
Tech Evolution, Trust Challenges, and Career Lessons with Michele Thomas Part 1 | Episode #14

Join Security Barista, John Martinez, and Cyber Sherpa, Michele Thomas, for a coffee chat as they discuss the evolution of cybersecurity and the trust challenges surrounding this ever-growing field. Michele shares insights from her extensive career in the tech industry, detailing how she broke into the field and the significant changes she’s witnessed over the years. Listen in for some valuable advice on navigating the world of cybersecurity.

Transcript

-OUT TAKE-

I don’t believe there are single solutions that can boil the ocean, so to speak. I’d rather people give me the information - the data or whatever I need - and I usually specify what I’m looking for so my team and I can make our own conclusions and choose what’s best for us. That way, I feel more invested. It used to bother me so much that after some meetings, I’d have to walk the halls just to clear my head.

Well, if a vendor offers to make you sandwiches, as a public servant you can’t accept that kind of gift in most cases. I’d politely say thank you, but no thank you. A cup of coffee is fine.

-INTRO-

Hey everybody.

Welcome to another episode of John Has Trust Issues, where we talk about issues in zero trust and cybersecurity in just a few minutes.

Today, I’m very honored to have Michele Thomas, also known as the Cyber Sherpa. Michele, welcome to the show.

One of our traditions here is talking about a trust issue. Michele, what’s yours?

One of my trust issues, especially when I was a CISO or CTO, was with vendors who think they know it all. Organizations need the truth and sometimes just a clear explanation, but instead you get people who claim their product solves everything. I don’t believe that. I’d rather get the information and decide for myself.

So tell us a bit more about your background.

I’ve had 27 years in public service and 11 in the private sector. I’ve been in cybersecurity since before it was called cybersecurity - it used to be information security or information assurance.

My interest started in the late ’80s when I was asked to write a program to encrypt financial data being transmitted globally. Nobody had done it successfully before. After some failures, I figured it out and created an algorithm that took five years to break. That’s how I got into security.

That’s amazing. And it’s true - security has always been part of the job, even before it had a name.

Exactly. Even as a CTO, cybersecurity had to be built into emerging technologies. It’s often overlooked, but today you can’t afford to ignore it. Your job - and your organization - depends on it. You’re always one headline away from being in the news.

And now it’s not just organizations - regular people are affected by breaches all the time.

That’s right. Everyone’s data is out there. It’s all about the data now.

Given your experience, what does zero trust mean to you?

It’s evolved. It used to be “trust but verify.” Now it’s “never trust, always verify,” but it’s more than that. It’s about risk management - balancing security with business needs.

At the end of the day, it comes down to value. Does a solution help me operate more securely? Does it reduce risk and improve resilience?

We’re flooded with zero trust marketing, and definitions vary. But I don’t believe in a single solution that does everything. What works for a global enterprise won’t necessarily work for a small business.

That’s a great point.

There’s also a gap in how zero trust is communicated. Too much focus is on technical audiences, while executives are often left wanting clearer guidance. And then there’s technical debt - especially in the public sector, where legacy systems are everywhere. Any solution has to account for that.

Gartner has even predicted that many organizations will overinvest in zero trust due to hype and misalignment.

Exactly. I’ve had leaders ask for one product that does everything. That doesn’t exist. You can get close, but not all the way.

And that’s where thoughtful solutions come in - focusing on specific problems and doing them well.

Right. Vendors need to align with real business needs, not just sell a broad promise.

So how do you see the difference between public and private sector approaches?

In the private sector, revenue is a primary driver. In the public sector, it’s about mission and stewardship of taxpayer money. But in both cases, it’s about enabling the business or mission securely.

The difference is often how action is triggered. In government, mandates drive change. In the private sector, it might take a breach to create urgency.

We’re also seeing increased accountability. The Department of Justice is going after companies that fail to meet cybersecurity standards, even among third- and fourth-party vendors.

And the reality is, these ecosystems are huge and complex.

Exactly. And the consequences are real. Whether it’s regulatory action or losing access to critical systems, failure to follow good security practices has impact.

At the end of the day, it comes down to fundamentals. Protect data. Follow best practices. Use common sense.

You don’t store sensitive data unencrypted. At least show that you’re trying.

That’s another episode of John Has Trust Issues.

Thanks for joining us.
