Hacktivism, Quantum Threats, and the Future of OT Security with Forescout CEO Barry Mainz
Season 2 Episode 30 • Show Notes
Forescout CEO Barry Mainz joins host Frank Cilluffo to unpack the evolving cybersecurity threat landscape—from nation-state hacktivism to post-quantum vulnerabilities. Mainz highlights how adversaries are leveraging crowdsourced expertise and agentic AI to target critical infrastructure, especially operational technology (OT) systems in sectors like water, energy, and healthcare. The conversation explores Forescout’s research on hacktivist proxy groups, the growing danger posed by embedded and aging devices, and the urgency of preparing for post-quantum cryptographic threats. Mainz emphasizes the need for visibility, containment, and cultural alignment between IT and OT security teams to build genuine resilience in both the public and private sectors.
Main Topics Covered:
• Hacktivist proxy campaigns and nation-state coordination
• Vulnerabilities in critical infrastructure, especially water and energy
• Embedded devices and the rise of OT-targeted malware
• The looming impact of quantum computing and agentic AI on encryption
• Cultural and structural barriers between IT and OT security teams
• Practical steps toward building resilience and post-quantum readiness
Key Quotes:
“Nation state bad actors were using multiple hacktivism groups like an open source… crowdsourced to solve problems… It’s not 10 people sitting in a room somewhere, it could be up to several thousand.” – Barry Mainz
“You can’t secure stuff you don’t see. So it’s really about… asset visibility.” – Barry Mainz
“If your cyber vendor doesn’t have quantum-safe technology built in, it’s a problem.” – Barry Mainz
“The culture is ‘Hey, I’m in OT, stay out of my business. I’m in IT, stay out of my business.’ And I think this lack of ‘Hey, let’s go and take an approach together’ is missing.” – Barry Mainz
“Every one of the times we’ve engaged with a large corporation and they had an issue, it was costing them way more than if they would have just bought the [necessary technology protections] up front.” – Barry Mainz
Guest Bio:
Barry Mainz is the Chief Executive Officer of Forescout Technologies, where he leads the company’s mission to secure the world’s most critical assets across IT, OT, IoT, and medical device environments. Appointed CEO in early 2023, Mainz brought more than 25 years of executive leadership experience across infrastructure software and cybersecurity, including roles as CEO of MobileIron and President of Wind River Systems, a division of Intel.
Transcript
Barry Mainz [00:00:00]:
Very interesting to us, we saw this about 10 months ago where nation state bad actors were using multiple hacktivism groups like an open source, you know, kind of crowdsourced to solve problems. Getting thousands of engineers, thousands of people in these nation states to help figure out how do you breach it. And that’s scary because, you know, just think about the velocity to be able to go do something. It’s not 10 people sitting in a room somewhere, it could be up to several thousand.
Frank Cilluffo [00:00:31]:
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Barry Mainz. Barry is CEO of Forescout Technologies, a leader in securing IT, OT and IoT devices. Barry comes to the job with tons of experience in the cybersecurity, IT and software environment. 25 plus years. Most recently, prior to joining Forescout, was COO at Malwarebytes and has been running tech companies for a long time. Joined Forescout in 2023 and really excited to sit down with Barry today. Barry, thanks for joining us.
Barry Mainz [00:01:13]:
Thank you. Thanks for having me.
Frank Cilluffo [00:01:15]:
So I thought we’d start from the start. I mean, you’re two and a half years into the job and I’d be curious what you thought you were coming into as to where you are, what excites you, what maybe keeps you up at night. I thought we’d start there.
Barry Mainz [00:01:28]:
Good question. Because I think anytime you start, there’s always the things that are probably way better than you thought they were, and there’s probably stuff that is not as you thought they were. Just a little bit of context, I worked at Crosspoint Capital, private equity firm that was part owner of and still is Forescout, and worked there for a while, and then all of a sudden, hey, Barry, you’d be a great fit for CEO of Forescout. And you asked me, like, what, why I started. What excited me about it? What excited me about it was that they were the only company that I knew in cyber that had a really good perspective. And we didn’t call this zero trust back then, but this whole notion of a zero trust platform for both IoT, OT and IT devices. And being able to do that in this sort of network security operations perspective. And I love the customer list. It was, you know, museum quality customers, largest customers in the world, both public and private.
Barry Mainz [00:02:27]:
And the notion that when I talked to customers before I joined, they said, you’re really not only helping us protect patients in a hospital, you’re protecting dollars and whether it’s insurance companies or it was financial institutions and you know what, I talked to some of the federal government customers and they were like you’re really making a difference. And so it was really good for me to get behind a company that not only was doing things interesting but also helping us.
Frank Cilluffo [00:02:56]:
Awesome. Awesome. And there have been some news. Wall Street Journal had a piece not too long ago about a potential of Forescout Technologies going public again. Anything you want to share on that?
Barry Mainz [00:03:08]:
Well you know what I will share is probably shouldn’t let the facts get in the way with a good story cause that’s what was communicated. But look, I think we did a momentum release around our success. We made some very large, large customer wins. We had some brilliant deals in the last year and a half. And I think profitability, terrific P&L. One could make the connection that might happen. Now I didn’t say it, it wasn’t there but our goal is to make a world class solution and continue to solve you know, really tough business problems, delight our customers partners and help our prospects become customers. And you know, I think what happens happens.
Frank Cilluffo [00:03:50]:
Awesome. And, and exciting and, and it’s trending in the right direction. That’s the bottom line. However it ends.
Barry Mainz [00:03:56]:
That’s exactly right.
Frank Cilluffo [00:03:57]:
And good for you. I thought we’d start with, you guys came out with a report recently on hacktivism and lots of interesting, not just anecdotal but, but actual empirically based evidence around that. And I thought we’d start with A, what your initial thoughts around the findings were and then B, sort of given events in the Middle East and given events between Iran and Israel and elsewhere, Iran fit in and IRGC enabled proxies fit into this report. Let’s start the report itself. What should our audience and viewers and listeners know?
Barry Mainz [00:04:40]:
That’s a really interesting question. It really is a good example of sort of cyber being the new battlefield. And you can sort of see nation states taking advantage of critical infrastructure. That’s dated and you can pick a whole host of things that have happened. Many people know about the, you know, Salt Typhoon or Volt Typhoon or any of the things that happened in the Colonial Pipeline. These are great examples of the same exploits that we read in the report. And we see also something that’s very interesting to us. We saw this about 10 months ago where nation state bad actors were using multiple hacktivism groups like, like an open source, you know, kind of crowdsourced to solve problems, yeah, like, and simple things that we would maybe not think about, but, you know, a PLC, for example, a programmable logic controller, which you would use to hack into, control something, right?
Barry Mainz [00:05:37]:
Well, here it is. Here’s the manufacturer. Here’s the situation that we’re looking at and getting thousands of engineers, thousands of people in these nation states to help figure out how do you breach it. And that’s scary because, you know, just think about the velocity to be able to go do something. It’s not 10 people sitting in a room somewhere. It could be up to, you know, several thousand and using it to go and do bad, bad things to infrastructure.
Frank Cilluffo [00:06:02]:
And some plausible deniability. Right?
Barry Mainz [00:06:04]:
Exactly right.
Frank Cilluffo [00:06:05]:
So if you get caught with your hand in the cookie jar, you can say it’s not me.
Barry Mainz [00:06:08]:
Yeah, exactly right. Hey, you know what? We, we don’t control those folks. Hey, that, you know, that just happened.
Frank Cilluffo [00:06:12]:
I may be dated on this, but when you looked at Russia, for example, they would turn to criminal enterprises to do their bidding. And in return, they basically let them have free rein when they’re not doing their bidding. China, it’s a little bit of moonlighting. You had some of the PLA officers who were also trying to moonlight and make some money. So they don’t all look the same, right?
Barry Mainz [00:06:37]:
No, they don’t. And I think some people have better marketing than others. Certain of the nation states are, you know, whatever you call them, I think it’s the same. You can see, you know, Iran didn’t try and protect it because I think they said, hey, we may be wrong, but we’re not confused. This is what we’re doing. So it’s, I think it’s a little less. But you, you see the marketing happening, whether it’s, you know, Russia talking about, hey, those are people that we don’t know and they’re going after financial gain or China saying, hey, it’s not really, but, you know, I think if you go look, I think it’s all the same.
Frank Cilluffo [00:07:07]:
And the potential for escalation makes that also a little frightening. Right?
Barry Mainz [00:07:13]:
It does.
Frank Cilluffo [00:07:13]:
I mean cause it’s hard to discern who’s the puppet, who’s the master.
Barry Mainz [00:07:16]:
That’s right. Now the good news is we can actually stop a lot of those breaches.
Frank Cilluffo [00:07:22]:
Boom.
Barry Mainz [00:07:23]:
And, you know, I think our cyber community of software companies and companies like Forescout, we can actually protect critical infrastructure from this happening. And so I don’t want it to all be doom and gloom like, oh, there’s nothing to, but we can. And I think it’s just making sure we recognize, hey, let’s take a look at these studies. Let’s make sure we understand where they’re coming from, what sort of devices, hey, the coordination behind it. And then we can go say, okay, great, what are we going to go do about it?
Frank Cilluffo [00:07:50]:
And what I like about it is it’s not only descriptive, but it is prescriptive. And we’ll jump to some of those solution sets in a second. But one of the things that surprised me is just the emphasis on water systems, for example. And OT. And I have to underscore Forescout’s always been in the forefront of operational technology, which has sort of been the stepchild or the Rodney Dangerfield of the cyber community for too long, but not anymore. That’s where life, death, actually real consequences are, are focused on that. But I’d be curious in terms of the targets that you were able to glean from, from your most recent study. Water seemed very high on the list.
Barry Mainz [00:08:34]:
Yeah. So water and water processing plants, energy, tend to have the oldest or dated infrastructure. And they also have technology where they said, hey, I’ve got a particular system and I’m going to go make it smart. And maybe they made it smart by connecting it to the Internet, say 10 years ago and maybe didn’t have any of the protocols that we have. IPv4, IPv6, none of those. And I know for a fact some of the systems in the report there, they were IPv0. So it makes it very easy for them to be breached. You mentioned something earlier about the difference between IT and OT.
Barry Mainz [00:09:16]:
The people involved. I mean, those systems are locked down systems. In many cases, the people that are running them, they don’t know how to change them. There’s no patch and vulnerability built in. Meaning like, hey, I can automatically update and change something. There just isn’t in those systems.
Frank Cilluffo [00:09:30]:
I mean they’ve been around for 30 plus years.
Barry Mainz [00:09:32]:
This is exactly right. And I’ll tell you a little bit, I don’t know, we didn’t talk about the background, but I was at Wind River Systems and we did embedded, when we, when I first started there, it was embedded, then it was smart embedded and then it was IoT. And we, we were 2,000 employees, half a billion in revenue. And we basically worked in mostly regulated industries providing software to control those systems. And I can tell you that given how fractured the ecosystem is to create a device or a SCADA and, or a manufacturing system or a power system, very, very decentralized and what ends up happening is, put stuff together and it’s going to work. We’re thinking about, oh, this thing’s here today. We’re not thinking about hacktivism 20 years ago. We’re not talking about, you know, kind of crowdsourcing, a PLC breach.
Barry Mainz [00:10:24]:
We’re not thinking about any of that. I was there. And now to fast forward when I started at Forescout, so going Wind River, probably 10 years.
Frank Cilluffo [00:10:32]:
Which was an Intel company, right?
Barry Mainz [00:10:33]:
That’s right. We got bought by Intel.
Frank Cilluffo [00:10:35]:
Yep.
Barry Mainz [00:10:36]:
Fast forward the, the Wind River, you know, to now I’m at Forescout, we saw about a year ago, a year and a half ago, and we have a Vedere Labs which does all the research that, that article you’re talking about was published from. If you go look about the, the breaches and we have a whole set of reports around what sort of devices, what’s the operating system, etc. About a year ago was the first time in nine years an embedded operating system was number one.
Frank Cilluffo [00:11:03]:
Wow.
Barry Mainz [00:11:03]:
And this is where we realized, hey, this is a trend. And we can see where those breaches were coming from. The same, you know, bad actors in these particular nation states. And we could start to see the devices and guess where they started. Water, energy, you know, kind of the old systems that were been there 15 to 20 years and it’s only gotten worse over time in the last year or so.
Frank Cilluffo [00:11:27]:
And, and really good point and, and, and good historical sort of background. But on top of all that, you’re starting to see malware that’s specifically targeting OT systems, right?
Barry Mainz [00:11:38]:
Absolutely.
Frank Cilluffo [00:11:39]:
And, and that does change the game a little bit as well, so.
Barry Mainz [00:11:44]:
Yep, exactly. And malware written for a particular PLC.
Frank Cilluffo [00:11:49]:
For, and a particular device.
Barry Mainz [00:11:52]:
And a particular system, right, you know, or device. And you go look at it and you’re like, somebody had to go, and, because if you look at how those devices are made, many of them are custom and we used to say semi custom, right, because nothing was, was out of box, everything was custom or semi custom. And so you go look at it and they have to spend time knowing that system, that device really well to write the malware. Because a malware typically, you know, is not going to be applicable to every single one of the similar type systems.
Barry Mainz [00:12:19]:
They’re going to have to tweak it. So this is where it gets scary in that someone’s actually paying attention to that.
Frank Cilluffo [00:12:24]:
And, and if I’m not mistaken, Forescout also does some interesting work around medical devices. Right? So we think of the IT systems and the infrastructure around it, but the devices themselves, that’s, that’s, if you start thinking about it, it’s a little, it’s a little concerning, no?
Barry Mainz [00:12:39]:
Yeah, it is. And we go look at, we have multiple vertical markets that we solve and primarily around regulated industries. So it would be, you know, banking, brokerage insurance, you know, kind of public sector we talked about earlier, health care, energy. Right? And you go look at these vertical markets and health care is one area and we’ve seen in the news, you know, lots of breaches. And why? To your point, lots of systems there, they were made smart after the fact, you know, they weren’t secure by design. And there, many of them are PC based, running Windows 95 or Windows 10 with very, very old middleware. And you know, the hackers can go, wait a second here. We hack those systems, that kidney dialysis machine, that’s the same process we used nine years ago.
Barry Mainz [00:13:27]:
Yeah, on something, or 10 years ago, 11 years ago, we just pull out that, dust it off, and boom. I’m going to use this particular, you know, attack.
Frank Cilluffo [00:13:36]:
What do you think cyber defenders should take out of the recent conflict in the Gulf between Israel and Iran? And Iran has always been a pretty active actor, both in terms of IRGC themselves but also proxies. And good thing that Lebanese Hezbollah is not the, the, the, the force it once was. And that was also a pretty interesting cyber, I don’t know if you call it cyber, but physical cyber enabled attack. Yeah, yeah, but, but what, what, what should defenders be thinking right now? And, and, and I like to say, and I don’t want to put words in your mouth but I, things that pop over there, wherever over there is, often are previews of a movie coming to a theater near you here. So it’s not just that it’s our, in our interests in the region that’s sort of a canary in the coal mine. Anything we should be thinking? Water concerns me in the United States, if I’m being very blunt.
Barry Mainz [00:14:33]:
So I would, I would zoom out a little bit and say, okay, before we go into the vertical markets, I would say that just the mindset, I mean I think we have to be thinking about, hey, you can’t secure stuff you don’t see. So it’s really about, let’s start with asset visibility. Most places we go…
Frank Cilluffo [00:14:47]:
And that’s where you started. Right? That was Forescout initially would light up your system.
Barry Mainz [00:14:51]:
That’s exactly right. Let’s look at like what, what do you have out there? And then the second thing is give me a risk profile. Like we have information, we know that certain behavior should not happen, and if that particular device is acting a certain way, we know there’s a risk associated with that. So once that happens, get those two checkboxes, then containment and have policy around containment. Because it’s not necessarily the fact that you’re going to be able to go in and change and completely secure everything 100% of the time. What you want to do is limit the blast radius if it does happen.
Frank Cilluffo [00:15:28]:
And the consequences.
Barry Mainz [00:15:29]:
And the consequences. So you start first, let’s take a look what’s out there. Hey, give me a risk score. Give me some ability to do containment based on what I see on risk. And the other piece is control. Right, so maybe the last thing you know, you would go do is say, hey, we want to know once you contain something, hey, is there ability to do something else like fire off a trouble ticket to go check everything else that looks like this? Or hey, maybe what we should do is update the software on this particular IT device because it’ll prevent this from happening on these OT devices. I mean, there’s a lot of that stuff that can happen. We do it in a practical way.
Barry Mainz [00:16:03]:
I think we need to take that as an exemplar and apply that step and repeat to places like, you know, the power grid and, or, you know, water processing plants, because oftentimes they take, they’re the last ones to, for tech to be deployed, whether it’s, you know, run private or public, and yet they’re the ones that could potentially cause the most damage, to be fair.
Frank Cilluffo [00:16:21]:
Unequivocally, and I sometimes am a little critical that it’s become a buzzword, but resiliency is the name of the game.
Barry Mainz [00:16:29]:
Yeah, I didn’t use that just because everybody uses it.
Frank Cilluffo [00:16:32]:
No, it’s the, but it’s the truth. You’re never going to be in a position. It’s like the old counterterrorism. You’re not going to protect everything, everywhere, all the time from every perpetrator and every modality of attack.
Barry Mainz [00:16:41]:
And that’s the containment. Right? And then that’ll help you with being, you know, resilient because, hey, if you can contain it, then, you know, that’s okay, great, terrific. I can solve that littler problem. Those devices, that thing, whatever it is. And then what I can do is to say now that I know that I can be way more resilient because I can apply that to other attack vectors.
Frank Cilluffo [00:17:00]:
And, and I would imagine before we step off, sort of the, the, the good work you did around hacktivism and proxies, they also are sort of that, they’re the first in seeking out vulnerabilities. If they get burnt, they get burnt. No, no skin off the, the, the ultimate puppets back, right? And, and I think the better ones are probably pretty stealthy from beginning to end. Yes, no? Is that something that any research…
Barry Mainz [00:17:31]:
Yes. Because the best ones deposit their stuff and come back later.
Frank Cilluffo [00:17:35]:
Exactly.
Barry Mainz [00:17:36]:
And you know, then it’s like Volt Typhoon and Salt Typhoon, right, you think that, right? Where there’s a big late, you know, latency between when the, you know, bad actor came and did his or her stuff and when it was actually ignited.
Frank Cilluffo [00:17:51]:
Exactly.
Barry Mainz [00:17:51]:
And so I don’t disagree with you on that. I think the other piece too is that I just think if we are logic, logical on, hey, what do we know now, what works, and step and repeat, we can, we can do serious, serious, you know, progress on taking the majority off the table.
Frank Cilluffo [00:18:08]:
I agree with that. And that’s, that’s the best we can do. And, and the reality is, is we don’t do enough of that. I hope we, we see more of that. Most people genuinely don’t really pay attention until they’ve paid a price.
Barry Mainz [00:18:22]:
Yeah, I know it’s sort of like, and I always tell CISOs and CEOs, I go talk to, I said, I say, look, yes, you may, it may cost you money to go do this, but you got to think about it as, as an investment.
Frank Cilluffo [00:18:35]:
Exactly.
Barry Mainz [00:18:36]:
Because every one of the times we’ve engaged with a large corporation and they had an issue, it was costing them way more than if they would have just bought the stuff up front.
Frank Cilluffo [00:18:46]:
Not to mention reputation management. It’s sort of like health, isn’t it? I mean, the truth is, is to be healthy in your 80s, you got to be working on it when you’re in your 50s, right?
Barry Mainz [00:18:54]:
Yeah, exactly. Don’t start running marathons at 79.
Frank Cilluffo [00:18:56]:
Exactly.
Barry Mainz [00:18:57]:
That’s not going to help you.
Frank Cilluffo [00:18:58]:
And, and I do feel like there is a bit of a psychological argument that needs to be made. And I’m not sure we’ve made it yet, but I think it’s starting to resonate because everyone’s a target. And I think ransomware democratized that. And I think this was in your study. But you’re starting to see actors, they’re not just focused on one tactic technique. You’re seeing DDoS combined with ransomware combined with all sorts of brute force types of attacks and the like. So you’re starting to see organizations bundle capabilities.
Barry Mainz [00:19:33]:
That’s right. Take a, take a traditional IT attack, phishing or something. Get your IT organization distracted with that. Focus on something that, it may make a difference which really doesn’t matter and attack them over here on something else. Because it’s typically the same people that are managing that.
Frank Cilluffo [00:19:49]:
Exactly.
Barry Mainz [00:19:49]:
And you know, they get distracted to your point. So we do see that happening as a tactic for sure.
Frank Cilluffo [00:19:53]:
And limited time. I want to go to another sort of, I’m reminded of Wayne Gretzky, you don’t want to skate to where the puck is but to where it will be. And there’s a reason he was the highest, well now second highest. Ovi, I guess broke that record. But I’d be curious, quantum and post quantum, you’ve got some fascinating work in that space. Anything to start to sort of share with our viewers and listeners.
Barry Mainz [00:20:22]:
Yeah. So the good news is if I zoom out, I go look at the secular trends that I know the federal government’s focusing on it. I know that large companies are, regulated companies are, focusing on that are these vectors. One is quantum computing. And what that does for the bad actors in terms to be combining that with agentic AI and saying now I’ve got bad actors on steroids because that agentic AI can learn and I’ve got a super powerful engine behind it to go do bad things fast and very, you know, kind of call it, you know, it’s like an elephant that can tap dance because you got all this horsepower behind it and pulling. But you’ve got the ability to go do all that stuff with agentic AI and what that does for or against encryption, because we’re talking about, you know, quantum, you know, computing and quantum, you know, what happens to the crypto.
Barry Mainz [00:21:13]:
We are actually launching here shortly. Maybe by the time this gets aired you’ll, it will already be launched, I’m sure, which is all Quantum-Safe Forescout. And we can go and I, and if, if I say one thing and I don’t say this as a, you know, kind of a sales pitch, but if your vendor, your working with cyber vendor doesn’t have quantum safe technology built in…
Frank Cilluffo [00:21:34]:
Game over.
Barry Mainz [00:21:35]:
Yeah, it’s a problem. So we have quantum safe at the, at the device level. So we can say, hey, that device, OT, IoT, etc. Or IT device. And most IT devices are going to be protected. So you’re going to worry about a device like we talked about earlier that’s sitting out in the field for 20 years and we can say, hey, what version of crypto is it running? Is it quantum safe? And if it isn’t, tell people. So you can have a strategy for that and we can tell when it’s flipped back. So sometimes, you know, we’re going to see bad actors and we didn’t say it in this report. We’re starting to see playing with crypto and flipping it back and forth from, you know, quantum proof and then putting it back to old crypto that you can hack. And coming back later to your point, so you can actually monitor that with some policy. So that’s the other piece. The other thing is it dovetails into, and we talk about critical infrastructure.
Frank Cilluffo [00:22:21]:
Absolutely.
Barry Mainz [00:22:22]:
Because if you have agentic AI, quantum computing, you know, you’ve got a crypto, you know, gap or, you know, opportunity, and then you’ve got your, you know, critical infrastructure that’s ripe for hacking.
Frank Cilluffo [00:22:38]:
Which is a huge, I mean, in many ways and again, I love looking, history may not repeat itself, but it tends to rhyme. And in some ways, and that’s Mark Twain, allegedly, not me. But, but, but you think back to World War II and, and whether it was Enigma, ultimately it was cryptographers and cryptologists that won the war. And if you think about it in terms of, if you have the ability to keep all of your data secret and exploit anyone else’s, that has huge implications, not only from a national security standpoint, but from an economic competitiveness standpoint, from a public safety standpoint. This isn’t a race we can afford to lose. Is it?
Barry Mainz [00:23:20]:
That’s right. That’s right.
Frank Cilluffo [00:23:21]:
And I think you’ve done some research around quantum safe, and if I’m not mistaken, some scary findings. And I just want to make sure I get this right. Secure shell servers, 6% are quantum safe, and that’s a pretty big deal on the SSH side. And then TLS traffic, less than 20%. Why does that matter, firstly? I don’t want to put words in your mouth.
Barry Mainz [00:23:44]:
Well, it matters because it’s slow. Right, I mean, go look at this and say that, at what point do you think that we ought to have 100%? And if you track it now, I think we’re going to run into way more problems before we get done. The other piece, which we didn’t say in that article, was IoT and OT devices, I can guarantee you it’s way less than 1%. And the problem is is that many of these have to be field updated. So I’m pretty sure that people aren’t going out there with a USB stick, you know, coming out to, you know, a manufacturing plant and, you know, updating a Kuka robotic, you know, robot that’s sitting out there or the SCADA system that’s, you know, plugged in there. I just, I’m pretty sure that’s not happening right now. And it’s happening at a very, very, very slow pace.
Frank Cilluffo [00:24:22]:
And to go back to history, it was sort of where the utilities were, the grid in particular and SCADA about 20 years ago. Because to actually address and change the default passwords alone, which were often “password”.
Barry Mainz [00:24:35]:
Yeah. Or 1234.
Frank Cilluffo [00:24:37]:
Would’ve caused brownouts. Right? So in a weird way, is there a way to scale that?
Barry Mainz [00:24:42]:
Well, I think there is, right? And so I think there’s, once recognized, first recognizing the problem. And the good news is, you know, I’ve been meeting with a lot of CISOs and CEOs, been at the Aspen sort of security summit there, you know, by Aspen Digital, was meeting here around D.C. area with a lot of executives. And then, you know, I spend 50, 60% of my time with executives and they get it. Now, I think sometimes we have a problem moving from insight to execution. So I think the insight, we understand there’s a problem.
Barry Mainz [00:25:17]:
But you know, I want to make sure, and I tell everyone, hey, we have an opportunity to give you a path to the execution.
Frank Cilluffo [00:25:23]:
Awesome.
Barry Mainz [00:25:23]:
And that, you know, part of it is just knowing what you don’t know. And then I can tell them that, you know, we’ll be thought partners and help you to the execution piece so that you’re not vulnerable to these issues.
Frank Cilluffo [00:25:34]:
And the gap between noun and verbs is high, so, but that said, I also see in some companies and sort of the operational side, the CISOs, the CSOs, they all get it. But general counsels, government affairs, operations, they may have a different perspective or different priorities. And understandably because they’re serving customers and clients. How do we square that circle?
Barry Mainz [00:26:02]:
Well, you know, part of it, the Disclosure Act came out in ’23 and it was basically if you were a company, and most of the companies you’d be in the definition, I think is regulated industry, certainly publicly traded, right, etc., dealt with the government, there were some qualifications, yet if you were breached, you had to disclose not only IT devices, but you also have to disclose IoT or IO medical devices and OT devices. And so that’s driven, I know the conversations to say, hey, where are we exposed? And I think the most aggressive and intelligent companies are starting to think about that and their, you know, C suites behind it.
Barry Mainz [00:26:40]:
And like I said before, when I get to talk to, you know, any of, it’s, sometimes I’m brought into the audit committee, which is usually not what you want to be brought into because usually they had a hack. It’s like, it’s an investment, as I mentioned before. And oh, by the way, you know, get out ahead of it, you know, don’t, don’t sit and wait to see are they coming back? Because they are. And there’s a very, very public issue with one of our healthcare organizations. I don’t need to mention it, but they were nailed three times before they solved the problem.
Frank Cilluffo [00:27:09]:
Wow. Wow. Yeah. And again, it’s sort of the prevention, it’s the ER versus health prevention model. Right? And we’re still in ER mode and hopefully that begins to change a little bit. I’d be curious in terms of misconceptions or blind spots security teams have when it comes to preparing for the quantum world.
Barry Mainz [00:27:34]:
You know, I think a little of that happens to be sometimes cultural lock-in, meaning that, you know, you’ve got, in situations where they have OT applications and systems and IT, say manufacturing or you talked about, you know, water treatment plants or power, power plants. They have very different folks on each side, very different mindset. And so it’s sort of like the culture is hey, I’m in OT, stay out of my business. I’m in IT, stay out of my business. And I think this lack of hey, let’s go and take an approach together is missing. So I see that as, as, as an issue where, you know, culturally they just never did that.
Frank Cilluffo [00:28:17]:
And one is preventing Three Mile Islands the other, so there’s understanding, one’s more public safety, at least culturally, historically. But you can’t have that, it’s all merged.
Barry Mainz [00:28:26]:
And if I have an issue, what’s it going to cost me?
Frank Cilluffo [00:28:30]:
Exactly.
Barry Mainz [00:28:31]:
And so maybe I don’t do anything because it’s cheaper for me to let it happen and then I can go fix it afterwards. Which, you know, I’m not so sure that’s the best solution or best strategy. That would not be mine.
Frank Cilluffo [00:28:39]:
Certainly not from a public safety standpoint.
Barry Mainz [00:28:41]:
Would not be mine. But that’s sort of the mindset unfortunately. So I see that and I do see the more progressive companies. There’s a very large chemical company in Germany that they’ve promoted their CISO, and he runs both IT and OT and has people underneath them and they have, it’s funny, so Germany, they go out to beers, they spend time with one another, they talk. I mean they are forced into culture together. And I go look at that and say okay, you can kind of laugh and say, oh there, you know, it’s beers and you know, pretzels. Ha. But it’s…
Frank Cilluffo [00:29:16]:
It’s good beer and good pretzels.
Barry Mainz [00:29:18]:
Yeah, that’s true. He said we’re trying to change the culture here.
Frank Cilluffo [00:29:21]:
Yeah.
Barry Mainz [00:29:21]:
And this is the way you do it. And he’s doing also, having some of the, you know, systems people do, you know, small stints in IT and vice versa so that they can change it. And that’s actually really changed the velocity of them moving towards different systems and acquiring and, and thinking about how do they provide a cyber strategy that’s going to work for both.
Frank Cilluffo [00:29:43]:
You know, that’s actually very insightful because I like to say technology changes, human nature remains consistent. I do think there are some game changers like quantum, but at the end of the day, you don’t want to be exchanging business cards when the bomb goes off, right? I mean, you have to know one another. You have to walk a little bit in their shoes to understand their pain point.
Barry Mainz [00:30:07]:
Right.
Frank Cilluffo [00:30:08]:
And there are some companies that are combining their IT and OT SOCs slowly. In the utilities space, I’m familiar with a couple, but they’re the exception. By no means the rule.
Barry Mainz [00:30:20]:
Yeah.
Frank Cilluffo [00:30:20]:
Ten years from now, how do you delineate the difference? They’re all converging, right?
Barry Mainz [00:30:26]:
Yeah, I think they are. I mean, I think Gartner’s been saying for the last 20 years they’d be, you know, they’ll merge.
Frank Cilluffo [00:30:30]:
Do they have a new quadrant actually? Because they blended all their studies into one. That would hurt their business. Maybe not, but…
Barry Mainz [00:30:37]:
But I do feel like we are seeing some momentum there. I do think that people are realizing that they have to change. Companies are saying we have to change, agencies are saying we have to change, we have to go talk about both. I do feel like the other piece that I think is good to see is that, you know, just at least admit you have a problem and funding the right resources. We just launched an MSP for OT, and the reason why we did that was to say, hey, you know, we’re trying to help out and, you know, it’s solving a set of business problems that, you know, maybe there are certain companies that are trying to make the transition or agencies that are trying to make the transition to say, hey, at some point we got to change our IT organization to help with OT. But in the meantime, hey, Forescout can help them with, you know, OT in terms of an MSP and make sure that they can protect their OT environment, the devices, et cetera.
Frank Cilluffo [00:31:31]:
Not to embarrass her, but anytime I have an OT question, I speak to one of your colleagues, Ali King. She’s going to know everything about what’s going on, both policy wise and technology wise. And I think in all sincerity, OT is a big set of issues and fundamental from a security standpoint going forward. Barry, we’re almost at the end of our time. What questions didn’t I ask that I should have? And actually before I do that, I’m going to break my own rule. Agentic AI, we touched on it. Are you seeing that even from hacktivists or is that still more APT type actors?
Barry Mainz [00:32:11]:
Yeah, exactly. APT stuff for sure. We just know because in the lab when we go look at it and we have a, we have a consortium that we work with several other…
Frank Cilluffo [00:32:19]:
And Vedere Labs does good work.
Barry Mainz [00:32:20]:
Yeah. Vedere Labs does really good work. But we also work with other tech companies, you know, Nvidia, Broadcom, et cetera, that we’re all in the same boat together. And the stuff we test, we’re worried about agentic AI. And you can go look at the studies they’ve done, the government’s done studies we’re saying, hey, do you have a, is a pilot better than an agentic AI driven pilot? And it’s not quite as good, but getting better. And part of it has to do with the CPU processing that they don’t have. So hey, you can have CPUs and agentic AI to think like a human, which is awfully scary because…
Frank Cilluffo [00:32:55]:
Yeah, smarter than me, that’s for sure.
Barry Mainz [00:32:57]:
Yeah. And good lord, some of the behavior that humans have, that’s the other thing. But you know, we worry about it.
Frank Cilluffo [00:33:04]:
And, and you know, I ask almost all of my national security folks and I know it’s not as simple as red, blue, who benefits from AI or agentic AI, but if you had to answer, and I think part of it is it’s always going to benefit the adversary, but it can also benefit more of the defenders. But I’d be curious what your thoughts are. Who, who’s the big, big winner in that? Or is it truly a double edged sword?
Barry Mainz [00:33:29]:
It’s a double edged sword because I think that, you know, if we move from insight to execution, meaning we think about it and then we say, okay, what are we going to go do to defend it? You know, I think there’s no reason why we shouldn’t, you know, be able to be way ahead of the bad actors. Way ahead. Now if we don’t, it’s going to be, we already know that they’re going to start with this. Just we know for a fact, given, you know, the, the information that we know and certainly the federal government knows that it’s already starting to happen. But I do think we can prevent it. And not a hundred percent, but like I said, containment. You mentioned the word resiliency.
Frank Cilluffo [00:34:02]:
Even if you get to that 66, 80% solution, whatever it is, at least then you can focus on the hard, hard problems, right?
Barry Mainz [00:34:09]:
Exactly.
Frank Cilluffo [00:34:10]:
And now I will ask, what questions didn’t I ask that I should have?
Barry Mainz [00:34:14]:
Am I optimistic or pessimistic?
Frank Cilluffo [00:34:17]:
Good question. What is the answer? I’ve been told a pessimist is an optimist with experience.
Barry Mainz [00:34:24]:
I will say this. I’m happy, not satisfied. I think we’ve done a lot of great things as an industry. I think if I look at it, I don’t think, and I think we can do better together. And you know, what makes me not satisfied is that until we don’t see these bad actors breaching us, we’re not there yet. And so, again, I see a lot of the right, you know, sort of activity, but good lord, you know, if we don’t continue that with some level of momentum, you know, it could be pretty bad.
Frank Cilluffo [00:34:55]:
Really well said. That was one of the, the best closings we’ve had. So, Barry, really appreciate all your hard work. We’re in this together, so let’s, let’s continue to fight the good fight and onward and upward. So thank you for joining us today.
Barry Mainz [00:35:09]:
Thanks for having me.
Frank Cilluffo [00:35:11]:
Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.