Zero Trusts Given

Zero Trust as a Journey: Lessons from General Robert Skinner

Episode Summary

In this episode of Zero Trusts Given, host Tom Tittermary speaks with retired General Robert Skinner about the evolving role of Zero Trust across the Department of Defense. Drawing on decades of experience, Skinner emphasizes that Zero Trust is an ongoing journey—not a fixed endpoint—centered on resilience, identity, and continuous improvement against adversaries. The conversation explores key trends like the growing importance of identity, the balance between standardized solutions such as Thunderdome and flexible architectures, and the expanding role of AI in both cyber defense and attack. They also highlight persistent challenges around data visibility, logging, and cultural barriers, underscoring that achieving true Zero Trust requires both technological advancement and a shift in mindset across the organization.

Episode Transcription

General Skinner

 

[Tom Tittermary]

So hey everybody, welcome to another episode of Zero Trusts Given. As always, it is your host Tom Tittermary coming here to have a conversation on the topic of zero trust in the Department of War. Unfortunately, once again, you may guess I recorded both these episodes on the same day.

 

Episode number two that we are without my incredible co-host Tom Giannellis. I promise he's going to be back tomorrow and for a couple of other episodes are going to be recording to have some more conversations with some other industry partners. However, today I have one of the most interesting guests I've ever had on the show.

 

I've got with us General Robert Skinner, which is kind of amazing and I'm kind of in awe that you're able to join us here today. But General Skinner, thank you so much for coming and I'll leave your introduction largely to yourself on who you are, where you came from, and what we're hoping to talk about today.

 

[Robert Skinner]

Awesome, Tom, and thanks for having me. It's always an honor to spend some time with you, no matter what the forum, no matter what the media is. I'll tell you, long story short, I'm a Midwesterner.

 

I'm from Indiana. I joined the Navy straight out of high school. I spent 40 years in the military, five years Navy, 35 years in the Air Force, and now I've started Skinner Strategic Solutions.

 

I'm just really consulting from a leadership, from information technology, from a cyber, you name it. It runs the gamut of organizational design. And so just really trying to help organizations, and whether that is the industrial base, whether that's a commercial company, or whether that is a federal agency, right, or the federal government.

 

Just really trying to help them stay ahead of the adversary and make sure that we are in a position of advantage, no matter what we are doing in relation to the United States of America.

 

[Tom Tittermary]

I'm going to steal something you just said. You very specifically said the industrial base, because I'm having a very interesting time figuring out now if it's still the DIB or if it's the WIB, because the Defense Industrial Base means it's the Department of Defense. Well, it's not the Department of Defense anymore.

 

It's the Department of War. I don't like how WIB sounds for the War Industrial Base, so I am also going to pivot to just saying industrial base for conversations going forward. So providing value, like, right out the door.

 

But one of the big topics I want to bring into this podcast specifically, and there's so much to talk about in this area, we talk about zero trust relative to the Department of War. And we've, I think we've got 16 or 17 episodes in the bucket. I see no end in sight.

 

But I just wanted to see from where you get to look at things, you've got to have, from my perspective, some interesting perspective on what does this evolution to you look like over the last three years? What are the big trends you're seeing? How do you think things are going?

 

I'll just open the discussion right there.

 

[Robert Skinner]

Awesome, Tom. And I would tell you, just based on that opening, we could be here for hours, talking about the evolution. Here's my big point with all of this.

 

You know, there are many nations and there are many administrative defenses and stuff like that, who don't even have a date on the wall, you know, a marker on the wall of when they want to be truly, I'll say mature in zero trust, right? Anyone who says that we are going to be zero trusted by X date, I caution, because you're, to me, you're never zero trusted. It is a continual journey of continually making sure that your cybersecurity posture is the best that it can be in relation to, you know, criminals, adversaries, whatever the case may be.

 

And so when I look at what the DoD, DoW is doing right now, it's really, it's about, let's have a plan, whatever that plan is. And let's identify key attributes, key activities, and key capabilities that are necessary to continually improve our posture, our cyber posture. And I'll just, I'll leave it at that.

 

And we can go into a whole bunch of different areas of that. And now it's, okay, we have these 153 items, I forget what they're called, they're Adam's activities, whatever the case may be, that says here is, you know, for you to be kind of compliant. I would say ready, I don't like the word compliant, because to me, it's all about readiness and resiliency.

 

[Tom Tittermary]

If you're, the moment you start talking about compliance, the more people look for the checkmark more than the individual result underneath, I think.

 

[Robert Skinner]

Exactly, because this is, you know, we've got to be outcome based, we can't be compliance based. And so, you know, the more of those that you have, the better posture that you are. And really, it's about, okay, let's lay this out.

 

And every organization should be, and many of them are going through and going, okay, where do we stand? Right? Because the biggest issue with zero trust, to me is understanding.

 

In fact, I would say in anything that we do, the biggest thing is understanding, because if you don't understand, then you can't really put a plan in place, or make progress along that journey. And then let's have that plan in place. And then let's prioritize.

 

Let's figure out and working with industry and working with others, let's figure out what's the most important next thing of these remaining actions and activities that we have to do. And then let's get after that. And that's really where the department is right now.

 

It's every organization has either gone through or continues to go through that assessment of where we are at. And I would say we are better than what we thought, but we're not where we need to be.

 

[Tom Tittermary]

Yeah, I think it's been really interesting to watch. From the very, very beginning of this, I think that there's been such a massive focus on getting really granular and specific and good from individual MILDEPs and COCOMs, a focus, not necessarily a target goal, but a focus on identity specifically. I think posture has been I mean, since HBSS, right, like posture has been an important component relative to where people would look and say, hey, what is the health of this individual asset out on the network?

 

All the going all the way back to comply to connect, right. So, you know, back in the day, the health of the asset based on HBSS would determine or Forescout would determine if it would if it was compliant to connect to a network, right? That evolution that I'm seeing now is all right, we need to be more concerned about identity.

 

And it's not necessarily that I need to comply to a network, I need to be able to provide enough policy decision point data on the health of the asset, the geolocation, the identity, to determine if this as if this individual if this user should have access to this individual piece of data. And sometimes just like at the level of the application, but then in the application, it'll say, Alright, now that you're in the application, you get this individual piece of data. I'm watching that evolution happen.

 

It's it's, I don't want to say it's a crawl, right? Because I think things are moving at an appropriate pace. But the problem area just in terms of total users, total amounts of data, total applications is so huge.

 

I'm watching it move in the right direction.

 

[Robert Skinner]

Yeah, I agree heartily, right. And I do think it's we're at the walk stage, right? We're past the crawl.

 

I'll tell you, you know, going back to even comply to connect, right? That's something that is, in my eyes, very simple. It can be implemented, it can be instituted.

 

But I'll tell you, we haven't done a great job of that throughout the years, right? Because it's easy to put something on a device or see what a device is. The harder part is the control piece.

 

And how are you controlling you that asset, that identity, that individual, the non-person entity, person entity, to me, that's kind of where the next phase is. And so to me, some of it is just a little, let's get the groundwork done, right, the baseline, base blocking, tackling, and then really get at two, which is the heart of the adversary, the heart of the threat today, right, which is identity. Yeah, I would offer today, identity is the center of gravity, and the critical piece of terrain, from the department standpoint, and from moving forward.

 

And that's both person and non person entities.

 

[Tom Tittermary]

Yeah, I think one of the big things that I've seen like in so kudos to you in your time at at DISA, right, the I think still my favorite, it's I'm such a nerd, I have a favorite technical document in the in the context of DoD zero trust. And I still use this. And I show it to people all the time when people say, Hey, you go to a conference, and there's like 88 vendors on the floor.

 

And every single one of them is like, I'm the zero trust. So these these poor individual, you know, folks out in the environments, they go, What do you what do you how do you do the zero trust thing? And every, every, I feel like most of the booth.

 

No, we're the most important part. And so there was in the difference in the DISA zero trust reference architecture v1, I think it was page 12. There's an OV-1 diagram of this is zero trust.

 

I still use that. And when I'm when I'm baselining conversations with customers, I don't think it's been done better, just in terms of a, hey, the identity has got to be straight, I got to validate the user or non user identity, I've got to validate the posture of the asset, I'm going to utilize that predominantly to determine if they have access to DAAS: data, applications, assets or services. And then all of that data is going to go to a logging system, that data, I'm going to leverage either really smart people or some level of AI ML to reiterate relative to policy, and then that is going to determine.

 

So kudos, that was like, so number one, and how I've kind of baseline the conversation for a long time. Next, I believe came the DISA zero trust reference architecture v2. I've had the pleasure and the honor of having Mr. Fried or Mr. Brinker in here to have that conversation. But that was like, hey, you thought number one was good. Now, you know, and then the concept of software defined perimeter came out. And instead of, you know, so assume no implicit or explicit trusted networks, software defined perimeter inside out is the way to go.

 

But then what was really interesting was so I saw a lot of commonality between the DISA documents, Randy Resnick's 152 controls, amazing. And I talked about them. And I talked with them customers all the time was the first place where Randy will talk about the DISA zero trust reference architecture v2 document as being like, that's the best text document still.

 

But what I was seeing was DISA was very much on the side of no implicit or explicit trusted networks SDP. But in the controls, the activities, zero trust activities, I see software defined networking, acronyms, and methodologies and references through a lot of the documents. And I couldn't, I've never really been able to figure out is that an opportunity for folks to get there quicker, bring the old the old into the new or what is it, but that becomes a really interesting second point in some of these conversations.

 

Like how should this? Do I solve this at layer three with software defined networking? Do I solve this at layer seven with like an application set like something like software defined perimeter?

 

[Robert Skinner]

Right. And I think, you know, from my perspective, and again, I think, you know, the reference architecture, you know, great work by, by the team. Right.

 

And I would offer the 152 controls and reference architecture that really shows where DISA and the CIO team working together is very powerful. Yeah. And so, you know, kudos to the team and Randy and, you know, Roger Greenwell and everyone else that we know within the, the, this team, to me, your reference architecture has to have some flexibility in it.

 

Because if it's too prescriptive, then it becomes too expensive. And then B, it's hard to get to a very prescriptive environment from from where you're at. And so to me, what it what it offered was, hey, let's have some flexibility, so that no matter where you are at, you can get some quick wins.

 

Before getting to the layer seven, right, you know, there's some things that you can do in layer three that can help you and support you while you while you continually to transition. Because, you know, the other issue that we have within the department continues to be legacy. Right?

 

You know, there, there, there hasn't been a an organization or the CIO has not done and I'm not disparaging. But you know, putting a marker on the wall that says for the entire department, we're going to be a little more draconian from a technology standpoint. That's just very hard, hard to do.

 

So you have a significantly complex and interspersed environment that's not homogenous. And therefore, organizations are in different stages and different maturity levels and different technologies. And so we've got to give them an opportunity to get to a standard baseline, or at least a standard capability.

 

And then you and then you build from there.

 

[Tom Tittermary]

Yeah.

 

[Robert Skinner]

So I think that that's really what it's about. It's providing that flexibility.

 

[Tom Tittermary]

I'm not seeing an ocean of like coalescing around individual technologies as we're looking as this thing moves forward. But the benefit to me is I do see, you know, Randy and this all at the beginning was like, hey, there's a big cultural shift that needs to happen here that I see happening. I do see people changing the way they're talking about zero trust, right?

 

Like you made a really good point earlier where zero trust is not a solution. It's a practice, like you get up every morning and you make the environment more zero trust. I meditate every day, right?

 

So it's not like there's going to be a day I wake up and I'll be like, I'm all meditated. So it's like, because now the day is going to hit me and now I need to meditate again. It's your I look at zero trust the same way is right when you think you're there, then then something changes and you're you got to get there again.

 

Right, right. But it's that that evolution, that process, that part of it that I've seen is like, I think the two big public hits, I say hits, not as in like somebody takes a hit, but like top 40 hits that have kind of made their way through and gotten press, because they've made it through. And there's, there's the public announcement from Randy's group.

 

So one Thunderdome has made it through all 152 activities, zero trust activities, and then Flank Speed, which is predominantly a Microsoft offering that I've seen Randy talk about on stage at in Baltimore is the the other one that I know is through, I believe there's a third one called Fort Zero. That was a Dell offering that was really more focused on isolated environments. What I've seen out of those, those three, and we were, we're, you know, to give a look behind the kimono, you know, there's a talk about what we're going to talk about before the show, we were talking about those are very kind of like static prescriptive architectures that depend on specific tools per category is you use all of these individual things, and you hit 152.

 

And I think that's, I think right now, that is a great place to start, right? It's the rabbit on the dog track that everybody else gets to chase. What I have noticed is I've been talking to I have some friends working on Everest at GDIT, I have some folks working at some other places, where I see some of this going is, is more, as you were talking about more granular, flexible methodology based rather than tool based architectures where, you know, there's a lot of data assessment at the beginning, a lot of gap analysis, and then a series of tools that can be picked per category to get to 152 individual to an end user. I don't know if you're seeing the same thing.

 

[Robert Skinner]

Yes. And so, you know, to me, we were talking about the reference architecture, right, and having some flexibility in there. To me, what what Thunderdome really brings, in my eyes is, hey, that this is a, a, I'll say tried and true, some people would disagree.

 

This is a tried and true way that for organizations who have either been directed or who want to be part of this ecosystem, that we have the solution for you that there is a solution, you don't have to worry about a lot of it. What we have to do is understand kind of where you are at, right? So we do the understanding of the gap analysis.

 

And then we figure out, okay, from that gap analysis, how do we bring you on to this environment? Because this standard environment, the standard ecosystem allows DISA to be able to provide better capability, better service at a good price point, right? So it's a best value versus cheapest or most technically capable.

 

But to me, this provides the best value. For organizations who are not going to be coming to Thunderdome and DoDnet, I bring those together. Those who aren't, there is some some flexibility within the department that says you don't necessarily have to go with, with what DISA has provided or with what FlankSpeed has identified.

 

There is some flexibility there. What I would always caution organizations is the more you divert from what we what I would call a tried and true, then that brings a lot more lifecycle cost to your organization. So there's a lot of training, a lot of education that's already being taken care of, or that can be amortized across the environment.

 

Now, when I say amortized, I'm not just talking about cost, because at the end of the day, this is about resilience, and it's about readiness. And that's really what this is providing is it's a ready environment for the future and the current state.

 

[Tom Tittermary]

Yeah, it's, I think it's interesting where a lot of the individual customers that I'm talking to, they're trying to figure out, they're trying to consolidate and really land on exactly what their specific path to zero trust by the 2027 goal is going to be right now. So they're making choices. And they're making the exact choice that you were just talking about.

 

They're making the choice of, well, I already have a pre-existing relationship with Microsoft. So it'd be crazy for me not to look at the opportunity of FlankSpeed in my environment. They're having the conversation, especially the DOD agencies in the Fourth Estate, hey, it behooves me to look specifically at Thunderdome.

 

But one of the, I think a lot of the confusion in those areas is, once I, when I'm making that decision, what is the compliance path, not compliance path, but how do I get checked by DOD to make sure I'm in a good spot? And I think one of the biggest things that I've run into is that if Thunderdome and FlankSpeed specifically have been validated through Randy Resnick's office, but if there's some pivot, like in any of the 152 activities, from what those reference architectures are, there is a notion of there being basically like a new Purple Team test out of Randy Resnick's office. And I think most of the customers I've talked to, I don't think I've run into one where there didn't have to be, just mechanically, some kind of pivot off of the standard architecture.

 

But just, I don't know if you've run into any of that, thoughts around that.

 

[Robert Skinner]

Yeah, that, you know, to me, it's, you know, because at the end of the day, what does the Purple Team really do? Right? I mean, it's really, at the end of the day, it's supposed to ensure compliance, it's to ensure readiness of the solutions and or the capabilities.

 

There's multiple ways that you can do that. I would say, unfortunately, Randy and his team don't have enough capacity or capability to look at all this. Yeah.

 

Right? So what are some other options and some other alternatives that ensures the validation of the capability within the Zero Trust architecture, but also enables Randy and his team to be more capable? Right?

 

And so I think there's other alternatives that can be used. And to me, you know, the other thing about Thunderdome is, it is flexible enough, in my eyes, that if there is a newer technology or a greater technology, then that can be incorporated into. And so, you know, it's not just stuck on the initial offerings, which to me is the beauty of it, that it still enables, you know, because what you don't want to do is start with a technology, that company organization, for whatever reasons, doesn't innovate, doesn't modernize, doesn't ensure that they're keeping up with what the technology is, even on the commercial side, then that's not a partnership. And so you want the ability to bring in newer technologies and better technologies that offer even greater readiness.

 

[Tom Tittermary]

Yeah, I totally get that. So thinking about where I want the conversation to go, right, when we're looking at that individual gap analysis, and looking at some of these individual gap analysis areas, I think the main categories that a lot of people roll to, I think most people are doing a fine job with logging, right? On the, you know, in terms of the, it's funny.

 

Mentally, I always go back to that OV-1 diagram. Logging's on the bottom right. Look, I can close my eyes and see the diagram.

 

I think most people are doing a great job, a fine job with logging. I see some people... So I'll push back a little bit on that.

 

Okay.

 

[Robert Skinner]

I don't think they are.

 

[Tom Tittermary]

Okay.

 

[Robert Skinner]

Because think of logging and how long they keep that logging. Tracking. Right.

 

Because I mean, it's, you know, storage isn't cheap. You think it is, but it's not necessarily cheap, especially when you start talking about cloud. Right?

 

And ingress, egress fees. I mean, this can be expensive in one sense. While logging may be occurring, it's not at the point where I think it needs to be, because A, I don't think all the assets are logging.

 

And B, I don't think the logs are kept long enough to enable the true analytics superiority that we need to understand. Because even today, the amount of time it takes to find an adversary in your network, it's not instantaneous, right? And so you have to have that forensic ability going back longer than what many logs are showing.

 

[Tom Tittermary]

So this is not where I expected this conversation to go. And I don't think you were expecting me to say this next thing, but this is... So I was in another...

 

I wasn't born as a Zscaler employee. I had another position before this one where this was actually kind of like my specialty at that company. It was a flash storage company.

 

I'll call them out. The Pure Storage. They're great guys.

 

But I had an opportunity in an individual spot where the conversation became, hey, the typical adversary in the environment today is running low and slow, right? So most of the log environments that I would run into would be... Rattle off your SIEM vendor in your head, right?

 

They always talk about hot, and then cold, and then archive, right? The adversary, if they're doing their homework, knows where that line is from a day perspective, right? And I think the average hot that I'd run into in environments was two weeks.

 

It depends on ingest and budget, et cetera, right? So the adversary literally will pivot their plan based upon where the hot to cold line is, because they know if they break the cold line, then if a bunch of analysts go in and they start firing all-time queries on wide area searches across network diagnostics, none of them are going to come back, because they'd time out against the individual disk storage, right? So here's me starting the conversation.

 

Yeah, everybody's doing great. And then being like, because the way I'm thinking about it is, well, they're getting all of the logging. Where I do see this going, there's two places I see this going, absolutely, is the box right above logging in the OV1 says AI or policy iteration tools.

 

And when you wrote it, that wasn't a thing. Right, exactly. But today, that's a perfectly viable part of the conversation, is how can I have an individual AI look through my notes and then provide me much cleaner and more granular and basically like reference-based associations to take all these, I always talk about log entries as red, yellow, green, right?

 

How do I get all those yellows and cleanly pocket them into either glaring red or green, so don't worry about? So that's the big one that I see there. The other interesting part of this conversation that involves AI is I think the standard adversary up to March of 2026 has been the low and slow.

 

And we all know that the big flash where they do something big, you're never going to see that. With agentic AI agents, I think it flips the other way, right? I think it's a blitzkrieg, if I'm just going to give it like another military reference.

 

I think it's an overwhelming application of microsecond force against a series of front doors and then a blitz. And I think that like the standard methodology for most of those cases, from a standard SIEM perspectives, not necessarily efficient. There's going to need to be AI receivers that have playbooks to act on criteria.

 

It's going to have to happen at wire speed in that case. I agree. So thank you so much for disagreeing with me on, we're all set for logging because that probably might be one of like the more interesting parts of the conversation today.

 

Are you tracking like on any of those things that I'm seeing out there?

 

[Robert Skinner]

Yes, I agree. Well, and I like the blitzkrieg approach. What I would say is the smart adversaries will do both, right?

 

Because you can hide within a blitzkrieg too. It's true. Right.

 

And so I think that those who want to be more successful, not that I'm giving a playbook for adversaries, please don't. Defenders, let's go. You got to be able to do both.

 

And you have to be able to defend both. Because I'm with you, right? Agentic is going to bring the capability to bring more mass at a faster pace than what the defenses can do, right?

 

But I also think if done right, agentic can bring faster defenses.

 

[Tom Tittermary]

Agreed.

 

[Robert Skinner]

Against that blitzkrieg and against those things. So I think there's a notion that I think that they both will become a lot more capable.

 

[Tom Tittermary]

Yeah. I think that people who, the three of you that regularly listen to the show, will appreciate that I very infrequently will say, hey, Zscaler and why, I'm just trying to give industry perspective. You've landed on pretty much like why, one of the main reasons I landed at Zscaler though, and it's kind of, it's come to fruition with this whole AI adversary component of things is, I think that if you look at the adversary in 2026, by and large, the playbooks that they are still running is find front doors, find publicly accessible front doors.

 

Because it's easiest. Find vulnerabilities for those front doors, exploits for the front doors, land on a network, find a soft host, pwn that soft host, and then utilize that individual host for privilege escalation or data discovery, destruction or exfiltration. Like that's the playbook.

 

It's the playbook that every adversary AI has been taught on in the last two and a half years, because that's the playbook. So to the credit of DISA for saying, hey, proxy inside out, SDP, if I can take the front doors out of that equation, right, I literally have to make, the adversary now needs to rewrite their playbook. Right?

 

It's an English longbow opportunity in the world of cybersecurity where if I can make these front doors go away, they could have as much agentic adversary control as they want. If those agentic adversaries are going to, at the speed of light, look for all the front doors, if there are none, they have to go through the exercise of retraining AI, rewriting playbook and working through that whole angle on that side. So there's also the angle of, I think of, I end up having a lot of conversations about packet capture, right?

 

Petabytes and petabytes of data. And I used to say that there wasn't a lot of value to it because there's just too much data for humans to be able to parse effectively.

 

[Robert Skinner]

For humans.

 

[Tom Tittermary]

Right? And then I start having interesting conversations with my buddies from Vector AI. We did a show with those guys.

 

So those oceans of data become valuable again, right? And literally that, hey, just the AI will go, no, here's the needles, right? But I think that when we get back to the software-defined network, software-defined perimeter piece of this, when we go from I'm managing this from individual network segments to I'm inside out and I'm SDP, I think it just shrinks the attack surface so much that it simplifies, even if both sides are operating at the speed of silicon, it simplifies the operating environment on the defensive side where I can make it about people and assets, not necessarily mind all the individual network segments.

 

[Robert Skinner]

I agree. And I'm a firm believer that simplification is the most important thing a defender can do and within their architecture, right? Now, some people say, well, if your environment is too simple, then as an adversary, it gives me opportunity to be better.

 

But I think that's where the advantage is on the defender. If it's simpler, because then they understand it better at the end of the day. The other thing I was thinking through as you were talking is, you know, as you think through identities today, right?

 

And, you know, all these agents are going to have an identity of sorts. So as a defender, and even from an offensive perspective, understanding the identity of those agents and what they can and can't do is something that we are falling woefully short of. And I think this is across the board.

 

I think this is a global issue, not necessarily a DOW issue. And so those organizations who can master that first will definitely be on the high ground when it comes to defense and even offense. Because that to me is, because there's going to be, I mean, a factor of, you know, 30 at least on the number of identities that are going to be coming over the next few years than what we're dealing with today.

 

[Tom Tittermary]

Yeah, I think the, like, if I take three steps back from that, and I think about the problem, not, I don't want to say the problem, the opportunity of identity and agentic AI, it just gets really interesting because I don't, there's like a fundamental category shift between a human and an individual AI with regards to what type of access I would give them to. And I would probably be much more strict on the AI side and conservative about the sensitivity and classification and breadth of data I would give them access to than a human, strangely enough, simply because of the amount of damage they can do as a function of time. Right?

 

Like an individual human, I might go a little wider because by the time they find the individual sensitive data that they could individually exploit or leverage, they're slow enough that I can catch them, or an AI would catch them in that case. But I would think that you would want to be much more conservative relative to AI, specifically because in, you know, milliseconds, the damage could be, it can compound, right?

 

[Robert Skinner]

So the question becomes is how confident are you, or how confident is the organization that that can be done, that you are limiting it to where you think you're limiting it, right? Because, I mean, the rush to AI without the appropriate safeguards is a recipe for disaster for you as an organization in my eyes, right? And I'm not saying slow down, but I'm saying, you know, running with scissors isn't always the best thing.

 

And to me, you know, we want to make the most effective use, we want to empower our force and our organizations to leverage this technology to the best extent possible. Sometimes those who are leveraging it don't quite understand fully, and therefore, they're putting themselves at more risk. And as you said, right, there's a time value of the agentic AI environment, the time value has significantly increased more than what it was even two weeks ago, right?

 

And so that's one thing that we've got to make sure that you as an organization, how are you managing and then validating the management of that to make sure that you're not opening yourself up for agentic AI issues?

 

[Tom Tittermary]

Yeah, so the agentic AI issue is the one piece. The other side, though, I have conversations with folks all the time about, I need to be able to allow the warfighter the ability to leverage agentic AI in their daily tasks and operations. But there's concerns about how do I do that effectively?

 

And the way that I always baseline the conversation was, do you remember when everybody had to do their weekly bullets for DOGE? Right?

 

[Robert Skinner]

I'm glad I wasn't in.

 

[Tom Tittermary]

And then I immediately, following up, asked the question, I go, how many of those do you think got written in commercial ChatGPT? And the answer is not zero. Like, you can't defend the answer of zero, right?

 

So there's the opportunity for some adversary to swing behind and be like, hey, tell me everything interesting that happened in Norfolk, Virginia, relative to dot, dot, dot. And they would probably get some level of response out. So how do I manage that process?

 

Like, how do I say, hey, from the host out to individual service, like, whitelist, blacklist is one thing. But how do I manage that really granular policy perspective on, hey, IL5, Copilot, Microsoft, all day, go use it. This service, go use it.

 

This service over on this other side, either blacklist completely, or maybe I want to browser isolate the session. Or maybe I want to do very granular DLP. I definitely want to probably pull all the prompts that are going over to the other side so that I have them for intelligence.

 

And I want to have some granularity of operation. But that is a way that I see people coming at it, thinking about it more and more. Right?

 

Because the tool sets are, one, they're playing leapfrog like crazy. So you're going to, like, Tuesday, everybody's going to be on Claude. And Friday, everybody's going to be on Gemini.

 

And then Copilot's going to have a big bump. They're going to swing this way. Like, to do that for a big organization and manage those is, it's, I totally understand it's daunting.

 

But that is a large part of the conversations I'm having right now, in terms of how do we do that.

 

[Robert Skinner]

Correct. And you have to be done. And to me, that's where, you know, we were talking earlier about data, right?

 

And data being a center of gravity and, you know, and all the challenges, but also the opportunities of that. To me, that goes to, do you understand what your data flows are? Right?

 

Whether it's an application going out, whether it's an individual going out, right? I mean, to me, understanding the data flows is just as important as understanding the data. Because then you know who's going out, right?

 

And there are tools out there today, right? That organizations can use that will show them, hey, here is the number of users, the number of systems that are going out to leverage, you know, a Gen AI. Here's things that are going out to leverage other parts of this AI ecosystem.

 

And it's daunting, first and foremost. But also, it's pretty surprising to the senior leaders to go, wow, we didn't know that there are this many people, this much, using this number of things. And so to me, you have to understand the data flows.

 

And leveraging the technologies out there today will help you.

 

[Tom Tittermary]

Yeah. Well, that brings us around to the data conversation. I could bring you in for a whole other day and have this conversation.

 

We do quite a bit on here. I've had my buddies from Varonis in here. And this is a topic near and dear from my old days, back when I was at Symantec.

 

But the data piece of it specifically, I'm going to lay out what I think is like the fundamental, like baseline issue, concern, opportunity here is to do this job effectively. You've got to tag effectively and comprehensively and cumulatively with a common framework across the data set that you want to control, one. Two, you've got to grant whatever tool set you're using to manage full access at a granular level to all of the data, one to tag and two to enforce.

 

And three, you've got to watch all of your data at rest to figure out what data is in the right place. And then you've got to do it in flight to make sure, exactly as you said. So I'm managing those individual data flows on the way out, right?

 

So all of those individual things happen at the same time. I don't believe in 2026 with the amount of data that's getting made on a daily basis, that there's a reasonable argument that you could utilize humans to do that work, right? And we talked about this a little bit.

 

[Robert Skinner]

There is a reasonable argument?

 

[Tom Tittermary]

I don't think there's a reasonable argument, right? I don't either. So we're going to have to bring AI into this individual concern to handle it effectively, from the tagging perspective, from the data at rest, from the data in flight perspective.

 

And everybody's brain immediately and almost correctly goes Terminator, right, relative to the individual data sets that we're talking about. So I think about this a lot. I don't see another way to come at this data task that we're coming about.

 

Part of me wonders if that's why, if I was going to pick an individual category as zero trust that I'm seeing having the hardest time making progress, it's this one. And I can't tell if it's that fundamental concern about these are the things we need to use to fix this test, or if there are other things to sort out and figure out there first.

 

[Robert Skinner]

Well, to me, I think, you know, even within the zero trust pillars, right, there is a level of maturity. There's some things that are much easier to do than others. From my perspective, I think it is the data piece is harder than some of those, right?

 

You know, if you want to do comply to connect, as an example, you know, it may be painful, but it's kind of pretty easy to do. And it's been around for a while. To me, the data piece and the analytics, right, whether you understand the data flows or the data itself, there is so much unstructured data, for example, across the environment that to even try and sift through that and understand where the needle is in the haystack, it's just, it's too daunting of a task.

 

So what do people do? Too daunting? Okay, I'm going to go on to something else, right?

 

Just because of the environment that they are in, that, especially from a government standpoint, you don't have the same level of resources as you used to have from people's standpoint, right? All we have to do is look at what happened during the DOGE day. I'll say the DOGE days.

 

I know DOGE is kind of still around, but so there's a lot less people doing the tasks that they were supposed to. And so that's leaving a lot more workload on those who are still around.

 

[Tom Tittermary]

I'll, I'm going to, I will qualify that I'm talking about scenarios and things that really happened. And I'm, that's the most I'm going to say on that to properly obfuscate that. But I've been involved in pilots over the course of my career where there was a concern about data regulation, data authorization, et cetera.

 

And, you know, me or friends of mine came into this non-described entity. There's multiple cases of this. And we did a pilot where we demonstrated that we could very accurately tag and qualify data and that we could show data in places that it didn't belong.

 

And some of these were small pilots. Some of these were larger pilots. The outcome is 100% consistent across every one of these pilots I did.

 

We would demonstrate and show the results. And the person that we were, that asked us to come in would reply with, we never talked, this never happened, and we will stop talking now. Right?

 

And it goes to exactly what you're talking about where nobody has the tools or the process to, I think that the single biggest like human component of this is the, I believe that in most of these cases, it's a cultural issue we need to fix. It's like we need to understand cumulatively that everybody has this problem. Right?

 

But I think every single scenario like that that I was in, the person in charge was like, oh, I'm going to get blamed for how did you let this happen? When it never happened, it's just the course of how we've gone about the mission for 40 years. So no, it wasn't your fault.

 

There needs to be this notion that the problem is pervasive and consistent, and we need each individual leader to talk about how bad it is in their organization and how much help they need. But I think that's a clean pivot off of like nobody wants to, especially in the DoD, nobody wants to say, I'm mishandling data. But that's a really tough cultural pivot to make.

 

I think it's one we almost have to make, though.

 

[Robert Skinner]

Well, and as you were talking, right, it is all about culture. Right? And there are mistakes, right?

 

And then there's, I'll say non-mistakes. There's more legal type of intent. Right?

 

We'll push that to the side. You know, the environment is where it is. So as a senior leader and a mid-level managers and whoever the case may be, the best thing to do is know.

 

You know, it goes back to the situation awareness and understanding. I'd rather know. And then, you know, so we're red on a chart going up to the senior leaders.

 

Right? As long as you have, A, red is, I'll say red is good because you know. Because I'll tell you, a lot of greens out there aren't really green.

 

Yeah. Right? And so, you know, as you think about the red, but as long as you have a plan or a, here's what I need, I mean, that's what the senior leaders are asking even today.

 

Right? And this is tried and true. Senior leaders continually ask their force and their teams, what do you need from me?

 

What can we do? Now, you know, sometimes a senior leader can't get them that for a variety of reasons within the department. But they're actually looking for, hey, where can I help you?

 

And to me, this is a perfect place. Is okay, you know, because your data is a center of gravity. And so to me, it's a, as you mentioned, it's a culture change that we've got to continue through the department that says, you know, yeah, it's not as rosy as you think it is, but it's not as bad as you think it is.

 

So let's get after it. Let's understand it. And then let's fix it.

 

Because I'd rather fix something in peacetime than I realize, you know, Iran is going on, right? And so there is a war going on or in military incursion. But I'd rather, you know, a big war is, it's much different.

 

And I'd rather get things done now in preparation for a potential, which we hope never happens, but it could.

 

[Tom Tittermary]

Yeah, agreed. It's funny, something you said, I think I've mentioned this on the podcast before, but it's like, there's a phrase that I think Donald Rumsfeld was like very publicly made fun of for making, but it's one of the smarter things that I've heard. And he talked about known knowns, known unknowns, unknown knowns and unknown unknowns, right?

 

And I think this data authorization category falls for a lot of people squarely in that known unknowns. It's that I'm actively going to have some level of lack of knowledge on this topic, because I, prior to investigation of it, I know there's nothing I could do. Like, I don't have the materials or the sourcing to staff it right now.

 

But I think culturally, like, that would be the pivot there. The other one that the other.

 

[Robert Skinner]

Which is bad, right? Because to me, an unknown unknown is really bad, right? But a known unknown, right?

 

Or, you know, if you know something, but you're not doing something about it, that's a bigger issue. And so that to me goes back to the accountability, right? Every individual should be accountable for their duties.

 

And if you see something that is not right, or see something that is not where it needs to be, then you need to address it. And I think we need to do more of that.

 

[Tom Tittermary]

Agreed. One of the other topics right in this area we were chatting about before we started recording, sort of a universal taxonomy for data for DOD. For my perspective, right?

 

So let's say that we've identified the tool sets that can look over these zettabytes of data and tag them appropriately. And one of the things that I'm a massive advocate for is sort of a universal data taxonomy for DOD. But it becomes a very interesting thought exercise when you're like, yeah, but how do you do it?

 

And I always go back to, everybody knows, kingdom, phylum, class, order, family, genus, species. If you made it through sophomore year high school, where we talk about, you know, there's nothing that walks, crawls, swims, et cetera, that you can't. There's no living thing you can't fit into that.

 

But just a structure for data for DOD where it would fit under an existing category or if, you know, if AI is a brand new thing. So we need to create a new category, but it fits in this structure somewhere. But a really interesting thing happens for me when I go, great, what is the kingdom, right?

 

Like, what is that top level organizational breakout of data? And my brain goes a bunch of different places. Is it AOR?

 

Is it MILDEP? Is it classification? Is it, it could be any one of those things, right?

 

But it's got to be something. But yeah, just your thoughts. Have you ever gotten to have that conversation in service or is that something that you've had any exposure to or just something we really need to press for?

 

[Robert Skinner]

Well, A, not a lot of exposure to that. I do think it's something that we need to work through. We were at, you know, just the basics of, you know, what are enterprise attributes versus non-enterprise attributes.

 

Got it. Right? That's kind of the discussion point, which was very hard.

 

And so to me, the department really, as you, again, it's a building block maturity level, making sure we understand what are the enterprise attributes and then non-enterprise attributes. And then we can go to your, I'll say, 201, 301 level discussions of, okay, so what's the next level from a universal taxonomy across the board? Because I think it's hard even to do with what we want to do, even just on the enterprise attributes and everybody agreeing to that.

 

The issue becomes is who has primacy and which one has primacy? You know, we were talking earlier.

 

[Tom Tittermary]

That's not an issue with the DOW. I mean, everybody.

 

[Robert Skinner]

If you have a tactical issue, right, and you change, you know, the data dictionary, for example, and, you know, that goes up to the enterprise, which then there's a difference between the enterprise and what you're in a tactical, then you don't want to affect the tactical operation. And so there's probably a time component of that also. And then a validation concept or construct that allows you to address those type of situations.

 

Because at the end of day, the tactical operation has to be successful and needs to be successful. So maybe there's an opportunity there.

 

[Tom Tittermary]

So I have a lot of, as somebody who works for a company that like predominantly does enterprise solutions for large companies, as well as the DOD and a lot of the civilian space in the FSI community. I spend a lot of my time, and it's some of the most interesting conversations I have, figuring out how to, in the context of that enterprise solution, provide capable tactical capability. So DDO was the first one.

 

Zscaler knocked that off. That's great. So we can operate in a comms restricted environment.

 

Great.

 

[Robert Skinner]

Which is very important.

 

[Tom Tittermary]

Yeah. Exactly the problem set that you were talking about in, hey, when comms come back up, who wins the race condition? And in what context?

 

So for data dictionaries, for identity, for I think the majority of the folks that I'm talking to, I don't want to speak out loud. There's three different companies I'm working with, that tactical identity component integration with Zscaler right now. I think the general understanding is that local is source of authority with enterprise oversight.

 

But what gets interesting is, when you start talking to a lot of the forward operators, there's this context of silence, violence, silence. So there's this, or I'm sorry. Yeah, well, so if you're leaving base, camp, post, or station, you're going to go comms dark purposefully.

 

And then on site, when things move kinetic, you're going to open comms back up to have your full reach capabilities, right? Right. So the DDO window that happens in between, let's say you make a couple of changes to allow the Aussie mission partner in, do they get kicked off the network when I go live on site?

 

Well, it's like, no, we've got to work through those. There's some very granular, mechanical, meaningful, like, they're not hard things to work through. It's just you've got to really do the, walk the exercise mentally on how these systems are going to work.

 

But that's a super fun thing that I get to work through.

 

[Robert Skinner]

But that's not a technology issue, right? That's a policy and a guidance type issue of how you want it to be done, because the technology can do it either way.

 

[Tom Tittermary]

Correct. Well, it's what is, so what's conducive for the mission should be one. And then what is effective and relevant for the enterprise should be two, right?

 

One of the other, I just had Dr. Mark Taylor in here, we were talking about that. You know, for an individual warfighter, I probably want different tightness of constraints about what I would do to restrict their access on base than I would forward. Right?

 

It would take less. If I see some very suspicious behavior and I can go tap somebody on the shoulder because they're two buildings over, that's a different policy set than I would have for, I'm going to cut access for a warfighter in a kinetic situation. Like, the bar needs to be so high on that side.

 

[Speaker 3]

Oh, yeah.

 

[Tom Tittermary]

But then the really interesting question becomes, like, I keep hearing the argument for, it doesn't make sense to have enterprise systems as the tactical edge because they're two different things and they need to be separate. That's like the strongest argument I hear for that is because, like, how do I manage that policy set for the user based on the context of are they in harm's way or not? But that's something that we work through on the policy side and back into.

 

[Robert Skinner]

Right. And when I talk policy, it doesn't actually have to be an enterprise policy, right? It can be a local policy, right?

 

By the commander. I'm always cautious when someone says, well, we need to put tactical over here and enterprise over here because I think the environment has to be hybrid and the environment has to be connected and integrated to get the full effect of it. Again, I think at the end of the day, if there's a firefight going on or something like that, then tactical, you know, do what you need to do because rarely is there an event or an incident or something that happens to where you can't recover or you can't go back and go, hey, you know, next time do it this way.

 

We will make the appropriate adjustments to the enterprise and or the tactical after the bullets stop.

 

[Tom Tittermary]

Yeah, totally agree. I know one of the other topics we wanted to get into. It's interesting.

 

We've had an AI. It's so funny how many categories AI hops across from a conversational perspective. It's like back in the day.

 

I remember if I go back 15 years, somebody would be like, hey, we want to have a meeting with you guys at Symantec. And I would say, what topic? And they go, cloud.

 

And I would go, decline. And they would be like, why did you decline the meeting? I'm like, because you didn't tell me what we're going to talk about, right?

 

I don't take, like, I just want to say hi, but you got to tell me where, like, cloud could be anything. It could be IaaS, it could be SaaS, it could be messaging, it could be this, it could be that, it could be the other thing. AI is starting to get a little, zero trust was that way for a minute, but it's gotten very granular.

 

But it's like the number of categories that AI hops across. It's like, what do you want to talk about? AI, decline.

 

Like, what do you want to talk about it doing or presenting or reading or writing or analyzing? But here's an interesting one, right? It's like outside of the area of technology.

 

We were talking about, you know, young people coming into the workforce, specifically in the area of internships, right? So there are, yeah, I'm very sensitive to this. I have a second year in college, sophomore in college right now.

 

And I got to, I'm going to be an empty nester in the fall with my other daughter heading off to college. So the notion that a lot of the work that companies or MILDEPs or military are doing that could have been sourced by interns can now be outsourced to AI, right? So in law firms, they talk about like the big brain drain of, if there's no paralegals, then roll the clock forward 30 years, there's no senior legal representatives of the firm, right?

 

But I just wanted to open that, like, are you seeing, do you have concerns about that, like relative to DOD or anything like that from that side?

 

[Robert Skinner]

Oh, yes. And, you know, it's funny when you talk about, you know, AI and, you know, it's gone, you know, you can talk so many different subsections of that. You know, when I was out at RSA a couple weeks ago, and you're walking along the booths and the vendors, right?

 

Which I still have a hard time doing that. Everyone had AI in it. And it was just, it was fascinating that, you know, but then to your point.

 

[Tom Tittermary]

Zero trust in AI. Yes.

 

[Robert Skinner]

Zero trust is now the smaller letters than the AI is the, yeah, yeah, yeah. It's almost like the small print at the end of the paraphrasing or quote. But it's interesting.

 

And so, you know, to me, though, what we're not really talking a lot about is the impact to the workforce, impact to our children, right? Impact to the college graduates and the folks who are just entering the job market. You know, everyone will say, well, you know, in two years, AI is gonna, you know, get rid of the entire entry part of the work environment.

 

I think that's a big mistake. Because I will still offer that diversity of thought is very important. And if you don't have individuals coming out of college or trade school or whatever the case may be into the workforce, then you're losing a lot of the diversity of thought that you would have with them coming in.

 

Do I think it's going to change the entry-level workforce? By all means. But I think if I had one thing to say to any student or to any person entering the workforce, be an operational technologist.

 

What do I mean by that? It's you've got to have a good understanding of technology, right? And most of them are using it today, right?

 

In some form or fashion, right? Whether you're using it on your smartphone, whether you're using it in some application, whatever the case may be. In fact, you know, the kids and I have all kinds of conversations about Claude and ChatGPT and how to better leverage it even within your day-to-day personal lives.

 

So understand the technology, but then understand the operations, understand the mission, understand the organization, understand. And so when you're going into interviews, then you can relate, you can show them your value above just coming in and doing, you know, a very basic task of understanding how to be an operational technologist. So you understand how you bring technology to their operation to be value.

 

Because at the end of the day, companies and organizations want value, right? And I think that's how people can bring value. So I'm not a believer that it's going to fundamentally get rid of the initial entry workforce, but I do think it's going to change.

 

[Tom Tittermary]

I look at it in a lot of ways like, you know, Adobe Acrobat, right? It's like there were artists that didn't know how to leverage Acrobat and digital editing for a period of time, but it was this massive new tool set that could drastically change outcomes and reduce time to delivery relative to. So, you know, a year and a half, two years, three years in, there were people that did not have those skills and people that had those skills.

 

And the latter was much more employed because they knew how to apply the tools relative to the task, to the mission relative to. And the point where suddenly you would start seeing resumes out there that said, hey, you need to have these individual certifications, no different than like a Cisco CCNA or something like that. But it's like, if you don't have this bare level of knowledge, you're not going to be able to bring the appropriate tool set to the mission set that we need to operate at the pace that we want to operate at.

 

That's a lot of the conversation I have with my kids now is, and here's the thing is like, if I think AI is going to reduce the total number of internships, the weird assumption that I'm making is that all of the older, more established people in my company that have kind of a mental marriage to the way that things have always run are going to be the ones that utilize AI to innovate my operations, which sounds ridiculous because it probably is in that case.

 

But in that case, it's like, so one, if you are trying to enter the job market, know your tools, know what they can do. And to exactly what you said is like, if I know what the mission is and what the problem sets are, and then I can kind of in an interview process, talk about my ability with a set of tools that fix that process. The interview process at that point is really the same, right?

 

It's just, if you don't want to get replaced by AI, be the one that understands how to make AI effective relative to mission set.

 

[Robert Skinner]

Yeah, and resources is always a big topic within any company, within any organization. And there's multiple components to that, right? There's the dollar value, right?

 

The dollars, right? And that's always important. Time, to me, is always the most important one.

 

And being able to show value by showing how leveraging the technology, we can reduce the time commitment of individuals. And this isn't to reduce the workforce. This is to reduce the time to do X, Y, and Z to enable that workforce to really focus on the higher, a higher end type of capability or outcome, right?

 

I think it's about outcome and how is the time value decreased to enable that outcome, which then automatically brings in less resource, less dollars required to do that.

 

[Tom Tittermary]

I've always talked about, too, just from a generic technology perspective, taking eight steps back from even categories of technology, but pretty much every individual technology that you've run into has an innate level of capability, power. And what you'll notice is, if we're throwing our, you're going back in history a little bit, right? A lot of the more complex and difficult to manage systems, like Solaris was more powerful than Windows.

 

There's a trade there of complexity for total capability. And it wasn't, sometimes it was 10%, sometimes it was 20%, but it was like, there's a trade off. In the upper echelons, it mattered a lot.

 

So all of these people could make careers based off of managing that individual complexity. Because you have to take the power of the tool and divide it by the complexity of the tool to figure out what the actual individual mission impact of the technology is. AI drops that floor to zero, right?

 

Where I think that this notion of, well, no, I'm the COBOL developer at this Fortune 500 company because nobody does that anymore. Bye-bye. Like, there's this notion of the tool set, like, I can basically flatline the complexity of the tool sets by introducing a separate technology in a lot of categories.

 

I agree. Yeah. Well, General Skinner, thank you so much for your time.

 

I know it's super valuable. And thank you for coming in. I think it's just been an incredible conversation.

 

I'd love to have you back another time if you need to get that.

 

[Robert Skinner]

I enjoyed the conversation.

 

[Tom Tittermary]

Great.

 

[Robert Skinner]

We could probably keep talking for an hour.

 

[Tom Tittermary]

I totally hear you. So everybody, once again, I know you missed Tommy G today. He's going to be back for the next set of episodes we have.

 

For everybody here, please don't forget, we have an email address for the show at zerotrustsgiven at gmail.com. Trusts with an S, zerotrustsgiven at gmail.com. I would love to hear any comments you have about the show there.

 

But be kind. Also, if you have any questions that you think could be germane to topics that we talk about on the show, if we read it on the show, we'll do a grab bag episode, probably. I would love to work with my marketing folks in the back end to get you out a Zero Trusts Given care package.

 

I've seen stickers, which scare me, because they've got me and Tommy's faces on them. There's t-shirts, maybe. I've told them no t-shirts, but I'm pretty sure they're still going to make t-shirts.

 

There will be fun stuff in there. So please, if you could interact there, we would love to go through your content. But that said, General Skinner, thank you so much for the time today.

 

Thanks, Tom. And we'll see you next time. Thank you.

 

My pleasure.