The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

40. Jose Arrieta, Imagineer, Former Chief Information Officer and Chief Data Officer at US Health and Human Services

Hello everyone, and welcome to another episode of the security podcast in Silicon Valley. I'm here today with a very respectful guest, Jose Arrieta. Welcome to the podcast. Oh, hey, John.

Thank you. Thanks for having me on. Always good to chat with like-minded individuals. Yeah, there's just something about like us crazy security people.

So I'm really excited to have you on the show. Thank you so much again for joining. Thank you to all of our listeners for tuning in as well. And I'm just looking at your LinkedIn.

And you have a really interesting background. Well, look, man, I appreciate it. My hair wouldn't be gray if I didn't have all the fun I had doing those jobs that you see on LinkedIn. So I guess I do have that blessing to count on.

You spent a good chunk of time in government. So you helped with procurement back in the day, and you helped with the TSA as a program manager, and you worked for the U. S. Department of Homeland Security, industry liaison.

Awesome. You were a director of small and disadvantaged business utilization in the U. S. Department of Treasury.

Oh, go ahead. Yeah. If you think about the operations of government, right, it's fundamentally balancing these forces that never quite fit together. Right.

So you have all these procurement rules and that and you have to follow them, procurement law. But you don't just do contracts independent of anybody. Right. You do them with industry partners and they have certain things that drive their costs.

And then in the federal system, you have socioeconomic goals. You want to drive dollars to small business. You want to create a competitive small business base from a national security perspective. That's really important.

So you've got to take into a Cal small business. So if you look at my background, right, I've built requirements, which is how do you shape requirements so you can maximize participation from the industrial base? I've entered into contracts, very large dollar value contracts. I think the largest one I did was a billion and a half with industry partners who actually deliver on that mission.

And then I tried to shape small business policy because one of the things I thought was really important when I was doing that job is that we reward companies who are reinvesting in themselves to deliver capabilities for us. And that was a part of the policy that I felt was left out in the procurement process. And so I tried to serve in all of those roles because I felt like that's the way you could fundamentally change the system. Right.

And there's some really cool missions when you think about Homeland Security, just as an example, if Homeland Security was easy, a private company would go and secure the border. If there was an easy return on investment to calculate. But there's not. It's a tough challenge to deal with.

And that's a space where government has to step in and through policy and investment actually drive an outcome. And so you get into these really 40 challenges that government should try to solve. And I found that very fascinating. So that's the arc of my career.

And they just kept kicking me out of jobs. And that's why there's so many different roles on the LinkedIn page. You were also, you dipped your toes into the academic space a little bit too. You were an adjunct at Prince George and at University of Virginia too.

Yeah. So when I was 29 years old, I always wanted to get back. I had a lot of people help me in my life. I never met my father until I was maybe 25 years old.

And my mom really struggled when my mom and dad separated when I was very young. And we had a lot of people help us. And so I thought that academics would be a way to get back. I'm not an academic, but I taught at Prince George Community College and created some of the first courses around at Johns Hopkins University.

And if you can teach something, you learn more than you actually provide when you teach, right? And it became just a really energizing activity teaching at UVA and Prince George's Community College and Johns Hopkins University. So I really enjoyed that. Actually, that's the thing I missed most.

I stopped doing that right after the pandemic. And I missed those interactions and engagements. All the ideas come from folks that are in college and have all that free time to create. Yeah.

They're not stained with the conventional ways to think about how to solve problems already. That's where I think a lot of creativity actually comes from. Yeah. And they're not afraid, especially if you create the right environment.

They're not afraid to challenge the status quo. And in an academic environment, when you're not measuring return on investment, where you don't have like broad, like presidential policy issues that are smashing together in the middle of an election year. You can really explore some of those solutions. They also don't need huge return.

So you can get folks who will try something that's really interested and they're not focused on, you know, what the return on investment will be in two years. They're focused on a project. And some of those things snowball. And in many instances, I don't think they would ever be invested in if it wasn't a college student, a college entrepreneur that was just interested in a topic.

So it's a it's a unique storm, so to speak. And you do brand yourself as a security professional. I see at least just glancing at your LinkedIn. It feels like that.

Not just branding yourself, but you actually are. And you were the chief information officer at the U. S. Department of Health and Human Services.

Yeah. So I was the CIO and chief data officer of HHS during the pandemic. And there's a really interesting Bloomberg documentary out there that just came out like a week ago that really, I would say, thrust me into the middle of the security conversation. We experienced what I believe was a nation state cyber attack on health and human services during the pandemic.

And if you watch the documentary, I believe it was a mapping activity. Right. I believe it was a DDoS event. It was it appeared to be an amplified DDoS attack.

But it was actually to map our interconnectivity within the broader health system. Right. Because HHS is about two trillion dollars a year in the health system. The health system is 30 percent of U.

S. GDP. Mapping that at the beginning of the pandemic so that you could see where capital was going to flow, whether it was payments, contracts or grants. If you look at HHS, two trillion in payments, a trillion in grants, 26 billion in contracts and completely disconnected from the rest of the world.

Right. The health sector is there to service the domestic market. And so, yeah, I really got a lot of exposure to security through that. Also, early in my career, I built out enrollment vetting adjudication and redress systems to actually identify terror threats around the world, leveraging kind of integration with derivatory databases.

And so we were post 9-11, we were trying to identify terrorists that were entering into flying over or trying to gain access to work in the United States in certain domains. And before Facebook knew you had a dog or that there were a million people on the platform that had dogs and they were marketing dog food to them. We were building vetting tools to actually identify terror threats before they entered into those domains so that we could remove them. So my background is really, from a security perspective, it's very much data focused, extremely operational and kinetic.

Right. We're talking about taking like security and mixing it with a with an operational force that's going to physically remove somebody from an environment. And so that's, I wouldn't, I'm not a security professional like yourself. I do have a kind of unique experience from a security perspective.

Yeah, definitely. You connect the cyberspace with the kinetic space. That's powerful. The other thing that I was really passionate about at the Treasury, and I want to bring this up, John, because I think this is really important.

And we talked about it a little bit at the beginning, the industrial based piece. When you, I did a research project on my own volition when I was at the Treasury, just something interesting. I said, where does foreign direct from a country in Near East Asia, where does the predominance of their foreign direct investment go? And it was very fascinating when you put it on a map at that time about, and this was probably 2014.

At that time, 90% of their foreign direct investment went into seven or eight countries. And if you drew it on a map, it encircled Japan. And it was the first time I looked at it and I said, well, that looks like a private equity rollup. Right.

And so, so how do you like, if you have this robust industrial base that creates ideas, that creates like these unique capabilities, how do you protect that industrial base without overburdening it with taxes, without overburdening it with costs so that you can compete? Because, you know, when you look at U. S. strength, we always talk about our military, but the, you know, the economic base is what actually supports that military and gives that military the ability to invest in new technical capabilities.

And that's really what you have to protect. And so that's another area that I think of security that's less talked about. We talk about securing a software, we talk about securing an airport, but how do you like create security around an industrial base to protect the fundamental beliefs and values of a country, of a democratic society? And those are some areas that I'm really passionate about, I think are really important and we need to focus in on more.

Really high level questions too. It's very like a bird's eye view. So oftentimes I'll bring in a founder and they're focused on one very specific small piece of the security puzzle, which is very important pieces, but like it's a very zoomed in view. And this is refreshing because this is like taking a step back and looking at the bigger picture.

And it's important. And please disagree with me. And I encourage it if I'm wrong. But when I look at AI, right, and everybody wants to talk about artificial intelligence, the thing that kind of goes bonkers in my brain is how are you securing the identity?

How are you creating an identity for each data asset, for each data set? It's pretty clear they're not doing that. Right. And look, the Times is now suing OpenAI and Microsoft because copyright violation, I guess is what they're claiming, but it's going to be difficult without data that has been properly identified from its source.

Right. That's right. Right. And if you just peel that back, right.

And I'm just going to touch it because this is such a deep topic. But yes, if you peel it back, we're talking about modern micropayment solutions. We're talking about completely disrupting electronic health records. There's so many new, and that's not OpenAI.

That's not like artificial intelligence. That's creating that foundation so some of these capabilities can truly scale. And I know it's not sexy, but when I think back to my time at Health and Human Services and some of the things we tried to achieve there, in particular with blockchain technology, which I have scars I can show you from trying to distance one of our business units, about a $27 billion a year business unit leveraging Hyperledger Fabric. The data question is the most important question.

And the ability to provide ownership and the ability to provide a history in just part of the duration history. Right. But it's not the sexy topic that everybody wants to talk about. Well, maybe not.

It's sexy what you can do with it, maybe. But it's not maybe sexy how to get there. Yeah. And it's hard to explain, right?

If I said to you something like, hey, man, you're implementing an EHR. I'm not going to name anybody. But you're implementing an EHR. And it's going to take you three years to build out a new care flow or a year to build out a new kind of way that you're going to care for somebody.

And it's going to take you three months to integrate a new data asset. I can do it in a day and I can build the new care flow in a month. That's a fundamental change that significantly drives down costs. That improves your ability to be agile at the edge.

And now it opens up the ability to leverage data and creates real interoperability. But that's a tough thing. It's a tough kind of sales pitch, right? And for a technologist, it may not be.

But for a hospital administrator, for the CEO of a health system, that's a tough pitch. Well, I imagine it's funny. And in terms of computers and machines, they always do what we tell them to do. And the tricky part in instigating change or having a real impact, I always think is like the human side of things.

Adoption. Like, how do you get something adopted? Like, why are people going to use that new thing? You really like 10x better?

I want to hit this for a second. So you're a cyber guy. But let's imagine that you experienced a massive cyber event. Okay?

Sure. And from a data perspective, when you look at what you log, it appears to be an amplified DDoS attack. But that's just what you log. Because when you look at your stateless layer and your stateful layer, at a stateless level, you're not collecting certain information.

Now, so if you go back and you investigate what actually occurred, you only have what you collected from a data perspective to evaluate. But it doesn't align with the broader activity that maybe occurred in that environment. Right? And it makes it really challenging to have a real discussion about a cybersecurity threat.

Yes, it does. And then you add into the fact that there's political complexity. And now you're in a situation where what is reality? And the guy like you that's on the front lines, or me, that's on the front lines of that engagement, there's a reality that's different from kind of other folks that are actually zeroing in on that from maybe a mile away.

And that is a very difficult challenge, right? And you have to have amazingly thick skin to deal with that. Absolutely, you do. And then the question of what is reality?

I think as an operator, a practitioner, cybersecurity, like someone who's close to where the rubber is hitting the road, you have to be very careful about what we don't know. It's almost like as important about what we do know. So what we do know, we can say, we can articulate inferences, or we can suggest what has happened with the gaps. Like we're human, and our brains are very good at just filling in the gaps.

And we do this through almost unconsciously. It's very difficult to notice that we do this, but we do this as humans. We all do this. Where we're filling in the gaps in order to make sense of things.

I don't want to say we make stuff up in our head, but our experiences help us understand the facts that we're looking at. And they also help fill in the gaps that are missing. So depending on where you're coming from, and like your motives, and your personal experiences, and different feelings that we have about different things happening. Yeah, I could see how that is real money.

And then you bring a diverse group of people together. You're going to have all sorts of interpretations of the facts. And the things that are missing are going to get filled in with different shades of color, depending on what those experiences like. And so just being an operator, you have to be like very self-aware.

You have to be aware that no information really does mean no information. And does it limit like what we can say has happened? Yeah, it does. It does.

It just means we don't have the perfect story. But if the evidence is there, we can articulate what that might suggest. And you can see things in real time that maybe you aren't recording because an investment wasn't made. And it's just that security is a tough field.

It really is. In terms of that breach, was there any single lesson learned that you took away that you're going to bring with you for the rest of your life forward and to all of your other gigs and perspectives? It's a really good question. I have been up to that point.

I had been obsessively focused on creating identity for data assets and data sets and being able to have a record of provenance of how those data assets and data sets were accessed and utilized. And I think one of the things that I realized during that event, well, there was a couple of things. Some of them were pretty basic. Like one, your NOC and SOC have to be fully integrated.

And investing in them and not integrating them is just really a giant weakness that you're creating. You can't have a conversation on two or three phones all at one time. But I think the second thing is that, you know, I always use this analogy when I describe this, is that when the Lakers had Shaq, when the Orlando Magic had Shaq, everybody tried to find a big guy that was big and quick and could match up with them. And then teams realized if we hire five shooters that can really shoot the lights out and make him run all over the place, we have a better chance of beating him because he's a unicorn.

And so I think that what that event made me realize is that distribution of control, distribution of identity to the lowest level is the best way to deal with a large kind of centralized entity that's using a bunch of computer capability to overwhelm a network, embed themselves in an environment and understand how it behaves. So if you change the way that you interact with them, then they have to change the way they interact with you. And it's better to be the aggressor on that side of the tape. I think that was the two biggest takeaways.

I think the third thing is that, and I still don't know that I fully understand this, but it's very hard to have an open dialogue and just say, yeah, I think that there were two nation states. I believe it was one of two nation states that attacked us. And to marshal the computing power for a million computers in 164 countries to basically focus all of their activities on a very specific point, one of the largest internet surface areas on the planet for a period of 36 hours, and foul and foul the changing of that network's behavior in real time, literally foul it as we changed behavior to deal with this event, that's a nation state. That's not some researcher in a basement.

That's not. And it may be an easy thing for my mom and dad to read in a newspaper and say, oh, some researcher in a basement in an Eastern European country. But in reality, that is not those types of behaviors. That's very complex and had to be done by a nation state.

And so let's create tools that if you don't have legal offensive capabilities to deal with a nation state, which we didn't, obviously only the National Security Agency does, then let's create tools that give you the flexibility to defend yourself in the event of a large action like that. Or let's build an architect in a way that makes it very difficult for a nation state to focus in on a single point. Yeah. I like your, I like that those lessons learned.

I especially like that sentiment of designing a system using almost the same principles, delegate and trust, right? Yeah. To decentralize things. Yeah.

Yeah. And I'm not advocating for putting the entire healthcare sector in the United States on an interoperable, on some type of blockchain platform. But how do you delegate trust? And let's realize something when we talk about it.

Decentralized trust, right? Yeah. How do you decentralize trust? How do you make sure that there's delegated authority within the organizational structures?

But realize something else. And you may have had direct exposure to this. As a private company is going to secure itself, it has all these incentives to do that. Apple, as an example.

A federal agency is going to secure itself. It has tons of resources. It should have a lot of resources to do that. And they're big organizations.

But there are, there are gaps, like in an industrial base, right? Where there's really no incentive to secure in those gaps, right? And so I was talking to a venture investor who invests in cybersecurity startups. His name is Ron Gula.

He sold Tenable for about a billion dollars. And I was talking to him one day and I said to him, I said, he's investing in NGOs that fill those gaps between government agencies and private companies. In NGOs, really? That's interesting.

Yeah. Because if you create a standard framework where threat information is shared, right? So if you have two agricultural companies and they're both dealing with cyber attack, which we, I anticipate, Maslow's hierarchy of needs, let's focus on the food industrial base, create distrust for domestic population and the food industrial base. That's a really interesting attack vector that I think if you do some research on, you'd see some adversarial nation states are focused on that.

Well, one food company A and food company B are going to secure themselves. But how are they sharing that threat information? How are they interacting with one another? Do they have an incentive to do that?

Not really. Well, that's a gap, right? That creates a real opportunity. And so I was talking to this venture investor and he says, I invest in cybersecurity companies, but I also invest in that gap via NGOs.

And I said to him, I said, Ron, you can invest in 50 companies, but in investing in that gap, you could create a foundation to create 22, 000, thousands of companies in the future. And he goes, yeah, he's, and that's the foundational kind of infrastructure that needs to be put in place to secure an industrial base of a nation. And I think it's just a very fascinating thing because it's not what you'd originally think of when you think about cybersecurity. Right.

No, I totally agree. There are certain problems that you join forces, you actually have a shot at solving, like once and for all. And you don't have a single point to failure. You don't have some ginormous, like entity that's responsible for everything under the sun, like identity and you connected identity to data.

I think those are like the two biggest hot button topics because identity is just the answer to the question, who are you? Right. It's so simple. We think of it as such a simple thing.

We don't even think about it in our daily life because we can look at each other and oh yeah, this is Jose and it's John, whoever, but in a computer system, all of this data, right? There's the data, all of this data, where did it come from? Who owns it? That's what the New York Times is upset about with OpenAI.

That's right. Just to connect the dots there, right? And that's also, that is maybe extremely valuable. And every time that I set up a cybersecurity program or a SOC 2, you know, it doesn't matter the size of the company.

Be a small two-person startup or like a ginormous industry that's been around forever. It's always, the same question always comes up is what data do we have and how are we answering that tough question of these users and these systems, right? To each other. And then how do you preserve like accountability and every layer of security?

If you think about it, in the center is that data. And that's right. That was incredible. That center is data.

And every layer around that data is just designed to protect the data. The data is everything. I don't think like the CPU system, it has some value there too. But especially with Bitcoin, you can mine some stuff if you get access to some CPU.

But like the real goldmine in cybersecurity, it's the data. It's the data. You know what? It's fascinating because you're in an area, obviously, that I find fascinating.

If you think about Bitcoin or you think about the Ethereum network, you're validating something. You're authenticating something by getting two endpoints to agree on it in some semblance to or more. That's right. Right?

That's right. And that's a very kind of costly set of check and balances. One of the things, and I'm working with a fascinating startup. I will connect you with these guys.

I think you'll find it's really interesting. Oh, name drop them. What's their name? It's based on Toronto and it's called Todaku.

And I was exposed to them a number of years ago. And what they're doing is they're creating a record of provenance of the data asset. And they're using rigging to make the data asset portable across platforms. Oh, nice.

And so I did a, I made an investment at a university to create a data asset, create a digital twin, a software-based digital twin of a functioning piece of hardware with a secure root of trust, whatever. And then I wanted to create a representation of carbon emissions reduction data that could be portable across multiple platforms and could happen at a very low cost. And you could authenticate the data asset without the kind of infrastructure that you would have to put in place for blockchain. I think there's some really fascinating disruptions, whether it's this company or someone else.

I think there's some really fascinating disruptions that will happen in that space in particular. I don't know if you've had any cool exposure to anybody that's doing anything like that, but you know what? Actually, the startup that I had the great honor and privilege to lead, Peacemaker, we were a startup that product that we brought to market was an end-to-end encryption as a service. But as we built it and we started to sell it, we realized like actually what it was, data lifecycle management, almost like a form of control and verification, not repudiation of all of your data.

And as data flowed from one system to another, you could keep track of it and you could see who was trying to access your data because you could only access your data underneath our API. It was all open source and so you could call or request the keys to decrypt this data, but then the data owner had the ability to see, A, who you were, B, whether or not they wanted to share those keys with you. So it was quite interesting. Yeah, and so imagine if you, let's just deploy that since you have some background there, right?

Imagine if you go into a nursing home, a hospital, and you have everybody's, you, between the hardware endpoint that's collecting the blood pressure and the EHR, whatever, that's managing the overall record of patient care, you had this ability to transact for that data. And even, let's say it was a half of a penny, right? Well, now what you've done is you've enabled the patient to share information about themselves with multiple providers that maybe have a different spin on how to take care of them, how to get them healthy. It may not be a great business use case, but think about the disruption that drives in the marketplace, right?

Or creators, people that are writing a song or creating content. You talked about the New York Times earlier. Well, now you have the ability to maintain ownership of something forever and you can engage in a microtransaction and there's a record of the fact that you created that content. That fundamentally distributes authority and value throughout an ecosystem.

And I think that's a democratic principle and I think that's the next wave of transformation in industry. I don't, and I'll probably get shot in the head for saying this, I don't think it's AI. I don't think it's large-scale centralized artificial intelligence capabilities. I think it's an investment and kind of identity around data assets and data ownership that powers all modern AI platform.

So it'll be interesting. I could be way off and wrong. I don't know what the economics of doing what I just described is, but I truly, I believe that's the way that you compete with a system of government that is more centralized, that is more top-down driven, that is more authoritarian. And I think it aligns with kind of some of the fundamental constitutional values that the forefathers of the United States established as well, right?

And so that mixes in kind of that not to sound like, you can see the way I'm dressed, right? I'm not a political, but not to sound like I'm running for public office, but I think it fits in with the fundamentals of the country at the same time. It does. I could totally see that.

And I appreciate that you have spotted and identified and are thinking about and mauling over and investing in like the solutions to the underlying problems that no one competencies. Like they, well, because AI is cool on the surface and it's whiz-banging. Look at that. Look at, it's talking.

Like here's a computer that's knowing, that knows how to talk and it's, well, what is actually happening there? It's exact. Right. And there's a lot of like grit that's underneath the hood that doesn't align with how society works, with our idea of ownership, of our idea of like content creation or attribution of like credit.

But if you do make, if you're Madonna and you make a really awesome hit song, like you would like to get paid, right? You like, you'd like to have your name attached to that. One of the, if you look at like the fundamentals of a democratic society, one of the fascinating things, and you can read this, it doesn't matter, is can you own property? Do you have a right to intellectual property to things that you create?

That's how you spread wealth. Yes. And these are like some core fundamentals that have to be deployed in and architected in these new technical solutions that are being delivered for mass consumption across the U. S.

And I think they're really important. Yeah, I couldn't agree more. What did the AI accept an amalgamation of everything that you have ever said publicly and everything that I have ever said publicly or written, thought about, or that all of us collectively have come together and we have birthed AI together. It's not like some one person is responsible for all of the creative energy.

Yes, there are a group of people that have put it together and have figured out the mathematical equation of how to represent all of us together at the same time. And that's why this thing can speak all of these different languages, because we all speak these different languages. And that's why this thing sounds like us, because it learned from us. these sets of words, what's the probability that the next word is going to be this?

And that's all it's doing. It's given all of this context here. All right, we can reduce human language down to a set of probabilities and here they are. Given all of the stuff that has happened, what's the probability that next word is going to be X?

It allows you to test some different things. So I'll tell you, I don't really have a normal life, right? Like a normal job. I think that's a good thing.

In fact, I wanted to ask you because you call yourself an Imagineer now. You are an Imagineer. Yeah. When I resigned from government, which was an Imagineer.

It just sounded like a cool name. That's awesome. Yes. When I resigned from government, I needed a, I don't think I was in a mental state to actually work for an organization.

And I, so I'm like, I should probably register a company and I just needed a name and I called it Imagineer. And I really just wanted to work on some really interesting, cool problems. And I thought to myself, I want, I don't know if this is possible. This is in 2020.

I'm like 38 or 39 years old and no job. And I didn't have a plan and it's the middle of the pandemic and I resigned. I'll just say that I resigned and, and I, and I found this company and I said, I'd really like to connect docs. And I don't really know how to make money doing that or even if I will, but I think that would be really cool.

And so I'll give you an example of some of the stuff. So I mentioned like the security of trust, creating a cryptographic wrap of carbon emissions data, making it portable, leveraging kind of the concept of rigging a multi-platform so that you can say, Hey, we can incentivize carbon emissions reductions, not create carbon credit because as you remove carbon, the carbon credit becomes worth less, but maybe fuel the carbon offset market, leveraging that type of technology deployment. But then some other really fascinating things came up. One of them, for example, right now, I took a company called Avelino, which is based up in the Bay Area.

It's a testing company and I went into a nurse, I just called a friend and I'm like, look, I want to test the wastewater in the nursing home. I want to identify COVID, I want to identify a C. difficile and then don't ask me how I found these things. But so, and then I'm going to test the wastewater for a month or two and then I'm going to feed them high IGY to feed the patients very high IGY eggs.

IGY is an antibody that creates resistance against pathogens. That's why you eat eggs, right? Well, imagine if you had an egg that was 25% higher IGY than anything you could buy in a grocery store right now. Somebody stumbled across this concept during COVID and now you can create human resilience to pathogens on the basis of the food you eat.

Wow, that would be a fundamental shift, right? And so, there's a project that I'm working on doing that. So, I'll give you one other one that I just find really interesting. From a healthcare perspective, the way that kind of drugs are determined safe or not is they test large groups of populations and as long as activity occurs within the norm, they're protected from a legal perspective.

What if I could test based on your genetic makeup? What if I could be that personalized? Did I just fundamentally shift the legal structure of the health space? Because I have a personalized, identified genetic structure of your body and I understand how you react to specific pathogens and I understand how certain antibiotics, certain foods actually create a counterbalance to whatever that pathogen is that's very specific to you.

And I can manufacture that real time and I can provide you with a medicine that meets your needs. Now, that fundamentally shifts the legal structure of that entire industry. And so, those are the types of things that I've been working on since leaving government. I'm working on this right now.

Imagine if I could take and develop an understanding of your skeletal makeup using computer vision so that I could deal with pain management. I could alleviate pain on the front end. Now, if you went in and you went through all these tests to determine your musculoskeletal structure, it would take a couple days and you wouldn't even come in and see me unless you experienced pain, which at a certain point, the pain would be extreme. What if I could do that on the front end as a part of your checkup?

And I could tell you like certain issues that you had in advance and behaviors that you could engage in to eliminate them long-term. How much value would that drop? Right? High weight, blood pressure, and skeletal structure imaging.

I love it. So, those are the types of things Imagineer. That's very creative. So, is your involvement, do you jump into startups and advise or do you get your hands dirty and a little bit of both?

It's both. So, I jump into startups and I advise, I work with a couple, like a quantum optimization company now that does, they did 14. 9 quadrillion combinatorial computations in 27 seconds and you know what that means from a, right? Kevin and I worked with Kevin and learned how to I work with American Binary too.

So, on one side I do this advisory work, with, I mentioned like a couple of the companies and then on the other side I actually go into integrate technologies and serve more as the kind of integrator of putting the pieces together and try to solve specific problems, right? And so, and I've somehow, when the kids still eat food every day and go to school and everything, and sometimes I've survived this way for the last three years. Good for you, man. Like, I think that sounds like the dream.

It's been amazing. When you have a government job like I had, I think I was overseeing a trillion in grants and $7 billion in technology investment. And at some point I just started focusing on the technology aspect, but I had both jobs for a period of time. You really have no life.

There's a lot of kind of things that you have to do because the bureaucracy demands it. In this kind of lifestyle, I've got to spend a lot of time up mentally on myself and like really thinking about what I want to do, what excites me. And I've also got to spend an amazing amount of time with my kids, which has been a blast for me. Me in particular, having never met my father, I love pulling my kid out of school.

The last period of the day is study hall and I pull them out of school and I played college basketball and I coached a traveling basketball team for a while early in my life before married and kids. And they practiced like 11 months out of the year, traveled 11 months out of the year, three weekends a month. All of them almost played college, almost all of them played college basketball. And now I'm like working on my son with some of those fundamentals.

That's amazing, right? So to be able to do those things has been incredible. No, that is awesome that all of that has come together. And so if you fast forward into the future, like just like for yourself as in this new role where you're engaged in all of these different dots and you see them starting to come together and connect and you're there at the epicenter to help steer all of this change that you believe is needed in the world that you can see is coming and is inevitable, what does the success look like in that world for you?

Yeah, it's a good question. Continue. Like it sounds like it's more about the journey. I, I, there were three times during the pandemic where the, my team at health and human services whom I adore said, are we going all in on this?

And I'm like, we are all, and the last time I said it, it's a, it's another story, but the last time I said we were all in there, you could get fired for making that call. And I'm like, I'm comfortable with that. I think it's the right call for the nation. We're all in.

And what I realized, and you go all in on stuff, the journey itself opens another door to you, right? And the, I don't, the outcome of some of those decisions isn't the thing that I glorify. And if we ever had a beer, would love to tell you about, right? I would love to hear it too.

It's the journey itself, right? And so for me, I don't know what's next. I have a concept around significantly disrupting the EHR space where I'm piecing together some technical capabilities and I'm going to try it. I have another concept around building a large service provider in the federal space.

And I think I have a lot of knowledge on how to build to a certain amount of scale and then buy companies and integrate them. and see if you can really cut out the wrap rates associated with the large integrators and you can really compete with them on that scale, leveraging AI to automate a lot of the backend services. And how I got to this point was different concepts and ideas that kind of branched off into different things. So I'm just going to enjoy the journey as long as I can and try to just continue to work on things that fascinate.

Right. Do you have a partner that you do this with? I have a number of partners that I've been. I've met a lot of wonderful people since I left government who have just become amazing mentors and I'll partner with them on different things and I learn as I go.

I'm not, I'm not, I've never raised money before, but. Yeah, I was going to ask if you, if any of that was ever involved, if you had a raise or anything. I've never personally raised for anything. I don't even know how to do it, but you mentioned American Binary and I made a Foco and helped them raise money right when I left government.

Had no idea that it even occurred. I just believed in Kevin. I thought he was fantastic. I'm for the securing like an advanced pharmaceutical manufacturing base and creating like a distributed capability to look into inventory management.

I'm in the process of helping somebody raise some capital to deploy that. Now they're sitting on a pretty large contract, which makes it easier. So I've just, I've learned from different partners and yeah, no, I've, I just, I don't, but I don't have a partner that I work with. It's like I've just more been learning from.

It's decentralized, very collaborative and very friendly, but very decentralized too. Just like you're. Yeah. There's people from around the world that I've never met other than video that I've been in contact with for two years and mostly in this hemisphere.

So it's, I, I, I like that, right? I think that's the way that you learn and grow and we'll see where it ends up. And I'm not too worried about it at the moment, but you never know in a couple months I might be freaking out. I think everything ebbs and flows a little bit and it's good to find that balanced spot too.

If you could go back in time and I'll let you decide like how far back in time you want to go for this one. If you could go back in time and meet your younger self, any age and share a piece of advice with your younger self, what would that be? Would you take that opportunity and what would that be? When you grew up and you don't know where you come from, you spend a lot of time trying to understand it.

And I spent many years trying to like, I never met my father, maybe talked to him on the phone twice. And I spent a lot of years trying to figure that out. And it's interesting. I moved to Washington after 9-11, I was like, all right, I'm going to be a grad assistant basketball coach.

I'm going to move to Washington and do something to help the country. I have a weird health issue. I couldn't join the Marine Corps. And so I figured I'd probably serve in other ways.

Serve in other ways. Yeah. And I decided to get my master's degree. The government offered to pay for it.

And I met my father right before I took the GMAT. And it was amazing how my brain just was able to unlock and fully engage and immerse myself in other activities once I met him and understood that. And if I could go back in time, I would tell my younger self, don't worry about that. That's not a problem that you have to solve.

Focus on the things that really help you be you. Because I spent a lot of time trying to understand that. It's weird when you look in the mirror and you're like, you have no idea on one side of your family, but you have no idea of the other side of your family. I think that would be the one piece of advice that I would give myself.

The other thing, and this is funny, so I actually used to be a developer and I built like this interface, the insurance, the states received a ton of money, the state of Pennsylvania from the tobacco lawsuits. And the state of Pennsylvania decided to deploy it for healthcare for underprivileged populations. And I built like the interface for the poorest county in the state so that they could enroll people in what they called adult basic insurance. And interestingly enough, I would have had a double major, but I dropped out of the computer science class, the last one that I needed because it was at 8 a.

m. on Friday, my senior year, and there was no way I was waking up to take that course. So I probably should have just toughed it out, slept after the class. But those are the two, one a little lighter and the other one a little heavier.

Um, no, I'm sure that your younger self would understand that all the advice comes from a place of love and just wanted to see your success, yourself be successful. There's also another point where I've never, I asked that question to a lot of folks and I've never heard anyone tell me like, no, I wouldn't change anything. I wouldn't go back in time to give myself advice, which I find really curious too, because I also feel like the things that happened to us or the things that we do that have led us to this point are really special. Even like the mistakes that we make along the way, they're part of our learning and they're, they're really part of what makes us who we are today.

And I think that you're pretty, pretty interesting guy and the world is a better place with you in it. And so I have nothing about all of the gratitude in the world for all of the experiences that you've gone through. And that now you're in a place in your career where you're like, you're giving back to the community and involved and you're clearly a leader and a visionary and imagineer and all of this other cool stuff. It's just the other, that's the flip side of the coin too.

Yeah. It's interesting. Like it's just meeting your father, right? The first time that was tough, right?

That is the full thing to do. And, but there are, and it makes other things so much easier. So one of the, one of the fascinating things that we had to do was we had to cut over the reporting of the, all the hospitals in the United States. We had to cut over from, there's 8, 000 of them.

We had to move 3, 000 of them were reporting into kind of one mechanism. We had to move it all into one. And we were told on a Wednesday, we had to have it done by like Friday. And I'll never forget the, or Monday.

And I'll never forget before we went live. They're like, are we really going to do this? And I was like, yeah, like we're going to go live tomorrow. And you're going to transparently share all the data.

And everybody's like freaking out. And sometimes you just got to rip the bandaid off. I'm like, and now in my mind, lesson learned, right? In my mind, once we go live, I'm assuming the cutover is going to have some issues, but we're going to go live.

We're going to make all the data transparent. And then now you have the largest open source project in the history of the world focused on health. Where are the data inaccuracies? You just employed the entire health system of the United States.

I didn't realize how political that would become, but. I think it was the, I think it is the right thing to do. Right. And so to your point, if I hadn't gone through some of those tough things in my life, would I've made that call?

I don't know. But we need challenges that we face. They shape us. They shape you.

They make you more comfortable with risk. They make you more comfortable with pain. Navigating complex issues. It's not like right and wrong.

It's just challenging. And when you're being challenged, you're learning, you're growing. And when you're learning, you're growing, you're becoming a better person. And yeah.

And do you, how do you challenge a system? Like, how do you like, how do you, okay, I'm going to meet somebody that I'm supposedly like, they're my dad. And I have no idea how this is going to go. But you have to do that.

That's scary. Right. That is scary. Yeah.

So you, then you have other challenges in your life related to some technical implementation or investing in a project. It makes it seem easy. Right. It makes it seem easy.

You've already done the hardest thing that you've ever done in your life. Yeah. It's in the rear view mirror. Right.

And you become comfortable with that intensity. So I think that, I think you're right. I think, do I regret anything? No.

Would I tell myself? Yeah. That? Yes.

Do I think I would listen to myself if myself from the future went back in time and told me that? Probably not. Right. Because I just, it's a program that you can't shut off.

Right. But in the end, it all works. You may want to, but then, you know, until you hit the experience, it may not. It may not.

Process. Yeah. It may not. Yeah.

Hey, thank you so much. That was really, that's a really vulnerable share. I have all of the gratitude in the world. I'm sure I speak for all of our listeners too, deep gratitude and appreciation.

Well, I appreciate that, John. It's really cool to chat with you. I can't, I went and listened to a couple of the podcasts. You really are able to call out some interesting insights from folks and I appreciate you taking the time with me.

No, I really appreciate all of the shares and the vulnerability that you've shared with all of us and nothing but gratitude. Keep it up. Let's do this again for sure. Would you like to leave our listeners with any final words of wisdom?

Yeah. The one word of wisdom I would have is just go all in. Go all in. I love it.

If you have that instinct that you feel like you should be all in on something, then go all in. Even if you don't get the outcome that you wanted, it most certainly will open up a door that you could never imagine. And I think that's very exciting. When that door opens, you'll be like, wow, that was really worth what I thought was a risk really created an amazing opportunity for me.

I love it. Chat again, John, and I really appreciate you taking the time. All right. Well, I'm so happy that we got a chance to meet and thank you so much everyone for joining for another episode of the Security Podcast in Silicon Valley.

Thanks, John.

‹ 41. Michael Moore, Chief Privacy Officer at Lacework, Securing Tomorrow: Navigating the Cyber Frontier

39. Steve Orrin, Federal CTO at Intel, on Tech, Trust, and Transformation ›