Game Changer: John Davis, Vice President, Public Sector, Palo Alto Networks
John Davis is our latest Game Changer. He is Vice President of Public Sector at Palo Alto Networks and brings over four decades of unparalleled experience in defence and security to the forefront. Starting as an Infantry officer after graduating from the U.S. Military Academy, John excelled in Information Warfare, directing cyber operations for Joint Special Operations Command and U.S. Special Operations Command. His military journey included leading the Army’s Information Warfare brigade and overseeing global network defence.
Promoted to Major General, John became the first Senior Military Cyber Advisor at the Pentagon, concurrently serving as the acting Deputy Assistant Secretary of Defense for Cyber Policy. Since joining Palo Alto Networks in 2015, he continues to influence the cybersecurity landscape, leveraging his extensive background to aid clients in enhancing their cybersecurity posture. Through trusted advisory relationships, John imparts lessons learned from both military and industry perspectives, solidifying his legacy as a bridge between military expertise and cybersecurity leadership.
1. How did you start out in this industry and how has it brought you to where you are today?
I began my military career as an Infantry officer, following my graduation from the U.S. Military Academy at West Point in 1980. In the mid-90s, I became involved in Information Warfare and led those efforts for the Joint Special Operations Command (JSOC) and U.S. Special Operations Command (SOCOM) from 1998-2006. As part of that role, I was involved in cyber operations, but mostly on the offensive side.
In 2006, I returned to the traditional U.S. Army and assumed command of the Army’s only active duty Information Warfare brigade. One of my battalions defended the Army’s networks around the world and I was responsible for 6 regional Computer Emergency Response Teams (CERTs) covering the continental U.S., Europe, Southwest Asia, Korea, the rest of the Pacific region, the Central and South American region, and the Army’s global CERT that operated near Washington, D.C. Therefore, I got a healthy dose of cyber defense in that role.
Following my promotion to Brigadier General in 2008, I led a Joint Task Force that was responsible for directing the operations and defense of all the Department of Defense’s (DoD’s) networks around the world. In 2010, I became the first Director of Current Operations at U.S. Cyber Command as it was established in May of that year and I was responsible for not only directing the day-to-day operations and defense of DoD’s global networks, but also for directing offensive cyber operations when authorized by the President of the United States.
In 2012, I was promoted to Major General and became the first Senior Military Cyber Advisor at the Pentagon. In 2014, I was simultaneously appointed the acting Deputy Assistant Secretary of Defense for Cyber Policy and was responsible for DoD cyber policy, strategy, interagency cyber coordination, international cyber cooperation activities and interaction with the U.S. Defense Industrial Base on cybersecurity issues. After retiring from the military in 2015, I joined Palo Alto Networks and have been here ever since.
2. What is your role at your organization today?
I help our clients improve their cybersecurity posture by creating and maintaining trusted advisory relationships with their executives and security leaders, sharing the cybersecurity lessons learned and best practices from both my military and industry experiences, and generally helping them solve their cybersecurity related challenges.
3. What was your most challenging moment?
Shortly after I was promoted to Brigadier General and assigned as the leader of a Joint Task Force responsible for directing the operations and defense of DoD’s networks worldwide, our intelligence community discovered a very serious cyber “infection” in some of the department’s most sensitive networks, including those supporting our operational combat units in Iraq and Afghanistan. The infection was spreading across all of DoD’s networks.
This particular malicious software was assessed as putting the integrity of our most sensitive networks at risk, and the entire DoD began an operation to find it by examining every piece of hardware and software related to military networks around the world, eliminate it from all networks and equipment wherever it was discovered, and verify that no sensitive information from our sensitive networks was exposed to the internet.
It was a near catastrophic event for DoD and, as a result of the seriousness of the operation to regain control, daily video-teleconferences were conducted to report the status of the operation to the senior most levels of our military, combat operations were sometimes put on hold in order to examine equipment that might have had the infection, and a decision was made that, in order to ensure this could never happen again, the department would establish U.S. Cyber Command in order to put the defense of DoD networks under a chain of command with clear responsibilities and that would be accountable for effective results.
As you might imagine, this was the most enormously challenging and consequential cyber related moment of my life…a moment that lasted for many months, even years, and the result is still reverberating to this day for the U.S. military in the evolution of U.S. Cyber Command and all its Service and Joint Component Cyber Commands and Agencies.
4. What was your A-HA moment or epiphany that you think will resonate most with our readers? Tell us that story.
When I first became involved in the cyber realm, most of the cyber threats were characterized as either criminal related or because of our adversaries’ espionage efforts to steal information from government, military, industry, and even people in order to gain an advantage of some type.
This evolved over time and what started in the 90s as mostly criminal activity and spying began to change. Activities such as distributed denial of service (called DDoS) and other disruptive actions began to become one of the tools of choice generally around the turn of the century for criminal and government cyber actors as well as hacktivists in general. About a decade later, we began to see another disturbing outcome added as an arrow in the cyber actor’s quiver. Destruction became a motivation, with dire consequences in some cases. The North Korean attack on Sony is a good example of the serious consequences of this type of activity.
Adversary cyber activity has been a serious concern for the U.S. government and many of our partners and allies around the world, including Canada, for the entire time of my involvement in the cyber arena. However, the trend over the years from concerns about protecting the confidentiality of important information against cyber activities associated with the stealing for profit or to gain intelligence, to concerns about the availability of information and services from disruptive and destructive cyber activities, became especially alarming in the context of the potential for significant consequences to national and international critical infrastructure and even military response capabilities.
5. What is the one thing that has you most fired up today?
As I left the military and joined industry, the cyber threat evolution that I just described continued. What really worries me in current times are two more alarming trends in addition to the espionage, disruptive and destructive trends just mentioned, as well as a blurring of lines between state and non-state cyber entities.
The first trend deals with a particular type of cyber threat called ransomware, where the motivation is to break into your government, private sector or even personal network, lock up your important information, demand a ransom (usually in cryptocurrency to evade detection), and/or use extortion by threatening to expose the information publicly unless the target pays up. This trend has exploded in the last few years, impacting schools, police stations, local government functions, hospitals, and perhaps the most publicized event when this happened to the gas company Colonial Pipeline and there was panic along the entire U.S. eastern seaboard because of gas shortages.
The second trend has been our adversaries’ increasing use of cyber activities blended with other aspects of information warfare, such as mis- and disinformation to flood social and traditional media, to sow discord, inflame anger, create political and cultural divisions, accelerate chaos with conspiracy theories, cause widespread doubt in the effectiveness of technological innovation or stimulate resistance from the tech industry’s younger generation to supporting government/military R&D (including in the medical, economic, manufacturing, AI and other fields). Whereas the espionage, disruptive and destructive trends that I mentioned previously caused negative impact to the confidentiality and availability of information important to us as a society, this latest trend attacks the integrity of the information we receive and is intended to shape our behavior in ways that undermine the societal and institutional fabric of western democracies, and help our adversaries gain an advantage over their competition without ever having to cross the traditional line that would constitute armed aggression or hostile force in response.
These two evolutionary trends in cyber threat activity have crossed a threshold in my view and now have the potential to cause significant impact to national and international security, national and global economic stability and even public health and safety on a massive scale.
Finally, the blurring of state and non-state actors and organizations is also an alarming trend to me. Adversary states are increasingly doing this to hide their involvement and avoid accountability. They are using surrogates of all types, such as front companies, criminal entities, moonlighting intelligence and military personnel and even patriotic hackers to do their bidding when the actions are consistent with state interests. Using the ransomware gangs as an example, states like Russia look the other way, inspire, and sometimes even covertly direct and resource these criminal entities when it suits state interests.
6. What is the best advice you received?
I think the best advice was probably one of the first pieces of advice I ever received. It was from my grandmother when I was around 5 years old, and it involved the Golden Rule. She told me that what she was about to tell me would serve me well for the rest of my life and that I was to do my very best to follow the rule that you must treat others as you would want them to treat you.
Everyone knows this rule and, as simple as it is, it has had a profound impact on my life as I have tried my best to follow it. The times I failed to do so represent some of the biggest regrets of my life.
Even though this piece of advice isn’t necessarily something you might think I would share with a technology related audience, I would submit that it serves us all well no matter what we do in our professional or personal lives.
7. What is a habit that contributes to your success?
For me, building strong relationships is the most important thing that I try to do, and I believe that it’s the secret to many of the successes I’ve enjoyed. I learned in the military that the higher the level of responsibility you were given, the more that building relationships would be a key to success. I tell people that in my last three and a half years as the Senior Military Cyber Advisor at the Pentagon, I spent about 75% of my time building strong relationships with other leaders across the complex and broad expanse of component organizations that make up the military. And not only across the military, but cyber is one of those functions that the military cannot do on its own. Success requires partners across the rest of the government, across the international order, and especially across industry.
Besides the fact that success in the cyber function requires teamwork across a lot of organizations, one of the other reasons that relationships are so important is because the cyber function cuts across many organizations that are in many ways competing for resources of all types, including people, skill sets, equipment, money, and others. Inevitably, I found that organizations would clash in this competition. However, I also found that by building trusted relationships with the leaders of these diverse organizations we could often find some common ground and make decisions that, although they may not have been the very best for any individual organization from a purely parochial perspective, would reflect what was in the best common interest of all the organizations involved from an overall perspective. So, for me success has been best defined as a result of building and maintaining these types of relationships.
8. What is your parting piece of advice?
In my experience, the really big decisions in life are not made by the head or the heart. They may be informed by intellect (or the head) and shaped by emotion (or the heart), but the really big decisions in my experiences such as life and death decisions, choosing your mate and closest friends, risking your fortune, serious decisions that impact your family, etc., are based on the gut.
This comes from intuition, inspiration, imagination, and instinct that is shaped by not only the sum of one’s own life experiences, but I personally believe by hundreds of thousands of years of an evolution in the genetic fabric that has molded humanity over time. It’s that inner voice that tells you what’s right, even if it’s not what you would rather do. It’s a mother’s instinct or when the “fight or flight response” occurs, or maybe that weird feeling you get when the hair stands up on the back of your neck and you just know that you’re in danger. And that’s about trusting your gut… your intuition, the inspiration you feel deep down inside, the imagination that suddenly springs into your mind, and those instincts that kick in and demand your attention and decision to act.
No matter whether it has to do with cybersecurity or any other type of work in the tech industry, being effective requires teamwork across many different functional communities of the technology profession. To be successful you must be seen as a trusted and credible professional who can be counted on to deliver real outcomes. Nothing is more important to your success.
9. What people or organizations do you believe best embody the innovation mindset? (Does not have to relate to the defence & security industry. Can be related to your everyday life.)
I believe that the innovation mindset involves constantly thinking “what’s next, or how can we do something better, faster, with more ease and more accurately?” Of course, for people to be truly innovative there’s some good news and some bad news. The good news is that these types of people change the world. The bad news is that they are rarely satisfied, always wanting something new or what’s next. It can be the opposite of a peaceful mindset and can sometimes result in a personality that can be difficult to deal with. Therefore, my word of caution to those with the innovative mindset would be to strive for some balance as well.
For successful organizations, innovation must be incorporated into the individual values and resulting organizational culture in a very real way that is best driven from the bottom up while inspired and reinforced from the top down. It can’t just be words on a banner but must be integral to the fabric of the organization itself and routinely celebrated and rewarded in meaningful ways.
Questions regarding the ORGANIZATION
1. How is your organization changing the game within your industry sector?
I am absolutely convinced that Palo Alto Networks is leading the way when it comes to three trends that are changing the way the cybersecurity industry can better prevent successful cyber attacks and make each day safer and more secure than the day before. So, settle in as I tell you the Palo Alto Networks story.
The three game changing trends we employ are related to one another, and consist of automation, advanced software-based analytics, and the consolidation and native integration of previously disaggregated visibility and security enforcement technologies. Palo Alto Networks is the gold standard when it comes to achieving success using each of the three trends for not only our customers and partners, but within our own enterprise environment because we use our own cybersecurity technologies.
The adoption of automation has enabled cyber defense to operate at greater speed and scale. Cybersecurity operations cannot keep pace with today’s modern cyber threats if they are based mostly, or even in some cases solely, on human decision making and manual response. This legacy method of cyber defense results in an increasing advantage for cyber attackers over cyber defenders. However, defensive cyber operations that leverage automation have been able to close the gap and, in some cases, achieve parity with or sometimes even an advantage over cyber attacks. Cyber defenders must leverage the automation that is available today to defend against what has become a highly automated, sophisticated threat. In other words, to achieve a successful defense, you must fight machines with machines and better leverage the human aspects of cyber defense for things that humans can do better and faster than machines. This would include deep forensics, data science, Tier 2 and 3 cyber analytics (Tier 1 analytics can be automated today), software and hardware engineering, code developers, incident response functions that cannot be automated (which is decreasing), and other deeply human related functions in cyber defense.
The second trend we employ is the use of advanced software-based analytics, and it is changing the game in today’s world of cybersecurity. I use this term to cover big data analytics, behavior analytics, structured (supervised) and unstructured (unsupervised) machine learning, including deep learning and neural networking. It also includes the umbrella term artificial intelligence (AI), which has recently added generative AI (consisting of Large Language Models) to the technology trend. The key to success in leveraging these advanced analytics is to have immense amounts of the right kind of data, which is based on the cyber threat telemetry of indicators of compromise and the contextual information that makes these indicators relevant for cybersecurity purposes.
The last technology trend is having an enormous impact on cybersecurity, and in this case the impact is positive for the defense and negative for the cyber threats. This trend is about consolidating and natively integrating the previously disaggregated visibility and security enforcement technologies of the past.
Organizations’ security leaders today are demanding that the cybersecurity industry bring them these integrated technologies that make their security team move faster, with more ease, and do their security functions more accurately. It is possible because a consolidated approach, using machines to fight machines and software to fight software-enabled threats with a natively integrated package of capabilities allows you to effectively place visibility and automated security enforcement controls in each part of the complex enterprise environment.
Today’s complex enterprise environment includes all aspects of network security, cloud security, security operations center activities, and cyber threat intelligence. Palo Alto Networks covers this entire spectrum with best-in-class capabilities within each category. Network security includes traditional physical next generation firewalls, virtual next generation firewalls and secure access service edge (SASE) capabilities. Cloud security includes every aspect of security from code to cloud and involves the various aspects of security to facilitate code development, the security of everything about the cloud environment, and the operations of the clouds (sometimes referred to collectively as DevSecOps). Security Operations Center operations include extended detection and response (XDR), attack surface management, and security orchestration, automation and response (SOAR) capabilities. Cyber threat intelligence includes deep intelligence assessments, proactive advisory services, and incident response. Taken together as a package or as a set of platforms, these capabilities provide multiple opportunities to see and stop a threat at the various points along the attack process steps before it is successful.
To me, this is what the Zero Trust concept is all about…understanding that while you’re not likely to keep all cyber threats out of your enterprise environment (and most likely your users are going to “invite them in” by making mistakes or being careless), by eliminating implicit trust and continuously verifying every digital transaction that is occurring within your environment you can automatically see and stop threats before they are successful. This can change the adage about the defender having to be right everywhere and all the time, while the attacker only has to be right once to be successful. Now, the cyber attacker must be right during all of the attack process steps and the defender only has to be right at one of multiple places in the process to stop successful attacks using automation, advanced software-based analytics, and a consolidated and natively integrated package of security capabilities.
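The per-transaction verification described in the answer above can be made concrete with a small policy engine. This is an added illustration written for this page, not code from Palo Alto Networks or from any of its products; the checkpoint names, the entitlement table, the anomaly threshold and the sample transactions are all constructed for the example. Each transaction has to clear every independent checkpoint (identity, device health, entitlement, behaviour), so a single failing check is enough for the defender to stop it, and network location is deliberately never consulted, which is what "eliminating implicit trust" means in practice.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Request:
    """One digital transaction together with the context a policy engine needs."""
    user: str
    mfa_verified: bool
    device_compliant: bool
    from_corporate_network: bool   # recorded for logging, never used to grant trust
    resource: str
    action: str
    anomaly_score: float           # 0.0 = typical behaviour .. 1.0 = highly unusual


@dataclass(frozen=True)
class Decision:
    allowed: bool
    failed_checks: Tuple[str, ...]   # names of every checkpoint that rejected the request


# Hypothetical entitlement table, constructed for this example:
# (user, resource) -> the actions that user may perform on that resource.
ENTITLEMENTS = {
    ("alice", "payroll-db"): frozenset({"read"}),
    ("bob", "payroll-db"): frozenset({"read", "write"}),
}

ANOMALY_THRESHOLD = 0.8   # constructed cut-off for the behaviour analytics score

Check = Callable[[Request], bool]


def identity_verified(r: Request) -> bool:
    """Strong authentication must have happened for this very transaction."""
    return r.mfa_verified


def device_healthy(r: Request) -> bool:
    """The endpoint must currently meet the compliance baseline."""
    return r.device_compliant


def action_entitled(r: Request) -> bool:
    """Least privilege: the action must be explicitly granted, default deny."""
    return r.action in ENTITLEMENTS.get((r.user, r.resource), frozenset())


def behaviour_normal(r: Request) -> bool:
    """Continuous verification: even valid sessions are stopped when behaviour is anomalous."""
    return r.anomaly_score < ANOMALY_THRESHOLD


# Independent checkpoints; the attacker has to pass all of them, the defender needs only one hit.
CHECKPOINTS: List[Tuple[str, Check]] = [
    ("identity", identity_verified),
    ("device", device_healthy),
    ("entitlement", action_entitled),
    ("behaviour", behaviour_normal),
]


def evaluate(r: Request) -> Decision:
    """Run every checkpoint and deny if any of them fails.

    Note that r.from_corporate_network is never consulted: being 'inside'
    the network grants no implicit trust.
    """
    failed = tuple(name for name, check in CHECKPOINTS if not check(r))
    return Decision(allowed=not failed, failed_checks=failed)


# Constructed sample transactions.
LEGIT = Request("alice", True, True, False, "payroll-db", "read", 0.1)
# Inside the corporate network, but on a non-compliant device: location does not help.
INSIDE_BAD_DEVICE = Request("bob", True, False, True, "payroll-db", "write", 0.2)
# A session that passed MFA but now attempts an unentitled write with anomalous behaviour.
HIJACKED_SESSION = Request("alice", True, True, True, "payroll-db", "write", 0.95)

if __name__ == "__main__":
    samples = [("legit", LEGIT), ("inside-bad-device", INSIDE_BAD_DEVICE),
               ("hijacked-session", HIJACKED_SESSION)]
    for label, req in samples:
        d = evaluate(req)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{label}: {verdict} failed={list(d.failed_checks)}")
```

The point of returning every failed checkpoint, rather than stopping at the first, is that the security operations team sees which controls fired; a transaction rejected by two or three independent checks is a much stronger signal for automated response than one rejected by a single noisy check.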
2. What are some of the biggest impediments to innovation in your industry sector?
In my experience, the legacy mindset continues to be the biggest impediment to cybersecurity innovation. This is what I described previously as a mostly manual response to threats based largely on human decision making and using dozens to hundreds of security technology “soda straws” to try to see and stop threats that are operating at a speed and scale that make it an impossible fight. However, things are changing, and that mindset is slowly being torn down as the three trends I mentioned previously are demonstrating success against modern cyber threats.
3. How has innovation become engrained in your organization’s culture and how is it being
I believe that the innovative spirit is embedded within the individual values and organizational culture at Palo Alto Networks. It has been built from the bottom up and inspired from the top down. Our teammates regularly reward the innovative spirit, as well as the other individual values that make up our corporate culture such as execution, integrity, collaboration, customer first, and disruption, through a democratic process where any employee can send congratulatory “points” to anyone else who has demonstrated a particularly noteworthy value. At our regular “All Hands” meetings, our leadership always recognizes those who have risen to the top in demonstrating these values, and the innovative spirit is always one of the most coveted call outs. So, as I mentioned before, strong individual values and the resulting organizational culture at Palo Alto Networks are lived daily and not simply a slogan on a sign somewhere that collects dust.
4. What technologies, business models, and trends will drive the biggest changes in your industry over the next two years?
AI has been driving enormous changes within the cybersecurity industry for some time and that’s not going to change. Generative AI and Large Language Models are going to make important contributions to improving the cybersecurity posture of organizations that leverage them. I believe that these capabilities will drive enormous improvements in the way humans interface with machines and software and I think some very exciting times are in store.
Another technology that will critically impact not only the cybersecurity world, but just about every public or private function that you can think of, is quantum computing. Regarding the impact on the cybersecurity industry, this technology will destroy every semblance of modern-day encryption. It won’t happen all at once, but in stages as the number of logical qubits increases. Estimates are that the various stages will occur between the next five and fifteen years. However, the threat is already here as both state adversaries and criminal entities are harvesting encrypted data now so that they can decrypt it as the quantum computing power becomes available in the various stages of advancement.
The race is on between advancing quantum computing capacities and the development of post-quantum capabilities (things such as quantum random number generators, quantum key distribution and post-quantum ciphers). Palo Alto Networks is part of the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) efforts to help ensure that we win that race when it comes to cybersecurity.