Interview with Senior Security Engineer and Cybersecurity Expert Greg Witte of Palydin
About Greg Witte
As a Senior Security Engineer for Palydin, Greg Witte supports federal and commercial clients, primarily within the National Institute of Standards and Technology (NIST) IT Laboratory and U.S. Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation Program (CDM). In more than 30 years in the Information Security arena, he has helped to build and improve multiple enterprise frameworks, including the NIST Cybersecurity, Privacy, and Workforce frameworks; ISACA’s COBIT model; and the Baldrige Cybersecurity Excellence builder. Drawing upon that expertise, he helps organizations to better integrate cybersecurity risk considerations into enterprise risk management activities.
TRANSCRIPT OF DISCUSSION:
KURT: Good afternoon. Greg, how are you?
GREG: I’m doing great, Kurt, other than a minor thunderstorm passing by. But things are good here.
KURT: All right. Well, glad you are safe. I heard there was a little bit of hail. I understand that you’re a little bit south of the Annapolis area, just outside of Washington, D.C. Thanks for joining me today.
GREG: Oh, thanks for having me. Awesome.
KURT: So, for anybody who might not know me, my name is Kurt Greening. I work for a company called Securis, and we are in the business of helping government agencies, government contractors, also regulated industries like banks and health care, remove data from end of life electronics and then recycle them in an environmentally responsible way. So, I’m glad that I have Greg Witte here, joining me. He works for a company called Palydin, and Greg supports a bunch of federal clients, but also has some commercial clients. Most people who have listened to us in the past would know about National Institute of Standards and Technology or NIST. In the past, I’ve talked about standards like NIST 800-88. Greg has also worked with DHS, a program called Continuous Diagnostics and Mitigation, or CDM, and has actually been in information security for more than 30 years. Been a part of tons of cool projects. He’s built some models and frameworks. We may talk a little bit more later about his work with a security organization known as ISACA. But I will, at the end of the show, maybe let people know how they can reach out to you, Greg. Because yourself and your company, you know, you help people, at least my understanding is, better integrate cybersecurity risk considerations into enterprise risk management activities, which for me, I understand that, you know, the opportunities or the threats are growing and so it’s super important to have people like you keeping our way of life safe and protecting us from cyber adversaries. So, Greg, again, thanks for joining us.
GREG: Thank you. Yeah. Ready to help anytime.
KURT: Awesome. So, you and I, Greg, we originally met out in Las Vegas at a conference known as ACE, which is the yearly conference from the International Association of IT Asset Managers. And I understand that you’re pretty active in that organization. I think you may even teach some classes besides volunteering at their conference. Tell me what interested you about that organization.
GREG: Oh, thanks. Yes. Usually what happens in Vegas stays there. But we’ve met in Henderson, so it’s a little bit outside the strip. We can talk about it. Yes, exactly. Now, I’ve been really fortunate to work with ITAM for going on a decade now. If you look at security controls, if you download any of the controls frameworks, you’ll see that they always start with asset management, and that’s for good reason. You know, we all know you can’t secure or even really manage your assets, the resources that companies depend on so heavily, unless you know what you have and where it is and what it is being used for. So for that reason, IT asset management really is the hub, or at least from an IT and an OT perspective, for the whole organization. So good security begins with good asset management.
So I got to know Dr. Barb and the team at ITAM long ago. And yes, as we talk more and more about security, and as I got to know their certification programs, particularly their camp C program that focuses on asset management security, it really helps us to understand, you know, exactly where that asset management piece fits. And they also do a really good job of thinking about the total cost of ownership better than most organizations I’ve seen. If you think about, for example, you know, think about what you were saying, Kurt, about Securis.
You know, we know even when we first purchase a laptop that there’s going to come a day when I’m going to need your team to help me to basically decommission that device and maybe even do some work to make sure that you’ve dispositioned the drives correctly. We know there’s going to be a cost. So we should be thinking about that cost even when we first requisition it or when we, you know, have our moves and adds and changes.
So we should be thinking about that in advance. And you should be thinking about the patching and the updates and the licenses and the training. You know, there’s a total cost to that, and ITAM does a good job of helping us to think about that, to make sure that, you know, both from a good business standpoint and from a risk management standpoint, we need to be thinking about, really, the total lifecycle of that ownership, including, of course, good disposition. So that was how we got involved. And it’s really exciting to be kind of looking at where those circles of security and IT asset management really overlap quite heavily.
KURT: Yeah. So International Association of I.T. Asset Managers is, I think, a wonderful organization. Anybody that gets involved in asset management, I would recommend that they join. I’ll try to post a link in the show notes. But Greg, you know, I talked about you being a cyber guy and being in cybersecurity for 30 years. We talked about IT asset management being one component of cybersecurity. But tell me, how did you get into cybersecurity?
GREG: Yeah, it’s true. The gray beard is real. Yeah. I started out, even just straight out of high school, working in factories, building computer equipment and networking equipment. I’d always played with networks and, you know, amateur radio as a kid. So for a while I was working in factories, building networking equipment. And one of my customers in the federal government, they had one of our, you know, one of the early internet working routers. They called us up and said, hey, your router is broken.
So we went out with our tool kit, and I went out there with my packet sniffer and said, my router is fine, your network’s broken. No, my network’s fine, your router’s broke. We went back and forth a little bit, and it turned out to be one of the very early federal security bugs on the brand new, you know, shiny new thing called the internet. I think they were in the process of moving from Arpanet to internet. But at the time, the networking company that I was supporting was starting to go out of business.
This little upstart company called Cisco was starting to come out, and obviously Ethernet was growing. And, you know, this security thing seemed kind of interesting. So I said, maybe I’ll try that for a while. Of course, that was 1993. And we’re still going. But it was a good intersection of my networking and the Unix side of things. One of the things I love about security and cyber in general is that, you know, the things that we do, the things that you and I do, go all the way back to George Washington.
You know, you think about the Revolutionary War and some of the biggest battles were lost because somebody didn’t properly secure their resources, and they didn’t have Securis at the time to shred their plans, their war plans. But, you know, you can have that solid foundation, and yet it’s always changing.
I was at a meeting with Securis just yesterday talking about innovations in AI and how we can be doing that, you know, the next steps. We were talking, you know, about how do we better secure AI in our asset resources that are based on artificial intelligence. So it’s always changing. And yet you’ve got that solid foundation. So it’s always exciting. It’s not always. Well, it’s not always exciting, but it’s never boring. Let me put it that way.
KURT: Yeah. No, I mean, we’re seeing AI drive a faster refresh cycle around hardware assets. Most agencies and a lot of health care organizations that I work with are scrambling to get rid of devices that aren’t going to support Windows 11 and the AI resources. So that’s, you know, AI’s a big thing in all aspects. It’s a big thing for, you know, businesses, for improving citizen services and government. But it also causes some challenges around IT asset management.
So when I made the intro to you, I talked about this organization called NIST, and not everybody knows what NIST does, but we’re not going to maybe share everything that they do because what they do is pretty broad. But yeah, focus a little bit on, you know, maybe you can tell, you know, generally what they do. But really, how does NIST help improve cybersecurity? And I understand it’s not just for government agencies but, you know, even, you know, banks and hospitals look at NIST and say, hey, what is the best practice for securing my organization?
GREG: Oh, yeah, it’s a wonderful organization and I’m fortunate I’m a contractor there. So I can’t, you know, I’m not a government employee, but I can speak about them since I’ve been working with them going on 15 years, which is a great place for me to be. NIST was actually born in 1901 as the National Bureau of Standards. It was their job to help kind of make sure that, you know, when you buy a pound of something that it actually was a pound, and the same thing, lengths and measures, all kinds of things.
But the great example of where they are today, you can go back to 1904. There was a large fire, not far from where you and I are sitting, up in Baltimore. There was a huge fire in downtown, and fire companies came from all over the East Coast to help put out the fire, but they found out that the hoses didn’t couple the hydrants, you know, didn’t work together. They had all the equipment, but it didn’t work together. And it ended up, you know, I think, you know, something like a thousand buildings burned down because they couldn’t respond quickly enough.
So that kind of opened their eyes to the notion that in addition to making sure that we have consistent weights and measures, we absolutely had to better support interconnectivity. The stuff’s got to work together. And that’s where NIST really shines. Today they’re the National Institute of Standards and Technology, as you said, and much of their work has to do with making sure stuff works together. They’re not going to tell us what to do with each second of our day, but you know that you can tune your clock to the National Bureau of Standards and the NIST clock, and you know what time it is. It’s the same way for information security.
You know, the conversation we’re having now is encrypted through encryption methodologies that NIST has reviewed and approved. And that way, we know that our tools can talk together. It’s the same thing with networking, and of course, that’s true with other elements of security. They don’t tell us what the security plan should do, but they’ll give us a catalog of security and privacy controls so that we can agree together on how we’re going to interoperate from a security standpoint.
And that’s really what we do. The main part of what I love working on is on the frameworks, as you said earlier, and the one that I’m mostly focused on is called the Cybersecurity Framework, which basically is just based on five simple functions. If you can identify what matters, then you can do what we need to do to protect it from the known knowns, hopefully very quickly detect what we need to detect in our monitoring role and then respond and recover quickly. So we released that framework in 2014 and in 2024, we just updated that to version 2.0.
We added a whole governance function to kind of go around that, because we found that, you know, we can do all the protection and detection we want to, but we need a governance aspect of it to really drive our strategy to understand, you know, what do our stakeholders expect from a risk management perspective? How do we instantiate that through policies and oversight? And we also added a great deal of information there about supply chain. Your listeners, I’m sure are focusing heavily on supply chain risk management, especially for information and operational technology.
You know, we depend more than ever on external apps. The conversation we’re having is using, you know, something as a service everywhere. We’re depending on these external apps and partners. So we need to do even more than ever to manage the risk to and from those partners to make sure we’re doing the right things the right way. And again, that’s back to that interoperability.
So, you know, you know from your work, Kurt, in the things that you’re doing, you know, some of the data, all you have to do is just format the drive and go on about your day. And there’s other data that’s stored, like health care or other, you know, sensitive data, where, you know, you want somebody to erase that drive and then smash it into pieces, and then toss those pieces into the volcano in Mordor. You know, there’s some information that’s just absolutely got to be well protected.
And part of our job in risk management is to understand, you know, which are the crown jewels, and how do we make sure the right things are well protected. So that kind of goes back to what we do at NIST, where we can’t tell you what to do. Much of what we, you know, would want to build into our plan kind of depends on different context and different factors. But we do provide a ton of frameworks and guidelines to help, you know, like the AI we were talking about, you know, our recent work in the AI risk management framework, combined with the cyber framework, that type of thing that really helps us to work together with our colleagues to see, you know, how do we categorize it? What should we be doing next? How should that work?
One last piece I really love about the work at NIST is the Workforce Framework. So many of the controls and you go through the international standards, and they’d say that, you know, somebody should do these following activities, but they didn’t really focus on the who. And that meant it’s difficult to teach people to hire people to promote people, to understand where we may have some skills gaps. We weren’t so focused on workforce. And I know as a parent, if I say, hey, somebody should lock the door, who’s going to lock the door? Well, nobody, if it’s not actually assigned to a particular role. So, we’ve been working now for, I guess going on ten years about how do we better describe the workforce, the work roles and the tasks and the skills and the knowledge that the people have. And that’s turned out to be really helpful for helping people understand, you know, what they should learn, how they should apply it, and what tasks need to be done. So it’s been really exciting.
KURT: Yeah, right. That’s helpful. In my house, my wife says somebody should do the dishes, and I think she’s just decided that somebody should be me. So I’m very helpful in making sure the right people will take care of.
GREG: So that role has been defined and assigned and it’s overseen, I’m sure.
KURT: Awesome. So we learned a little bit about NIST, which is great. I knew about the Baltimore Fire. But I didn’t know the history behind why it was so bad. So that was super helpful. So let’s talk a little bit more about a federal agency. The Department of Homeland Security, parts of Department of Homeland Security have been in the news recently, more around, like, Border Patrol and ICE, that, you know, that’s been. But other people might not be aware that, you know, besides securing our borders and making sure that we’re tracking who’s in our country, DHS does a lot to secure critical infrastructure. And I also understand that they have a role through the Congress and OMB to report back to Congress on how federal agencies are doing from a cybersecurity posture management perspective. So, yeah, I understand that this CDM program or continuous diagnostics mitigation program helps with some of those things. Can you tell me a little bit more about that?
GREG: Sure. And that takes us right back to asset management. Yeah. As you said, in particular, I support CISA, which is the Cybersecurity and Infrastructure Security Agency, which, as you said, is a component of DHS, the US Department of Homeland Security. It’s, you know, if you think about it, so much of our nation depends on critical infrastructure. You know, we saw just what happened in Europe just a few weeks ago, where whole sections of the country went down. Now, in that case, you know, you never know which is a cyber attack and which is just the nature of the flexible power grid. But, you know, so much of our nation is very dependent on that critical infrastructure, our water sector, power, you know, making sure that, like you said, our health care and financial systems are sound and reliable.
So CISA’s job is to help monitor those infrastructure components, including the government side; state, local and federal government agencies can get help from CISA. And CISA is there to help to provide advisories on new types of risks that are happening. They put out lists of key vulnerabilities that the bad guys are exploiting. And part of our program there that I support is the continuous diagnostics and mitigation program, CDM, which started out as an asset management program.
Really… as you know from your work in ITAM, the first thing you need to know is what’s on the network, right? So it started out as an opportunity for federal civilian agencies at least to be able to load agents and understand, you know, what are the devices, including IOT, operational technology, other cyber physical systems. What exactly is on the network? And they’ve built a huge database that they use to do asset management, including, you know, they use it with new assets coming in as those move and add and change within the organization.
And in fact, we do track the disposition of those resources once they reach their end of life. And then, you know, besides just knowing what’s there, we also keep track of what vulnerabilities the vulnerability scanners have found. They’ve got a threat hunt team that keeps track of what they see. You know, it just provides a visibility capability for the federal government so that they can see what’s happening. They can inform, you know, the agencies have their dashboard, the ECS cyber team that I support provides agency level dashboards, federal level dashboards, maybe someday even state and local dashboards for those entities. But we provide visibility into that IT asset management so that organizations can see what’s on the network, who’s on the network, what’s happening that supports continuous monitoring for any threats and vulnerabilities that seem to be emerging, and then it helps them to have a better understanding of that bigger picture.
You mentioned one of my loves is enterprise risk management. You know, a lot of organizations focus at the system level, and that’s vital. But we also sometimes need to take a step back and see, what does this mean about our whole organization? So, you know, this way we can do both. We can go all the way down to a device, we can look at it as a system, as an agency, and as an entire federal civilian executive branch, for example.
KURT: Yeah. I mean, interesting. I think, Greg, you and I have a mutual friend, Greg Crabb, who you may have worked with at CISA and other places. I had Greg on and interviewed him around third party risk a few months ago and IT asset disposal companies. He talked about what has gone wrong in the past and the results and the fines, but he also talked about some of the best practices. And then his company developed a risk assessment for vendors like Securis in the IT asset disposition space, because it turns out a lot of them could do better when it comes to following best practices. So if anybody wants to check that out, they can.
GREG: Yes, in fact, I just saw Greg a few days ago. He and I first worked together. He and I were reminiscing that our first work together was at the Postal Service back in the late 90s. So. Yeah, it’s, like I said, it’s exciting, and in many ways, you know, in some ways it’s the same. And in some ways it’s always changing. We hadn’t even dreamed about what AI could be doing these days, but yeah, that’s part of the fun. It’s a very small town. And, he and his son, I enjoyed the interview that you did with them not long ago.
KURT: Yeah. That’s great. So, Greg, what’s something you’re passionate about in terms of improving cybersecurity posture of government or even, you know, critical infrastructure that might be run by local governments or even, you know, power companies or financial institutions? What are some of the things if somebody, you know, an executive team brings you in and says, hey, Greg, we’re worried about cybersecurity. You know, and talking to our CISO, the list is long. Well, what are things that you tend to look for early on and you’re passionate about trying to help people improve?
GREG: Well, one of the things that I’ve been doing a lot of work on, which is risk measurement, has been really challenging. One of my early mentors was a fellow named Jack Jones, who went on to create a methodology called FAIR, which many of your listeners may have seen. It, you know, we currently see in many of the places I go, even today, you know, I’ll ask to see, you know, do you have a risk chart?
Do you have a register of your risks that you use to figure out what scenarios might happen and how likely they are, and for many of them, they still just rank their risk as low, moderate or high or red, yellow, green, or they use some sort of measure like that. That’s very qualitative and it’s really hard to not only is it hard to sort your risks just for cyber, but it makes it even harder when you’re trying to compare cyber risk with market risk and labor risk. And one of my customers is even, you know, dealing with Brexit risk.
You know, there’s so many different risks in the risk universe that an organization has to deal with. And it’s not really always helpful when all you have to go on is low, moderate, high at best. So what we’ve really been pressing is the fact that we can do a better job of quantifying the risk. You can come up with a range. We can say that I know what it costs to go down for a minute or an hour or a day. You know, you can go back and calculate for a particular business system or application.
This is what it would cost us if we didn’t have access to that. Or better yet, this is what we have to make sure we continue to have access to. This is what must go right, so you can figure out the value of your different resources and assets. And based on that, now we can go back and think about what are the threat sources that might jeopardize those. We can think about the factors. It’s not just, you know, threat or not threat. It’s not binary. But we can say, you know, just like we would with our house as well.
You know, we’ve got a fence and that helps. We put up a sign in the front that might deter an adversary. We can think about, you know what? We have of value. That’s there within that house. So we can start to think about not just we have a threat or we don’t have a threat, but what’s the likelihood that a threat would occur? What would be the things that we could do to decrease the frequency of access by that threat actor?
We can think about the vulnerabilities that they might exploit or the preexisting conditions. You know, right now with this thunderstorm, I’m about a block off the Chesapeake Bay. So I’m thinking about the flooding and the warnings that they’re giving me about the floods that may occur. You know, we can think about, a true range. We can start to think about percentages and I can say, all right, looks like there’s a 43% likelihood.
Based on the past five years experience, we can actually calculate the likelihood that a flood would occur in my neighborhood. And based on that, I can think about what IT resources might be jeopardized by that flood. And we can actually start to go from, you know, red, yellow, green to an actual exposure, even a dollar sign exposure cost to say, all right, if this went down for an hour, it would cost me a million bucks. There’s a 13% chance it would happen. So now we can start to calculate real dollars and they can use that for a trade off.
So really all I’m getting at is there’s so much more data that’s already available to us to do a better job of estimating and modeling the actual potential risk exposure that we have and the impact that would happen if a scenario were to take hold. And I think, you know, enterprises have an opportunity to kind of go from, yeah, it feels like moderate to me, to actually thinking about a range of cost exposure that they have that will help them to do better for planning and executing a cybersecurity program for both their critical resources and in overall enterprise risk.
KURT: Yeah. That’s great. Greg, so if somebody is listening out there and has heard, okay, great. So yeah, I would like to better quantify my either cyber or my enterprise risk. And I’m thinking about these assets that I have, these IT assets and potential threats or vulnerabilities, and they feel like, hey, I want help, Greg. Sounds like he knows what he’s doing. What are ways people can reach out to you? Would you recommend, you know, do you answer LinkedIn messages from people or your website? Or what can I put in the show notes if somebody says, hey, you know, I might benefit from talking to Greg and his company?
GREG: Yeah, we’d love to help, and either one is great. I love meeting new people on LinkedIn. I’m getting new friends every day. Yes. Feel free to reach out at the site. It’s just www.palydin.com, and we’ll put that in the show notes, or reach out through LinkedIn. And, of course, you know, love to talk to anybody about ITAM or security or, you know, any other topic. I’ve been around quite a bit. So happy to just share. We were having fun the other day, just kind of remembering some of the old, good old days. One of the folks, you know, broke out an old RIP tech report from a long time ago. We were having fun flipping through that. It’s a fun industry and it’s a very small town. So happy to make new acquaintances any time.
KURT: Awesome. Great. Well, hey, thank you again for joining us. I know I learned some things and, I think, the rest of our listeners sort of learned some things and hopefully a bunch of new people will reach out to you and benefit from your help.
GREG: Oh, I really appreciate you having me, Kurt. And thanks for having me here.