my employees are overly non-isolated because now they have a significant other, a couple of children and some dogs at home, all wanting attention.
So I spend a lot of time making sure people could be productive and have the right environment so they can be productive. The second part of my day to day is, of course, the day-to-day business. If we don't get revenue, just like any other company, we can't pay the bills and I can't help my employees take care of their families as well.
And so I do spend quite a bit of time making sure that even in this new pandemic, we understand the change in the market dynamics. And there have been some, but for a cyber protection company that includes cybersecurity, it's actually not paced down at all in most areas.
And then the third one is, what's next? Technology develops very quickly. And unfortunately, the bad actors also are taking advantage of this technology. So I spend a lot of time thinking about what we need to build and provide so that we can help our customers provide the right level of protecting their digital lives, not only today and tomorrow, but next month, next year, and well into the future.
I'm wondering, can you share some insights, some of the things that you're hearing from your customers, particularly in that government and federal contracting space, as to how they're handling the current situation, and how they see things taking place as we move towards the future?
Yes. So a couple of things, first, if you look at cyberattacks that are happening today, unfortunately, the bad actors are taking advantage of the situation and we've seen a significant increase in the number of incidents. So for example, even in the last two years, from 2018 to 2019, the number of attacks targeting state and local government and healthcare providers increased 65%. That's an average of three attacks per day, and since COVID that number has increased significantly.
So the first thing to do is really understand how they can protect themselves, given that they have a wide array of technology ranging from maybe the latest cloud technology using Amazon, AWS, or Microsoft Azure to still having a Windows 3.11 on some systems.
And the second really big challenge they have is that where up until March, they could require individuals to work in the buildings, where the networks were and the systems were, that's become more problematic and more difficult. So in isolated networks that were purely air-gapped, now they have to figure out how they can do some of the work with some remote connection and some of the work locally, while not putting their people at risk. And so that's requiring a whole new level of technology to protect those systems. We're spending a lot of time talking to them about that.
I know one of your focuses is critical infrastructure, and can you share your thoughts on where your concerns are there, the things we need to protect against when it comes to things like our electrical grid, water treatment plants, and so on?
One of the trends I've seen is when the government talks about resiliency, they talk about physical resiliency. So what happens if there's an earthquake or a hurricane or a fire? I don't see as much conversation about digital resiliency.
And today we're completely digital in our lives. So just imagine if this pandemic happened 30 years ago — I can exist at work because I'm connected to the internet. I can get Instacart to deliver food to me. So while I'm somewhat inconvenienced, life goes on, but that's because we have a digital world. And to this point, it's been pretty resilient.
Now, let's take the case of utilities, take industrial control systems, SCADA systems. They are one of the top three vectors of attack for bad actors, mostly nation-states, because they know if they broke down the electrical grid, that it would cause chaos, which would allow them to do even more damage. And you can see headlines all the time about attacks on critical infrastructure.
And so what you need to do is really to think about the things that you would do just to protect your own health. So what do you do to protect yourself against a virus? You can get vaccinated, that's prevention. You can get tested, that's detection. You can get medication, if you're sick, that's response. Real-time monitoring, alerting. If it's really bad, you can get surgery, that's recovering. And of course, you research to see how you can make this disease go away forever, that's tied to forensics.
We use the term SAPAS, security, accessibility, privacy, authenticity, and safety. But it really is around the ability to protect your critical infrastructure, so that nothing bad ever happens, but if something bad does happen, you can recover very quickly. And there are a lot of tools to help you do that, we're obviously one of them that's focused on that, that you need to make sure you have those tools along with the people in the process to have that digital resiliency.
Personally, I find that to be a really helpful analogy, comparing cybersecurity to public health. Specifically in that, when you think of something as simple as a common cold, I can do all of the things to help lower the chances of me getting a cold. I can wash my hands and be careful when I sneeze and so on and so forth.
But every now and then I'm still going to get a cold and the people around me are still going to get colds. And so, like you say there, I can try to be healthy in other parts of my life. So if I get a cold, it's not going to take me down the way it might if I were less healthy. I find those to be really helpful analogies, so when it comes to cyber resiliency.
Yes, exactly, and I'll bring up my father again. He's 90 years old and he loves giving me advice. I think he thinks I'm still 18, which is fine, I love him dearly. But one thing he told me and repeats constantly, he says, "John, no matter what you do, you're going to end up in the hospital at some point. So you better make sure you have good insurance." And the point is, and of course, in terms of our health, it's just that we're all living longer now.
And because we're living longer, a lot of it is due to the advances in medicine. It means that our body tends to break down and then we have to go fix it. Cyber resiliency is the same, you can have the best antivirus and anti-spam and anti-ransomware solution there, but something will go wrong.
A system doesn't get updated, a user clicks on a link they're not supposed to click on. Somebody leaves a laptop in a bathroom at the airport, and it's not locked. In those cases, you have to have a good backup and recovery solution and for critical infrastructure disaster recovery solution, so that you can lock out the bad actor and get up and running as quickly as possible. And that's what emergency rooms are for and hospitals are for.
I want to get your take on threat intelligence and the part that you think that plays in an organization's preparedness and defenses.
It's key and critical to do that, and one of the prouder moments I have about our society and specifically the cybersecurity world is that even competitors are willing to share threat intelligence because they know that by pooling the information we learn, we can stop bad actors, which helps all of us.
So what that means is if there is a concentrated cyberattack in California, for example, and we find out about it through one of our threat intelligence sources, now we can make sure we let all our customers know that are in California, that they need to be careful, and their systems are up to date and what to watch out for.
And if we catch something going on in Washington, D.C., and we share that information with other cybersecurity vendors, they can do the same for their customers, collecting threat intelligence and then communicating that out is critical. And of course the government, the U.S. government plays a key role there because they have access to a ton of data that they can also share, not only with other agencies, but with everybody.
Well, what sort of advice do you have for people who are looking to get started in this industry, either coming up through school or maybe thinking about a career shift — do you have any tips for them?
I do actually, and it really depends on what stage they are in their life. I'll give you an example of what we're doing to help people enter the space. And the reason we're doing it is a little bit selfish, but also not so much. I had to hire a lot of people very quickly in 2019. And before March unemployment was near zero. And even the data shows that today there's over 400,000 open ... Actually I take that back, before COVID there were over 400,000 open cybersecurity positions in the United States. Since COVID that number has increased to over 600,000.
So there's a shortage of cybersecurity experts. The way I found them is I hired a large number of U.S. veterans. So close to a third of my staff are U.S. veterans. They have a natural ability to perform well in cybersecurity-related tasks. And so we created a foundation called Acronis SCSVets that was specifically designed to help transitioning veterans enter the cybersecurity space. In that case, it's a 12-week course, you get certifications with CompTIA that allows you to get entry-level or mid-level jobs in this space.
So all of this was a long way to say, if you need a job immediately because you have a family to take care of and you want a sustaining career, look at some of those cybersecurity certificates from CompTIA. There's plenty of training companies around the United States who can provide that training in a 12 week or so period.
If you have more time, I would get a two-year or a four-year degree. And if you're a U.S. veteran, then please contact me because we have ways that through grants and donations, we can help veterans and their spouses get this training for free. Can't do it for everybody, I'm sorry, but I can at least do it for U.S. veterans.
Well, it's interesting too that you have experienced this value from veterans, but you yourself are not a veteran of the military, correct?
Yeah, that is correct. But if you think about it, most jobs out there are first in small and medium businesses, and second in organizations that are not owned or run by U.S. veterans or have the ability to have a special department within HR focused on U.S. veterans.
And so it took a little bit of learning to understand how to integrate that culture into a commercial culture, that it was absolutely worthwhile. And that's why I created this foundation because I think U.S. veterans are an untapped potential within the United States and military spouses for that matter. So if I can do my little part to really take advantage of that resource, to make America have the digital resiliency it needs, I should do it.
Cybersecurity and digital resiliency can be overwhelming. Unfortunately, there isn't clear guidance around how to protect your systems, and then they can be pretty complex, but you need to get started somewhere. And so I would suggest to people listening to this — find an advisor or a vendor that can help you, that has some tools and some training that can get you started.
And really the three things to focus on are making sure you can keep your system up to date, you have a good antivirus, anti-spam, anti-ransomware solution, and you have a good backup and recovery solution. If you've done that, you're 90% of the way there.
Our thanks to John Zanni from Acronis SCS for joining us.
Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.