Speaker 1:
From the library of the New York Stock Exchange at the corner of Wall and Broad streets in New York City, you're inside the ICE House, our podcast from Intercontinental Exchange on markets, leadership and vision and global business. The dream drivers that have made the NYSE an indispensable institution of global growth for over 225 years. Each week, we feature stories of those who hatch plans, create jobs and harness the engine of capitalism. Right here, right now at the NYSE and at ICE's 12 exchanges and six clearing houses around the world. And now welcome inside the ICE House. Here's your host, Josh King of Intercontinental Exchange.
Josh King:
In the early years of the New York Stock Exchange, the public was barred from listening in on the trading to keep from information seepage. A major scandal erupted in 1837 when the exchange discovered a hole drilled into its wall by an enterprising curb broker. He was part of an outdoor exchange that met on the street outside the NYSE and he wanted to use this crude data feed to trade his securities off the market conditions that he heard about inside. In security parlance, the wall quite literally had been breached. These simpler times of plugging holes and eradicating eavesdroppers were soon disrupted by Samuel Morse's invention of the telegraph followed by the stock ticker two decades later, which was quickly adopted by the exchange members to transmit trade information and quotations. In fact, Thomas Edison himself notched his first successful invention in a product that made sure that no ticker jumped the line and received data before anyone else.
Josh King:
So fast forward to 1889, the NYSE began the New York Quotation Company to replace the use of several different organizations, including Western Union, reporting simultaneously from the trading floor. This ensured that the marketplace would remain orderly, transparent and secure through the control of the collection and dissemination of trade information. Intercontinental Exchange, which has owned the NYSE since 2013, still follows those principles today, even as the market has gone from ticks to quants. Now, I don't need to tell you that across the Fortune 500, information security is at the forefront of modern business, especially those tasked with maintaining regulated markets and entrusted with the personal and financial information of millions of clients.
Josh King:
The environment certainly has changed since Thomas Edison's day, but protecting data and policing the flow in and out of a business's computer and cloud networks has never been more important. So here in the ICE House, it's time to talk to an expert. Our guest today, ICE's chief information security officer, Jerry Perullo, joined ICE in 2001 back in its earliest days and he's overseen the company's information security since. As the business continues to innovate how it transacts and communicates globally, it's Jerry's job to ensure that our walls are more secure than when the curb trader drilled a hole in one back in 1837 and that we're constantly imagining the threats to our virtual walls out into the future to 2037 by red teaming our potential vulnerabilities 24/7.
Josh King:
It's a job that's ongoing surely at the other 499 companies in the Fortune 500 as we speak. Our conversation with Jerry about securing financial data, identifying threats and why information security shouldn't be judged by its level of inconvenience. That's all right after this.
Speaker 2:
It's more than an iconic building or a global financial marketplace. It's anywhere technology, commerce and people intersect. The innovation that makes people's lives better. Dreams that were once impossible are now realities. At the New York Stock Exchange, we help tech companies flourish and change the world. So go ahead, bring those ideas to life. We'll bring it to market. We are living tech.
Josh King:
Our guest today, Jerry Perullo, is the chief information security officer of Intercontinental Exchange. He heads the company's cyber security program, securing critical economic infrastructure across multiple subsidiaries, geographies and regulatory jurisdictions. Jerry is an active leader in the cybersecurity industry serving on boards and working closely with peers, investors and entrepreneurs developing solutions to critical challenges, frequently published and featured as an expert at a wide range of cybersecurity events. Jerry Perullo, welcome finally inside the ICE House. We wanted to do this for a long time.
Jerry Perullo:
Thanks for having me, Josh.
Josh King:
The physical security team of this building reports up to you. Are they on the lookout for newly drilled holes to hear what's going on inside the building?
Jerry Perullo:
So the risk that you mentioned, which was actually really a market manipulation risk at the end of the day, that's always been prevalent for all markets and it's kind of ironic that the electronification of these markets has in many ways, just by democratizing access and transparency to them, obviated a good deal of that risk. You wanted to get into the walls because there was an inside ring there and there was insider info in a literal sense. And in the case of electronified markets though, now everyone really has equal access.
Josh King:
So physical security, staying on that for a second, I mean, to get it right here at the intersection of Wall and Broad Street, you have your own team, but you've got to work in close cooperation with the New York City Police Department, federal authorities. Certainly we are within striking distance of the World Trade Center. These streets were closed the year that you joined ICE in 2001 because of the attack on the World Trade Center on 9/11. And so the physical security of this place is not something that you can do only on your own and in the same sense, Jerry, the cyber security is something that you also can't really do alone or at least not without great cooperation from both peers and authorities.
Josh King:
I'm looking at basically a list of acronyms of the collaborations that you're involved with. So the FSISAC, the FSARC, the FSIE. I mean, you could name this alphabet soup I have in front of me, but how much of what you can do physically are things you do alone versus in cooperation with others and how much also in cyberspace do you rely on other people and collaboration?
Jerry Perullo:
Beginning with that formation of the information sharing analysis centers and the FSISAC is the financial services one, as you might imagine, sponsored by the Department of Treasury. That pushed the need past that barrier, past that friction. And all of a sudden people were not only permitted to begin sharing information, but encouraged to. And it even went so far as nowadays, you'll see that as part of a standard regulatory exam. They want to hear how companies are taking advantage of information sharing. And so that's been hugely valuable, but I think more specifically, that whole exercise has really been a validation, a proof of concept, a proof of value around the concept of information sharing. So it all started with what we call threat intelligence. Hey, I'm seeing this, it looks like it's this adversary, maybe you have a like business, are you seeing it too?
Jerry Perullo:
Either thanks for the heads up, now I'm ahead of the threat or yeah, I'm seeing it too. Everybody else in the world is. Okay, it's a commodity threat. It's not really targeted, super valuable. But that was very limited to threat intelligence, very easy to pass legal muster and to talk about, okay, we're just looking at attacks. But what's happened from there is with that proof of value, now things have moved a little bit further and now you see companies sharing information on defensive strategies and it's only a natural evolution. Of course, I mean, enough is enough about they're coming, what are you going to do about it? And now you get a little bit more of here's things that are working, here's tactics. And there's some commercial consideration in that too but I've never seen anyone disagree with the fact that we want the entire ecosystem to be sound.
Josh King:
I mean, talking about the big financials and this balance between physical security and cyber security, I used to have a lot of friends at prior jobs that have been connected to JPMorgan Chase. And they used to tell this story about how there was an attempted or there is an attempted bank robbery at a Chase branch once a day. And people in the audience will always sort of open their jaw in amazement that the bank is robbed once a day and said do you know how many times an hour that our network is attacked? And then you'd give out that number and then people's jaws really drop. Is the balance and perspective right these days between the cost and expense and effort made in physical security, protecting this landmark, for example, versus the cost and expense and collaboration needed to secure the data and cyber aspects of businesses like this?
Jerry Perullo:
The most effective strategy around managing these things is really to step back and look at what I call threat objectives. So when you look at the overarching program, whether it's physical security or cyber or anywhere in between, it's really easy to get bogged down in the means and forget about the ends. Once you've established a control, whether it's a guard dog or police or a firewall or whatever it is, you can get married to that control so much, that's all you focus on. And then if you have a problem, you have a breach, you just think, well, we need more firewall or we need more encryption or whatever it may be. And it's important to step back every now and then, remember why you put that thing in and what you were worried about.
Jerry Perullo:
So the threat objective focus, we track 10 threat objectives in the cybersecurity domain. And just to give you an example and I'm going to go through all of them, but some of the more data theft really makes up only three of those. And that's what you hear a lot about in the press is about data, data, data, data security. It's important to be aware of that because there's a lot of firms, particularly critical infrastructure, who have totally different threat objectives they're worried about besides data theft. So for example, sabotage. On the data side, we all hear about PII theft all the time and it's very important. You also have intellectual property theft that we've all heard of.
Jerry Perullo:
And then you have material non-public information and that's a little bit further away from the public eye, but that's really insider trading at the end of the day. So those are all data centric threats without a doubt, but sabotage or even asset theft, extortion, data manipulation, these are all threats that are not necessarily captured in the news feeds that you're going to hear about. And the reason is because they don't necessarily hit home to the consumers. They're not going to get the press coverage like.
Josh King:
But a guy in your position has all of these threat objectives matrixed out across the likelihood of the threat occurring and the potential impact of them occurring?
Jerry Perullo:
So what we did is we take these threat objectives and just like you said, we measure the inherent risk of those. And that is where threat intelligence comes in. So is this happening in the world? Because there's your inherent likelihood right there. And then the impact obviously is very business-centric. So to run security, whether it's cybersecurity or physical security, there's a few things more valuable than being close to the business, understanding the business, partnering with the business to understand what the impact would really be. Else it's really easy to just say the sky is falling. Oh, well, if this happened, it'll be the end of the world, end of the world, on and on. And in reality, a lot of these things have a quantifiable less than infinity impact and we should understand those and be able to compare them.
Jerry Perullo:
And so that's to measure the inherent. And then after we apply our controls, we gauge the residual risk of each of these. But the real value in this is that it drives the priorities so that we're not chasing every news story and what I like to call solving other people's problems, right? That's not what we want to do at the risk of neglecting our own. So by setting up these threat objectives, then we can come out and say all right, well, this is the thing that would really hit home here with input from not only what we just called the business sitting here at 11 Wall, but all of the global ICE subsidiaries because it does vary by subsidiary and they all have to have a seat at the table.
Jerry Perullo:
And so we review that and then we set our marching orders. And as you alluded to early on, our strategy is what we call a red team first strategy. So if we decide we care about sabotage, let's hear how it worked at Sony or at Saudi Aramco and then play back those bits in our environment and see which ones work, which ones don't work and where the failings are, fix everything that we need to, rinse and repeat.
Josh King:
So if you've been listening dear listener to Jerry Perullo talk for just a few minutes, you know that he lives and breathes this stuff, but how is such a person created? How do we create a chief information security officer? So for the next couple minutes Jerry, if you're okay with this, I want to go back in your career and sort of mine about where someone gets sort of this passion, this level of interest in this range of issues. And you make it to Clemson University getting a computer engineering degree, but much of your learning came outside the classroom including Liberty Life Insurance, which-
Jerry Perullo:
No degree. I got a computer engineering education.
Josh King:
Yes. No degree. I mean, you're working at Liberty Life, which is now part of Globe Life, which happens to be NYSE ticker symbol GL, how did a summer crisscrossing the South help you develop your network abilities?
Jerry Perullo:
Right. So I had a co-op job and that was crisscrossing the South, as you mentioned. And we were actually installing computer systems for local insurance offices and a colleague and I, we would actually set up shop in somewhere like Baton Rouge, Louisiana. And then we'd host classes in the hotel conference room and we would bring in all of the admins that worked in the different offices and we would teach them about this newfangled thing called Microsoft Word, Microsoft Excel. And then at the end of a week long class, we would then start making road trips all around places like Houma, Louisiana and Lafayette and Hammond and all these small little areas and we would physically install these computers and then we would tie out the training that we had delivered. And in the process, we got a lot of little questions ranging from how do I do a mail merge? I could send all these customers this to the hotel staff bartering drinks for, if we would just create them a new menu. I remember that actually happened. But in any event being-
Josh King:
I mean, did you dig this kind of life to go to places like Lafayette, Baton Rouge and setting up in these hotel ballrooms and making new friends who said look, I know you can do all these different things for me, but what I really want is a menu for my restaurant.
Jerry Perullo:
Yeah, absolutely. I mean, my remit was to go out there and work this let's say eight hours a day. And then I'm isolated, I'm far away, but that concerted time sitting with computing equipment that I never had access to before. And me and my friend, we would hook up the computers on a local area network and we experimented with IP networking. And by the time I was done with that summer, I knew how ethernet worked and I knew how switching worked. And it was a lot of things that were actually pretty new so you weren't going to run into them even in an office network. So that was a huge leg up.
Josh King:
I mean, you eventually did return to school. You got a job at an internet service provider. You remember what they were called? ISPs. Which was just coming of age in the mid '90s. Let's listen to Tom Brokaw and Eric Schmidt then of Sun Microsystems and later CEO of Google explain to the NBC audience the technology that would replace Yellow Pages.
Tom Brokaw:
Just what is this main artery of the information super highway?
Eric Schmidt:
Every business, no matter how large and no matter how small will be on the internet in the year 2000. It's how the primary way that people will look up information. It will replace the Yellow Pages as we know it today.
Josh King:
I mean, Eric Schmidt sounds so quaint. How did you learn the skills for the job? And were you able to balance school and work or was work going to take over at this point?
Jerry Perullo:
Right. So I returned from my co-op job and I remember literally busting out the Yellow Pages. I still remember what the book looked like in my cheap little rinky-dink apartment outside Clemson. And I remember thinking, oh, well, I'm going to be out of money in let's say November. So I've got a semester and a half or so so I might as well start looking for a job now so that I can make tuition when it comes around. And I started with this internet idea fresh off of all this learning and I opened up the phone book, found a small ISP right there in Clemson and I gave them a cold call and they hired me on initially to be a Perl developer. So I came on board to do that and within a matter of weeks the few staff that were there had left for various reasons.
Jerry Perullo:
The president and founder of that ISP who had outsourced all the infrastructure to a large company in Atlanta had a falling out with them and all of a sudden I became the network manager. I still was the Perl developer. I became the web developer. I became the email administrator, systems administrator and everything. And I really had to build an ISP with not just a looming 60 to 90 day launch date, but it was live at the same time and had to build all the authentication services and the underpinning infrastructure while expanding.
Jerry Perullo:
So while taking on new customers and having to roll out new, we call them POPs at a time, points of presence, in borrowed office space in law firm closets and things like that all over upstate South Carolina. That was a, I wouldn't just call a full-time job. I don't have any count of it now, but I had to be working 12 to 16 hours a day pretty easily. Whether I was sitting in an unheated garage building the infrastructure, traveling around, setting up the modems. And by the way, we actually had physical modems, banks of 48 at a time. And troubleshooting those with individual phone lines is something-
Josh King:
The old Hayes modems.
Jerry Perullo:
You could only imagine.
Josh King:
And at some point, enough of working for someone else, it's time to start your own business. That becomes WAN Solutions?
Jerry Perullo:
Yeah, that's right. So after doing that thankless job and you asked about my studies and they fell off a cliff during that time. I got my transcript recently and dug it out and looked at it and tied it all back together. And yeah, things just fell off a cliff. It was third year engineering, if I remember right and you just can't fake it at that level. First or second year, you can get by, but you can't walk into an advanced mathematics engineering course having just opened the book last night.
Jerry Perullo:
So, but then well enough, it turns out now that I was getting a hell of an education, so no regrets. So I'm on AltaVista, I'm learning all this, I'm throwing it all together. And it was a thankless job, almost literally. It was worth $7.50 an hour of thanks. And by the end of it, despite getting my raise up to $12.50 an hour, I decided I was going to go out on my own here. I'd visited so many businesses to hook up their old AS400 or mainframe systems to some kind of IP network and get them on the internet. And I had gone through so many cubicles and office space where I was the one who brought them internet browsers for the first time and I saw how their eyes lit up. And so I just started doing that on my own and I made cold calls, I opened that Yellow Pages back up and I drove all around upstate South Carolina hooking companies up to the internet.
Jerry Perullo:
So my workload definitely decreased once I got done building the ISP and handed it back over and jumped ship and went on my own. But it was still untenable school wise. But I was still in school and I was the guy with a pager in class that would go off and I had to go run off and fix something. I wasn't dealing drugs. I was dealing internet service so I'd run off.
Josh King:
I mean, how many other kids had a pager?
Jerry Perullo:
None. I mean, none at Clemson University.
Josh King:
Right.
Jerry Perullo:
That's for sure. And it was nothing glamorous about it whatsoever. It was really a negative thing whenever that thing would go off. So I did that for a while. And then after doing that on my own for a while and paying the bills, all my friends that were either in class with me or in my social circles were all getting ready to graduate. And I still had a path, I had a plan. And so just like everyone else, it's nine months out. I started putting together a resume and sending it out. And I sent half of them over to the big metropolis at Charlotte, North Carolina and half over to the grand city of Atlanta, Georgia. And the reaction, no, is not what I planned on. I planned on oh, okay, come down to the career office and we'll start interviewing you and in four months, we'll have a second interview and that sort of thing because that's what my peers were all getting. But what I got was can you come down tomorrow?
Josh King:
Right.
Jerry Perullo:
Can you start next week? And I came down to Atlanta.
Josh King:
You realized the demand of this field that you're in?
Jerry Perullo:
Yeah. And it's funny. One of the things that I really jumped on was I found some companies had quizzes online. And that was really the first time that it happened. So you can go on there and take a networking quiz to show how much you knew. And I thought this is great. I do know a pretty good bit, but more importantly, I'm willing to actually AltaVista around and learn the other bits. And whenever I would do that, I would get at least recruiters, if not the end employers just jumping through the phone lines to grab me 48 hours later. And I understand why now because I put quizzes out and I get a lot of radio silence. A lot of people are intimidated by that. But when I do get a good response, yeah, I just want to get ahold of that person immediately.
Josh King:
So what was the path then that eventually ended you up at this place called Intercontinental Exchange?
Jerry Perullo:
Sure. So I got a job offer. It was double the salary that I would've had if I graduated anyway so I jumped. I came down to Atlanta and started working for a consulting firm. I spent three years there. The first one I was in as a network architect and put out at the client, that was part of my interview. The next one was actually at BP as a systems administrator during the Amoco merger, which was just fantastic, phenomenal experience there. And then the third one, by then I had spent enough time with network security and computer security generally and taken some formal certifications and classes on it. So that third year, I was in house with a consultancy building a line of business, building a cybersecurity consulting practice which involved a bit of sales, somewhere between a sales engineer and a consultant. So I would sell some work too. I'd build the book of business and then I'd go out and actually deliver whenever I could.
Jerry Perullo:
And so after that third year in doing that, then I said you know what? I can do this. I can go out on my own. So I went out on my own. I dusted off the old LLC that I formed back at Clemson and I went off and I found a few great clients early on doing some project based work. And then I ran into this guy named Edwin Marcial at a bar and we started talking about security. And so he brought me on to build a security program and I did that as a... It was a Wacom customer, ICE, and that was in July of 2001. And so I worked and built a program for ICE and by the end of that year, it was mutual. I had realized this was a really good shop that I wanted to be a part of and I soon realized that they needed someone full time going forward.
Josh King:
What did it say to you that a guy like Jeff Sprecher wanted to take a shot with someone like you who had all this sort of hardworking, diligent, entrepreneurial experience that we've been talking about and yet it was not really traditional? Rather than looking to a candidate from military or Central Intelligence or someone from the major banks.
Jerry Perullo:
A lot of my peers at other financials or even outside finance in information security have similar starts in that those kind of artificial barriers don't work when you just need people to execute and get things done. So everything kind of gets torn down. So it's just the doers that emerge no matter what. And at a startup even today, and this was certainly the case with ICE, it was always in the back of my mind that I didn't want to be a cost center. Right? Because at some point when you're a startup, you're willing to absorb more and more risk because it's table stakes. If you lose the business, then what's the point? How will you mitigate some obscure risk? So from that early stage, when I came in having the hands on networking background, the coding background and the systems background, everything I did had a security guise to it, but a lot of it was keeping the lights on.
Jerry Perullo:
I assembled a small team and we actually built the authentication and encryption infrastructure that made ICE, that freed up ICE so that it could scale so that suddenly we could bring on customers. It used to be every customer we brought on, we had to go to a third party and get a username and password created, do the same thing in our platform and they couldn't change their own password because otherwise they'd get out of sync. So we broke that all down. But the bottom line is that I had to prove value and contribute to the bottom line always. And as long as you're doing that, you're going to have value to an organization. Now, incidentally, while doing that, pure play cyber security for the sake of cyber security just became more and more prominent and critical in the world but also at ICE because we had a startup investment group that were some of the biggest players in both the speculative investment side, as well as the core consumer side and the energy space in particular.
Jerry Perullo:
And they were driving a hard bargain when they were evaluating us as a vendor. We had to pass muster. We had to have a strong program. And then we quickly jumped into the regulated space with the International Petroleum Exchange acquisition as well. So even though we were a small company by some metrics, we were judged by the same criteria that any of the largest banks in the world would be judged by.
Josh King:
What has become over the years since those early days your special sauce? Does it just come down to transparent processes and educating employees, executives, boards and other stakeholders or is there something beneath the surface that is endemic to Jerry Perullo and to ICE?
Jerry Perullo:
Well, it definitely goes back to that, what we call the red team first strategy, which is figure out what we're worried about and then you'll see if it would happen. Will this happen here or not? And I mean, not only are there finite resources in the world, and by the way, that's not just a money game. I've seen many organizations that the pattern, the cycle, they have the breach, they get the blank check and then they hire a lot of bodies and they buy a lot of equipment and then they all stare at each other and say what next? And they don't really know what to do yet. And that's just a hacker's paradise because you have a lot of new people, no one understands, there's no institutional knowledge. No one really knows how anything is plumbed. Everyone is scared to touch anything except the hackers. If they accidentally cause a production [crosstalk 00:26:42] it's no big deal.
Jerry Perullo:
Yeah. That's the worst case scenario. So you start out with that, well, what would a hacker do? And that's just it. And you have to start with a threat objective because you have to talk about motivation a little bit too. And going to the outside world, seeing what's happened, whether it's a data breach for PII or whether it's a nation state attacking the financial infrastructure to actually monetize it to actually contribute to their GDP, which is something relatively new the world's starting to see now. Or whether it's ransomware hitting a municipal government. All of those things we have to start with who's doing that? Why are they doing it? And would they come after us? And if there's really anything to that, then we start out with okay, what would it look like if and when they did come after us?
Jerry Perullo:
And we have an internal red team and they emulate, they call it adversary emulation. So they emulate the actors that took on this breach or that. And time is of the essence too so you can't just read a five year old playbook and then reenact it. They also have to be reading the wire in real time. So we have commercial providers as well that are feeding us threat intel and they already know and they say hey, there was a breach at XYZ. Our next question is going to be how did they do it? Have you got the forensics so that we can recreate it in our environment?
Jerry Perullo:
And that's been key. So every information security organization really has two halves to it. There's the first line of defense, which is really the reactive and the incident response and that kind of technical bit that you'd expect and the preventative controls. And then there's the second line, which is really the proactive identification of risk and figuring out what could go wrong. And I can tell you from a lot of experience that a lot of IT departments at many companies kind of roll their eyes when security comes in the room or when audit comes in the room or when risk comes in the room because we can, if things don't go right, just generate this deluge of risk without any real context to it. So doing this threat objective study though and having red teams go in instead of just saying hey, these servers need to be patched. We're able to come in and say here's a video of someone exploiting it from Uzbekistan. It was our guy fortunately. People will get up out of the room and go fix it. There's no more back and forth.
Josh King:
I mean, let's talk about some problem solving that everybody who works in an office environment can relate to. We've all been in the position whether we're opening up a financial services account or creating an email password or anything that creates an account identity for us of following these protocols that we've all become used to, which says capital and lowercase letters, symbols, hieroglyphs, everything else that must go into your password to make it super secure and it must have at least eight characters. And surely 15 to 20 times a day, I'm not dealing with those eight characters, I'm dealing with 15 characters and yet it's an easier process for me, the worker, and probably a more secure and successful process for you, the information security chief.
Jerry Perullo:
That's a good example. So you asked me earlier about secret sauce and then I went right into the red team first strategy and at the highest level, that's certainly important. But I think more tactically, the idea of dreaming big and nothing being off the table, the idea of we have a problem here, it's easy to jam in some draconian solution that's going to impact productivity and going to have a lot of friction and frankly be unwound, right? That's the biggest threat of bad controls is that they ultimately get torn down. You get a lot of exceptions. Over securing is actually a lack of security at the end of the day. So what we've found that really works is I try to say, if you walk into our security operations center headquarters in Atlanta, you're going to see people innovating.
Jerry Perullo:
It looks more like a startup incubator. So we take these challenges and we throw them up there and they come right out of the red team results. So we're really banging things off the wall and we are not saying... We're not married right to the solution. We're not saying, oh, well, we only use this antivirus product so what can it do? What knobs can we turn? We actually start out with things like, well, should we have no attachments or should we quarantine all attachments? Should we have the supervisor required to release an attachment? Whatever it may be. And we try everything on. And the ICE senior management team is extremely collaborative, extremely supportive and extremely reasonable and we sit in a room in our governance meetings with Scott, the CFO and with Chuck, the vice chairman and Mark the COO and on and on and we work through these things and we really hash it out in real time.
Jerry Perullo:
Which, I think that can be an unapproachable body at a lot of organizations, but having that open door policy has been great. But so getting on to password policy. So taking that innovative kind of incubator mindset and looking at passwords, so passwords are something that's highly audited because it's very easy to do. If you're an auditor and you're trying to assess whether somebody's password master, you can have this rule set and you can walk in and either they pass or they fail you. And you'll see a lot of that and a lot of companies have this password policy that comes straight out of audit. Eight characters and three or four of uppercase, lowercase, special characters and numbers and just rattle it off. It's been almost 20 years of that.
Jerry Perullo:
So we looked at that though and as we went through the red teaming, we found that one step in what we call the kill chain, if an attacker were successful and then we actually give them a leg up, we actually bring hackers on and bring them in as fake employees. We give them a laptop and a password and they start. And we found one step in a kill chain was taking all the passwords and cracking them. And they would run computers with graphic processing unit augmentation and they'd run for hours and they'd be able to crack a few passwords and hopefully they'd find a privileged account and then they were off to the races with that. So while that was only one step in what I called the kill chain, we just said we want to win that battle and here we are compliant, but it's just not getting it done. We're just meeting compliance.
Jerry Perullo:
So we ran some math on the whiteboard and we said well, what if we went out to a really long password, 15 characters, but got rid of all the complexity requirements. And I have a lot of people with high math SAT scores on my team. Let's put it that way. So we had some great whiteboard battles on how much better would it be and that sort of thing. But what kept creeping in there because of kind of that tick box mentality was, well, we have to have complexity and everybody's expecting that. We have to have uppercase and lowercase and on and on, but we said, well, let's just try it out. So the math held and we felt pretty good about it. And then around that time, the National Institute of Standards and Technology, NIST, released an updated standard and they said, well, length is king and if you can get a longer password, you can get rid of some of that stuff as long as you look for commonly used passwords and block them out.
Jerry Perullo:
So long story short, we did it and it took about 90 days to roll it in. And the impact has been substantial. And the only reason we were able to do that is because we innovated and created this thing that we called the cracken that every single day tries to crack all the passwords in the company. And we see the success rate of that machine just dropping precipitously. We saw it drop all through the 90 days it took to get on the policy and then that drove other... I mean, just having that machine that's constantly red teaming us has really exposed a lot of other things around cleaning up accounts and visibility and looking across acquisitions and geographies. And so we've just driven that metric down. And for one, having a metric is challenging enough in cybersecurity. We have one. And then being able to turn the knob and do something to watch that metric become very positive and prove value has been great.
Josh King:
So it's great to know that there's a cracken moving throughout the company's networks keeping us secure. After the break ICE's chief information security officer, Jerry Perullo and I talk about some of the specifics of Intercontinental Exchange's unique take on InfoSec and what he thinks will be the biggest threats to our data in the future. That's right after this.
Speaker 3:
And now a word from Artur Bergman, CEO of Fastly, NYSE ticker symbol FSLY.
Artur Bergman:
Fastly is an edge cloud platform. We help deliver digital experiences for amazing customers like Spotify and Ticketmaster and New York Times. We [inaudible 00:34:53] eight years ago. It's been an amazing journey. We work very closely with our customers. We're a very critical part in their business. And we're very selective in the type of customers we want in our network. Fastly is built by developers for developers. Fastly is listed on the New York Stock Exchange.
Josh King:
Welcome back. Before the break, ICE's chief information security officer, Jerry Perullo and I were discussing his career and how information security fits within the larger company. As we kick off the second part of our show Jerry, I want to go back to those headlines and here is a report from CBS News, it came maybe last year.
Speaker 4:
In privacy watch now, government computers in 22 Texas towns are being held hostage by ransomware. The state's department of information resources said that the coordinated attack happened on August 16th and many of the local governments still have not been able to get back online.
Josh King:
We were talking about ransomware earlier. Attacks like these have hit a number of towns from large to small. Baltimore comes to mind. Often it's reported that a known vulnerability was the entry point for the attack. Something that could have been easily fixed by running a patch released by the software company. Do good patching habits solve most systems vulnerabilities?
Jerry Perullo:
That certainly is the drum beat, patch mania is what I like to call it. Everything could be solved if only there were a patch. And I think there is a lot of validity to the idea of hygiene. That's certainly very important, but, and you mentioned that particular ransomware incident and then we've had a number that have had just knock on effects that weren't even the intended targets, whether it was Nyetya or the WannaCry attack of last year that were even much bigger than these targeted ransomware attacks in their scope. And inevitably after any attack like that, we get well, if only someone had applied patches on every single one of their computers. And people even roll their eyes and kind of mock the systems administrators, how could they not have applied the patches?
Jerry Perullo:
It is very difficult to manage assets. I mean, especially when you think about manufacturing of some of these operational technology. If you deploy patches very quickly, I guarantee you'll have interruptions in service. Guaranteed known. A known guaranteed issue versus a potential issue, you're always going to take the potential issue. So I think that's somewhat unreasonable, but the other bit that people don't weigh into the equation a lot is the concept of what we call a zero day vulnerability. So the way that the cycle usually works is that a benevolent researcher will find a vulnerability in a popular piece of software. They'll hopefully alert the manufacturer to that and then the manufacturer will code a patch for it and then they'll release it.
Jerry Perullo:
And usually they'll coincide with the release, because the researcher wants to get credit for it and they'll say, okay, let us get the patch out and then you can get all the glory. And that'll happen. So the patch will come out. And then when the researcher comes out with the information, the vendor will be able to say well, and we've patched that. Yeah, that was true, but it's patched now. Meanwhile, the adversaries are reading the news too. They're hearing about the vulnerability and they're weaponizing it. And then three to nine months later, there will be some kind of software like WannaCry that relies on some of these vulnerabilities. But everything that we see and that we've talked about in that cycle I just described is really based on the idea that there was a benevolent researcher, that they brought it up to the opinion of the... Or they brought it to light for the vendor and that they had a chance to fix it.
Jerry Perullo:
Meanwhile, we have these what we call zero day vulnerabilities. And a zero day vulnerability is one where it's not a benevolent researcher. It could be discovered by an intelligence agency for any government out there or organized crime or even hacktivists or anyone in between. And so the idea that just patching is going to solve everything doesn't hold any water because you already know immediately that there are no patches when you talk about a zero day vulnerability. So there has to be something more than that. And what we keep finding in a lot of the ransomware incidents that you mentioned or WannaCry or Nyetya or any of these, we find that yes, it is a hygiene issue, but it's not really the patching so much because I mean, if you tell me that the reason NHS for example was negative... The National Health Service in the UK was negatively impacted by WannaCry was just because they weren't patched or more importantly, if you tell me that everybody else in the world that wasn't affected was patched, I'll tell you that's not the case at all.
Jerry Perullo:
The problem was hygiene, but it was really basic networking. It's really simply understanding your threat surface, understanding what services you have available. If you have an internet service, then you need to have internet connectivity, otherwise you don't. Whatever you're serving over the internet, if it's a website, then that website needs to be exposed to the internet, but that's it. You don't need to have all of your mainframes exposed to it, all of your PCs and on and on.
Jerry Perullo:
And that's the type of hygiene, things that have been solvable for 20, 30 years. That's really set a lot of companies back and it's not chasing patches. But when you have these organizations, you'll find that if you push them and say I can't believe you didn't have that patch out, the patch applied, it's been out in the news for a whole two months. The real issue is we haven't been able to upgrade our infrastructure in 20 years. And you realize the real problem is a lot simpler, but a lot more difficult at the same time.
Josh King:
A lot simpler and a lot more difficult at the same time. I mean, if you go back 19 years, heading information security, when the company was one office of 40 people is vastly different than what you oversee today. How have you personally been able to grow and develop along with the company's growth and development?
Jerry Perullo:
I was on this really entrepreneurial track but I don't feel like I got derailed because being at ICE, I've had all of the benefits of that and in particular, the constant change. And that's something that personally, I was joking with a friend recently and I said it's been really serendipitous that I get to thrive in an environment where my desire for constant change and questioning anything, to me the idea of well, that's the way it's always been is an indictment. That's not a reason to keep it at all. Because in cybersecurity, if you don't understand how something's working, it's about to get owned tomorrow so you might as well understand it. So the actual timeline though when you look through ICE, when I look through, there were three different events where the company more than doubled in size overnight out of the many acquisitions we've done over the years and they're evenly spaced out, which is pretty interesting.
Jerry Perullo:
So in 2001, shortly after I arrived, we acquired the International Petroleum Exchange in London and I was on a plane in short order. And part of that was it's a small company. There's no department charged with determining who needs to go to the UK and that sort of thing. And that's always been in my DNA to just look for opportunities and jump on them. So I knew we needed to get out there. I knew from a security perspective we needed to immediately find out what's going on out there. And we were trying to find the markets at the end of the day. So it was kind of a green field in a way. And if it was done without any input from information security, it could really be a big problem. And it could be a huge jeopardy to the electronification to the business strategy. If the minute we went live, we had some kind of breach, that could set us back years.
Jerry Perullo:
So I get out there and I remember the International Petroleum Exchange was an open outcry exchange. And I remember strolling in there and I was 24 years old at the time. I don't realize that till I do the math. I remember strolling in there and the guys, many of whom are still with us today from that acquisition, throw an IPE jacket on me. And so there's this room full of screaming loud raucous traders and then there's, in the center of each pit, there's an IPE pit supervisor who's wearing a little headset and all these guys are just screaming at him as loud as they could. So what they do is they throw the jacket on me and they march me right down in the middle of the Brent Crude pit and I am absolutely petrified of anyone who's going to look at me, talk to me or do anything. And they basically put this big blazing jacket on me that says I know what I'm talking about, come look for me.
Jerry Perullo:
So I stood there for a while and one of the things that I really recognize now when I look back is they were able to do that, those guys who were working in the pit, the supervisors, without any threat of the members saying how could you do this? You put us in jeopardy by bringing someone that didn't know what they were doing. They were all in on the joke. The rapport was massive back then. And Jeff still talks now about the number one thing being staying close to the customers and listening to them and hearing what they want. And we really saw that in action on the floor at the IPE. It was such a tight knit group between the customers and the supervisors. So they strolled me on there and everybody's in on the joke. And I sweated for a while and I remember walking out and someone sure enough approached me in a panic like everybody on a trading floor always seems to be and they hand me some documents, I thought it's all over now and they said, mate, can you make a copy of this for me?
Jerry Perullo:
I thought, yes, I can. I sure can. I can actually contribute here. And when I look back now, it took us three or four years before we not only electronified the markets, but on the backend, on the infrastructure, on the IT, on the things that were really close to home for cybersecurity, it took three or four years because there was such a petrification about don't touch this, we might break something. And for a good reason, we had to get educated. So that's what we did. Now, you fast forward a bit and the company's gone public in 2005 and in 2007, similar story. New York Board of Trade right down the street from here. Coffee, cotton, sugar, cocoa and on. So here we stroll into an even bigger trading floor with even more pits. And we walk in here and the same personalities, right? Except that they had New York accents instead of British accents but the same exact personalities. And they're going to eat everybody alive and here these kids from Atlanta stroll in and same story again, we're going to electronify.
Jerry Perullo:
If I remember correctly, I believe we went live on the screen with those products on the day we closed the deal. I mean, to think about the difference, the swagger almost that we had, the confidence that we had, because we had lived through so much of oh, don't touch that or oh, you can't do this and oh, you can't do that and oh, that's impossible. By the time we walked into New York Board of Trade, we were and it wasn't just about being brash or hubris. We instilled that confidence with the existing staff and we spoke their language now. And we actually brought over folks from London in market supervision to sit in the market supervision team at NYBOT hand in hand and say look, I used to be a pit observer as well, now I'm working a computer. This is how it works. It's going to be okay.
Jerry Perullo:
So we actually set up a training center and a trading center for people that came off the floor and it was right next to the Gap, just across the street from the old NYBOT building. And we actually built out an environment where people could come in there and get hand-held a bit and get trained up and we knew it would be short lived and it was, but just to help people get over that transition and we were so much better prepared and we were able to do things so much more quickly and so efficiently.
Jerry Perullo:
And then you jump ahead another six years exactly into 2013 and by then we had built a clearing house in Europe and we had taken on Creditex and the YellowJacket. And at each of those steps, I had personally gotten very involved. All of a sudden we're buying NYSE Euronext and it was the same type of external reaction that we had with the IPE and NYBOT, which was who are these people who have the nerve to fly up here? After having gone through IPE and NYBOT, both more than doubled the size of the company by any meaningful metric. Then by the time that we walked in, we had to check our bravado. I'll tell you that, because you still have to be very respectful or things can go south really fast.
Jerry Perullo:
But it wasn't insane to us and we were working internationally so much as well that the Euronext side of it wasn't insane to us. And we had colleagues on the continent in Europe and in the UK who could work with our new colleagues at Euronext LIFFE, which came over as part of the acquisition and was almost a cousin company of the IPE. I remember in earlier years, going to the LIFFE building and getting a full tour of how they did all of market supervision because the rapport was so strong and we actually had business continuity desks set up at each other's exchanges so we could work from there. There was just such a collegial rapport among all those bodies. So when we went into NYSE Euronext, which now people look back and say wow, how could that have happened? There was a lot that got us prepared for that.
Jerry Perullo:
And sure enough, when you look forward now, you'll see a lot of realized synergies and cybersecurity is the paramount example there. And it's not just about cost savings at all. I mean, it takes what you mentioned earlier, which I then called information sharing. So external information sharing, comparing notes with our peers, that happens internally as well. And so when you have a centralized function like cybersecurity, we're able to look at what's going on at ICE benchmark administration or NYSE or the trading floor in San Francisco that we have or any of the entities in the Netherlands that we have and on and on. And we're able to correlate. When internally, we have an ecosystem now. So we get a lot of value out of that besides just classic synergies.
Josh King:
I've told you many times that my favorite place in all of ICE is your own information security headquarters in Atlanta because it looks like you imagine a futuristic command should look, but I think as you would say, it's really just the tip of the iceberg. I mean, how has automation of processes helped you scale the department and you use the board and you see what you're looking to reveal sort of so much more behind those numbers and those flashing lights.
Jerry Perullo:
Yeah. So we built a new headquarters in Atlanta four or five years ago now. And so we had really a green field opportunity. And having operated at the time, 15 years or so out of the existing headquarters, it was really a chance to decide what we didn't like about it and get it right. And so like at many companies and many departments, the actual physical team was a bit balkanized, right? So you had a few people and then maybe the threat and vulnerability management team was at the end of the hall on the right, if you knock three times. And then maybe the strategy group was on the other side of the building or whatever it may be. And we've seen that playbook so many times as people grow organically, but here we had a chance to consolidate.
Jerry Perullo:
So we did. And Jeff was kind enough to see the need for that straight away and we created the SOC, or security operations center. And then we had the wall screens. And so part of cybersecurity everywhere is the flashing lights. And so you have these screens behind you. And I have this tension that I wrestle with in that for some audiences, for the layperson, flashing lights are kind of enough, sadly enough. It needs eye candy and it just says something high tech is going on here and then we can go on to whatever you came to talk about. And it's almost a tick box. But I don't like that because being a technologist myself, I dread someone competent coming in there and saying come on, Jerry, I mean, these aren't even your IP addresses here and this network traffic isn't even new. This is commodity stuff and it's six month old data, what are you doing? You're not fooling anyone.
Jerry Perullo:
So I dread that. So I remember the mantra at the time was given that we need to have eye candy anyway, we may as well actually get value out of it. I know it's somewhat tongue in cheek, but I really meant it. And so what you see on that screen in particular, I actually went to market and I asked a few people if there was a tool out there and a set of tools that would visualize data the way I wanted it to and there wasn't. So then I went a little further and I wrote up this really detailed requirements doc that I started fishing around and we got all the big vendors, including the Defense Industrial Base, to talk to us about building out these tools. And it wasn't just raw expense. There were also long timelines and, oh, that'd be impossible.
Jerry Perullo:
And then ultimately, someone in one of the trust communities said oh, well, you should look at this other tool. It's not exactly what you want, but it's an open source tool. And so we did that and it was a pretty good start and then we got a hold of the developer who created it, a guy in New Zealand actually, and he built a custom mapping tool that you still see there today. And you see an array, a mix of open source and bespoke tools that were built for us, but it's all real data. And there's nothing on there that's oh, well, that's someone else's, Jerry. So what we're able to visualize is a lot of kind of the pulse of the network. We talked earlier about knowing your network and actually knowing what's going on and I wanted to really capture that viscerally and have people, especially the more junior staff, have this kind of pulse that when things got hot, there would be something that would kind of move the barometer in the room.
Jerry Perullo:
And so that's where we were able to build. And so we actually monitor all of our external network traffic in a way that it has OpenGL video game type graphics that actually flash bigger as the traffic increases and during denial of service attack attempts, we're able to go back and look at those screens and capture them and actually have a visual way to show up through levels like the board what an attack actually looks like, which is pretty rare to have that kind of data. But the thing that was challenging about the whole eye candy conundrum is that you can't live and die by screens or anything like that. And that kind of gets into the automation discussion a little bit too because you can't live and die by things on screens because people aren't staring at them all the time and they might blink and could miss something. It's almost like a security guard watching a camera. That's not really tenable in the long run.
Jerry Perullo:
But what we found through creating this visualization is that it really just gives inspiration. So more times than you would think and where my office is situated, I can see a glimpse of this board and I always see it when I walk in. So I'll walk up there and then people will start popping up and saying hey Jerry, what are you looking at? I say, oh yeah, what is this? And then half the time, they'll say, oh yeah, yeah, we looked at that earlier. Here's what it is. And it's a phenomenon that's interesting. And then what that'll turn into is this use case engineering where we say, oh man, if that happens, we want to know, we can't rely on staring at the screen. What if that happens after hours, wherever it's going to be? So we will architect and engineer some kind of detection based on what the visualization keyed us into. And it compresses that timeline down so much of all the regression testing and figuring out what we'd have to build in.
Josh King:
At one point, Jerry, I attended one of your director briefings, which you conduct for directors of all the various ICE subsidiaries around the world and you talk pretty straight in these rooms. How important is it to have an informed workforce about what's really going on in the big world and the threats that are arrayed against us or any company?
Jerry Perullo:
Yeah Josh. So in addition to security awareness, that also touches on governance, right? And of course, it's a director level and that's... We have both going on at the same time. So one of the patterns that we recognized over the years of operating cybersecurity for so many disparate subsidiaries globally within the ICE family was that I ended up flying around a lot and giving these director briefings and it started with the kind of organic curiosity of hey, we're responsible for example a risk committee of either a parent or subsidiary board and we, cyber risk, that's a big deal. How are we doing here? So that makes sense, of course.
Jerry Perullo:
But the other half that you may not have guessed was really just cyber security education. These directors are being asked about cyber security everywhere in their daily life and they're all curious about what their responsibility is and how much accountability they have and they just want to get educated. So I was getting a lot of questions like hey Jerry, do you have any good books I should read? Do you have any courses that you think I should go to? And we were running a lot of governance programs at the time as well.
Jerry Perullo:
And so we started running these regional briefings, two hours long, in London and in New York. And this year, we're actually going out to Singapore with it. And we did a couple a year at first to kind of catch up the backlog. And we would run them for two hours and this is not mandatory. To get board directors to fly in for something for two hours straight and something as niche as cybersecurity that's not mandatory would seem like a real long shot, but we really did it because it was driven by demand and the attendance is phenomenal over and over again.
Jerry Perullo:
And so I've brought in the CISOs from other financial services organizations generally because they'd hit close to home, they'd be customers of ours or vendors of ours, usually both. And we had a very Chatham House Rule discussion where we can hit them with different questions and just get other points of view on what we're doing. I felt that we'd done enough information sharing because I know we weren't totally off the wall so if one of these guests were to kind of throw me under the bus and come up with something I never thought of, that was totally fine with me. Either it's a good idea and we should be doing it or it's not and we shouldn't. So we brought in a lot of these third party CISOs and we continue to do so and that's been really valuable.
Josh King:
So Jerry, as ICE grows, so do your staff needs. With negative unemployment reported in cybersecurity, are employers having to adapt to satisfy hiring needs and do those concessions create risk in the type of talent that you can bring in?
Jerry Perullo:
Well, I should note that staffing, you'll hear over the last few years, has really grown into one of the top, if not the top, challenge you'll hear chief information security officers mention globally and financial services is certainly no exception to that. So yes, that is top of mind and it's something that we work at concertedly. As a matter of fact, we've now introduced a metric around staff retention and recruiting just within cybersecurity alone just to make sure we stay ahead of any potential issues. But you're right. What you end up seeing is a lot of adaptation. So you see a lot more work from home, you see a lot more perks and that sort of thing. But there are also some really altruistic outcomes from that too. I mean, I think that the push for diversity couldn't be better timed with the need to find skilled people in new and unusual places. So that's been a real opportunity and we've definitely been able to drive some success in that area.
Jerry Perullo:
And then one area that you see that is a bit contentious is educational requirements. So you see a lightening of that and you just saw a big four accounting firm recently remove a degree requirement. And there's a lot of contention around that and I'm a bit opinionated about it too because I entered ICE without having a university degree since I left school early. But what I think when I look back about it, because I hear people argue and then some people get to the point where they're even telling kids that you don't need a university degree and that's a waste of time and that sort of thing. And I don't think we could even have the debate unless we have a university degree. So I certainly saw that when I came to ICE. I went to school at nights and I finished up my undergraduate degree and then I later went on to get an MBA as well so that I can have a lucid conversation about how important it is and how valuable.
Jerry Perullo:
And when it comes to hiring, I'm sympathetic to the fact that not everyone has to have a degree, not everyone has to have the same degree certainly. And some kind of diversity in educational background is actually very important too. I mean the school of hard knocks is really important. It's good to get some of those folks on the team as well. But when it comes to the hard education, I touched on early on about the importance of kind of unplugging and just being focused to really learn something. And when I look back at my computer engineering schooling in particular in the mid '90s at Clemson, the things that I learned there were not only arduous enough that I never would've unplugged long enough to figure them out on my own, but they're very relevant and I use them today.
Jerry Perullo:
The computer architecture, just studying how actual registers in a computer chip work and the whole process, super relevant now. I mean, you'd think that it wasn't, it was just purely academic but it's very relevant to how malware works today and being able to look at a news report on a piece of malware and quickly translate that into fire drill or let's just let the normal course run and we'll just catch up on this one later. So I'm really impressed with how much I got out of that. I mean, even the math side of it and now we're in cryptography with things like backed and having to really, figuratively speaking, go back to school and really understand cryptography at a core level. That is essential. That's not just weekend reading. Having advanced cryptography courses in college was really critical to that.
Jerry Perullo:
So I have a lot of time for formal education without a doubt. It doesn't have to be applied in formal ways. So in addition to formal education though, I think that practical knowledge in technology in particular is really important and I've identified three pillars. So in addition to networking systems, I think coding is something everyone has to do. So whether it's taught formally in school or even in grade school now, to me coding is the new carpentry. 100 years ago, you didn't necessarily have to be a carpenter, but it sure was helpful if you could fix a dining room table. And that's what coding has become now to just stitching things back together.
Josh King:
But if there aren't enough people or if there's a replacement for people, I mean, artificial intelligence is all the rage with some feeling threatened by its potential impact on the job market. You said coders are the new carpenters and you've talked about the critic of automation. Is AI a viable solution to fill the personnel gap in the InfoSec space?
Jerry Perullo:
I think automation is really key to killing what I like to call mindless work as opposed to really cerebral work. And if you look at the cycle and we are in this cycle of red team determines something's bad, we want to get it fixed and then we want to get it automated so that humans don't have to deal with it anymore. You find two real areas in that whole chain where the human element is more valuable than ever. And at the same time, you definitely see some scaling and the ability to mitigate the need for an increasing headcount through AI and automation. So to make that a little more practical, I always say to my direct reports that I'm trying to work myself out of a job. I invite anyone to pick up anything and I even push them and I dump stuff in their laps and say all right, this is great. All these board materials and things like that that I mentioned earlier, I'm not doing any of those anymore. And I'm in a race to stop doing everything that I'm doing today because I know new things are coming tomorrow and I need to free up my cycles.
Jerry Perullo:
And likewise, the people that I'm delegating work to, what I expect out of them in addition to delegating things in kind, what I expect out of them is the automation bits. And I say if you're doing the same thing over and over and over again, it's time to automate that. Again, it's not so you can get laid off. It's so that you can free up your mind to work on this problem solving, the leaning back in your chair moments as I like to say. So that's what we really want to be freed to do and I think that that has a lot of legs left in it, of humans coming up with a problem statement, working through it manually a few times to figure out what they wish they had the power to do 1,000 times a second instead of one time in 1,000 seconds and then coding that up and automating that. And so they can move on to the next use case.
Jerry Perullo:
And that's really the path that we go down. And we have hundreds, perhaps even thousands of atomic automated use cases that are just running around the clock all the time. And I can tell you no one is sitting on their hands as a result of that. They're all staying plenty busy coming up with the next use cases.
Josh King:
There's an old saying that locks only keep out honest people. I mean, in the end, does that hold true for the digital safes as well or is there a technology coming that, in your view, with all your experience, will be 100% secure?
Jerry Perullo:
So for one, locks only keep out honest people. I think that totally applies to cybersecurity. And the way I always put it and there's a school of thought about endpoint security. So dumping a lot of security software on your PC or your laptop or your Mac versus centralized security, that'd be more transparent to the end users. And traditionally, I was more on the latter side of that argument. And I would say that endpoint security is like issuing ankle monitors to everybody in the town. Who's going to show up to put one on? Not the criminals. And then on top of that, you're going to slow business to a pace. So for years, I was always the network security guy and let's see what we can thwart without getting in anybody's way. So then taking the second half of that, so not just about whether or not security controls can be damaging, which I do think they can, but is there a silver bullet coming down the road?
Jerry Perullo:
And so here I'm going to get a little bit of theory so bear with me a touch, but I do think about this sort of thing, where are we headed, right? And will it always be an opportunity for someone who's very change minded and challenging things all the time or will we get to some kind of equilibrium where we need more of a traditional risk manager that's just about not changing anything at all because everything is fine just the way it is? I think about that a lot. I do think, so I talked about computer architecture for a moment. I talked about my schooling and one pattern that I've noticed is that as we try to build computers, which are really just little tiny brains, we learn more and more about the human brain.
Jerry Perullo:
And some of that, very little I'd say, is studying the brain, figuring that out first and I'm saying okay, I should build this computer in that model. I think more of that is there's only really one way to do it with the resources that we have. And I'm not thinking about things like memory and long term memory versus short term memory and we have all these analogs in computing. Things like co-processors. I had this epiphany a year ago and I told my friend who's a biomedical engineering professor at Georgia Tech. I said hey, I just thought we had these co-processors in computers and I bet there's something like that in the human nervous system where things could be actuated before you have to get back to the brain. He said yeah, Jerry, we all knew that for a long time. So there's definitely this pattern where we learn.
Jerry Perullo:
So I take that same construct and try to apply it forward and say is there something in the biological space that we might discover? It would be an invention that could change the game. And if you think about all of the real challenges that we have today around identity, that's it. I mean, half the people are clamoring for privacy and the other half wish that those criminals would stop having so much privacy. It's really a double edged sword. Identity is really king. Figuring out who someone is when we want to know that. And I've wrestled like many people with the thought of should every packet on the internet have an accountable owner to it and do we get into that almost police type state of the whole world's internet? And that really just destroys the democratization of information that was brought on by the internet. So I don't think that's the answer.
Jerry Perullo:
But what I think will happen is there's an algorithm called a trap door algorithm, a mathematical concept. That function's really easy to do one way and really hard to reverse. And that's how we protect our passwords and protect a lot of things online. And I, just a guess, I predict we may discover an analog to that in biology and what I would call a biological trap door algorithm where some kind of attribute from your body, something from DNA and maybe it's the way you look at something or the way you smell something or whatever it may be could be used to encrypt data and only you could decode it. And if that bore out where something about you when you enroll in a given service could be used to encrypt any data and from then on, they could say oh, okay, Josh is logging in. I'm going to use this little publicly available sample that Josh registered when he logged on to encrypt the number 410 and send it back to him and then only you can see it. You see 410, nobody else does. Then that would be a watershed moment.
Jerry Perullo:
And it sounds pretty sci-fi right now, but it's the only thing that's really not just another piece of software. So I think something has to happen in identity. I think it has to be biological at the end of the day because that is our identity. Everything else can be faked at some point or another. And I think something like that could really make a difference both in privacy and data security.
Josh King:
So Jerry Perullo, now and in the future, from 15 character passwords today to some future biometric marker that we haven't yet seized upon, identity is king. Thank you so much for joining us in the ICE House.
Jerry Perullo:
Thanks Josh.
Josh King:
And that's our conversation for this week. Our guest was Jerry Perullo, chief information security officer of Intercontinental Exchange. If you like what you heard, please rate us on iTunes so other folks know where to find us and if you've got a comment or a question you'd like one of our experts to tackle on a future show, email us at [email protected] or tweet us at ICE House podcast. Our show is produced by Pete Ash and Theresa DeLuca with production assistance from Ian Wolf and Steven [inaudible 01:07:34]. I'm Josh King, your host signing off from the library of the New York Stock Exchange. Thanks for listening. Talk to you next week.
Speaker 5:
Information contained in this podcast was obtained in part from publicly available sources and not independently verified. Neither ICE nor its affiliates make any representations or warranties, express or implied, as to the accuracy or completeness of the information and do not sponsor, approve or endorse any of the content herein, all of which is presented solely for informational and educational purposes. Nothing herein constitutes an offer to sell, a solicitation of an offer to buy any security, or a recommendation of any security or trading practice. Some portions of the preceding conversation may have been edited for the purpose of [inaudible 01:08:13] clarity.