From Compliance to Resilience: Securing Digital Mission Systems at Military Scale

June 25, 2026

In this episode of Exploited: The Cyber Truth, Paul Ducklin sits down with RunSafe Security CEO Joseph M. Saunders and Lt. Gen. (Ret.) Bill Bender, former Chief Information Officer of the U.S. Air Force, to explore what it means to build cyber resilience across complex defense and critical infrastructure environments.

Drawing on his experience leading a global IT organization with hundreds of thousands of endpoints, Bender explains why security leaders must move beyond checklist-driven approaches and focus on mission assurance. Success depends on understanding the environment, prioritizing critical systems, and making strategic investments that reduce risk over time.

The conversation explores:

  • Why compliance-based security falls short in complex environments
  • Building cybersecurity culture, accountability, and leadership structures
  • The creation of the first CISO and CDO offices within the Department of Defense
  • How public-private collaboration accelerates innovation and modernization
  • The role of Zero Trust in securing large-scale mission environments
  • How SBOMs and software supply chain visibility support risk management
  • Why AI is accelerating both innovation and cyber risk

The key takeaway is that resilience is not achieved through compliance alone. Organizations that understand their missions, prioritize their most critical systems, and integrate security into modernization efforts are better positioned to withstand disruption and adapt to evolving threats.

Speakers:

Paul Ducklin: Paul Ducklin is a computer scientist who has been in cybersecurity since the early days of computer viruses, always at the pointy end, variously working as a specialist programmer, malware reverse-engineer, threat researcher, public speaker, and community educator.

His special skill is explaining even the most complex technical matters in plain English, blasting through the smoke-and-mirror hype that often surrounds cybersecurity topics, and helping all of us to raise the bar collectively against cyberattackers.

Joseph M. Saunders: Joseph M. Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.

Guest Speaker – Lt. Gen. (Ret.) Bill Bender, Former CIO, U.S. Air Force

William Bender is a seasoned board member, tech industry executive, former USAF CIO, and retired three-star general with extensive expertise in IT, cybersecurity, and governance. As CIO, he oversaw a $17B IT spend and a 54,000-person workforce. At Leidos, he supported growth from $10B to $15B. An innovation driver, Bender is also an experienced board member, advisor to startups, and a published writer and speaker.

Currently a prominent technology leader, Bender has served on multiple boards including Tangram Flex, Smartsheet, and AFCEA International, where he serves on the Cybersecurity committee and was formerly its chair. He is a strategic growth advisor with Keeper Technology, focused on data management and storage solutions. With Deep Water Point & Associates, he serves as Principal, providing consulting services and thought leadership.

He held a distinguished career in defense and technology. As SVP at Leidos, he led customer-facing business development, supporting defense, intelligence, civilian, and health sectors. His leadership supported the growth of Leidos' revenue from under $10B to over $15B. He implemented the Leidos Technology Exchange, enhancing customer engagement.

Episode Transcript

Exploited: The Cyber Truth, a podcast by RunSafe Security.

Paul Ducklin (00:06)

Welcome back everybody to Exploited: The Cyber Truth. I am Paul Ducklin. I’m joined as usual by Joe Saunders, CEO and founder of RunSafe Security. Hello, Joe.

Joe Saunders (00:19)

Hey Paul, excited for today’s conversation.

Paul Ducklin (00:22)

Me too, because we have an extremely distinguished guest indeed, and that is Lieutenant General retired Bill Bender, US Air Force. Bill, I’m going to call you Bill from now on. I hope you don’t mind.

Bill Bender (00:36)

I would love it if you’d do that. That’s great, Paul. And thanks for having me and Joe, nice to meet you.

Paul Ducklin (00:41)

Bill, our title for today is “From Compliance to Resilience: Securing Digital Mission Systems at Military Scale.” Now, Bill, you’ve led both cybersecurity and IT for, let’s be quite frank, one of the biggest organizations in the entire world, the US Air Force. When it comes to matters like compliance, which a lot of people talk about and are required to do, how do pure compliance-based approaches fall short when you try and secure a system as complex as that of the US Air Force?

Bill Bender (01:17)

That’s a fantastic question, and I probably would have been a much more successful chief information officer of the US Air Force if I had all of the right answers here, but certainly, I have some general thoughts. To your point about a large organization, the US Air Force had on any given day seven hundred thousand endpoints.

Paul Ducklin (01:40)

Wow, that is literally anywhere and everywhere.

Bill Bender (01:46)

In the category of the top ten companies in the world. The scale is the issue. And when you start to talk about compliance and the challenges with a compliance-only approach, you start to bring in, well, what is the training regimen? You can imagine that this workforce, similar to most workforces, is a very transitory one.

The training bill associated with a compliance-only oriented approach to securing your enterprise is really a non-starter. And yet training has a significant piece of it. You have to have an all-in approach within your workforce. And so I don’t dismiss that as a requirement, but it’s insufficient solely to do that. It’s compliance plus the use of technology and better methodologies. And so in the case of the US Air Force, we spent a lot of time up front understanding what constitutes our enterprise and what is the current state of our IT broadly. What were the component parts?

In the Air Force, it would be the major commands, then the wings and the squadrons. You just sort of extrapolate that down and get a better understanding of your current state of IT. If you don’t know where you are, you’ll never know where you’re going.

And then trying to break that into relatively bite-sized pieces, primarily around mission priorities, securing your top missions first, and finally satisfying yourself with some of the second and third-order requirements, a smart, prioritized approach to what you’re trying to do.

Paul Ducklin (03:32)

There’s also the complexity compared, say, to a commercial organization that’s selling items online. If something goes down, lives might be at stake, missions might be compromised, rather than just that some customers might not be able to buy the shoes they want for the next thirty or forty minutes.

Bill Bender (03:53)

That is very much the case, and you know, we maybe overuse this term in the military sense, but no fail missions. Yes. There are things that have to get done or lives are at stake. A lot of interplay, a lot of interconnections, a lot of interoperability required, a massive number of systems that have to be secured, and so starting with where I am today, before I know where I want to go, was really critical. And it seems almost fundamental, but very often IT leaders want to jump to the conclusion. They’ve got a new technology, a new widget that’s supposed to save everything, but the problem is it just doesn’t work that way.

Paul Ducklin (04:33)

In a commercial organization, well it might be expensive, it might be complicated, but you can shift from Windows ten to Windows eleven. But military systems typically include such a breadth and depth of different types of computer operating systems, software, and management interfaces that you can’t really do that, can you? There are some things that you have to live with, like in industrial control systems, for five, fifteen, twenty-five years, possibly even longer. How do you build that into both compliance and culture?

Bill Bender (05:10)

You have what you have and there’s not any mechanism by which to get healthy overnight. And so there’s a tremendous amount, I don’t know that you mentioned it, but technical debt. And a very legacy infrastructure. And only so many dollars. The dollars are not getting healthy quick. You have to be really strategic and thoughtful about the approach.

When I stepped into the Air Force role, we were managing our Cisco components one base, one organization at a time, and we, no kidding, had twenty-two hundred different contracts that ran across the Cisco equipment that was part of the global Air Force. When we thought about it differently and made that a single enterprise contract, we were able to save something on the order of three hundred million dollars in the costs of those contracts over a five-year period. But far more importantly, we eliminated gray parts and had much better response times. We went from twenty-two hundred to one and improved everything about our ability to take best advantage of good technology that Cisco was providing as an industry partner.

Paul Ducklin (06:17)

Yeah.

Bill Bender (06:33)

Part of my challenge was one of being a chief education officer of the people both above me who typically develop those requirements and resources, and weren’t thinking in enterprise terms, and definitely the people below me who felt like, for lack of a better descriptor, money is power. You know, I have the money, I can make all the decisions. And I would be like, Yes, but you don’t get the best solution.

Joe Saunders (06:56)

I suppose there’s always opportunities for even other areas. I think even today, much like your example with Cisco, other providers like Red Hat and folks that provide operating systems and things like that, also may have a significant number of individual contracts for certain projects, programs, missions, and the like. There’s room to both consolidate and modernize. And when you can create $300 million of savings and improve service, I mean, that’s a double win. That’s a great step forward in general and a good example of how to create opportunity at the enterprise level.

Paul Ducklin (07:27)

Ha ha.

Bill Bender (07:34)

And I think Paul, if I could just pull the thread a little further on this, it would not have been possible without the partnership with Cisco. It was a full partnership. They were in from the beginning. They helped us take accountability of what was out there and helped us restructure and frankly had to deliver on the back end because they had made some promises under their service level agreements to provide twenty-four-hour service, seventy-two-hour service, whatever it was. And so it’s definitely a partnership, but I think there’s a lot of room for managing these big complex organizations by taking an enterprise approach, which was my initial point.

Paul Ducklin (08:12)

I was delighted to hear you used the term I suppose almost in jest, but also seriously chief education officer, building a culture where people wanted to do the right thing, and not just wanted to, but felt that they were able to do so.

Bill Bender (08:30)

There were plenty of examples where you had to really drive a mindset shift about how we do this, helping culturally to bring people up to an understanding of what technology provides them. I said it in jest, but it was quite serious. In most cases, my focus was not on the digital natives, the young people who are using it every day, who know very well what’s possible.

And for all the right reasons, they were walking into work every day for the US Air Force frustrated because they weren’t getting to leverage the best of technology. It was really the decision-makers and the process by which we got to decisions that had to move at the pace of technology. And so a lot of the work that I did was really to help leadership understand that there were great changes taking place in the environment, and that meant that they had to change in their ability to get to quick decisions, to leverage what was happening.

By and large, we’re getting better at that, but I would say it was complacency. We had gotten to the point where we were somewhat complacent and satisfied, and all of a sudden the technology was outpacing us and our processes. So, surprisingly, as I got into a CIO role, I talked much more about cultural mindset shift and process change than I ever did about the technology itself.

Paul Ducklin (10:03)

Bill, my understanding is that you were actually the first person in the Department of Defense in the US to introduce the roles of CISO and COO, Chief Information Security Officer and Chief Operating Officer, bringing a sort of industrial or commercial flavor to managing things that I guess traditionally were just considered well, it’s computers, that’s just technology. What was the idea of introducing those roles, and how did they change how you perceived and handled risk?

Bill Bender (10:35)

That is absolutely true. We were at an inflection point within the Air Force, just understanding the cybersecurity threat for starters. I came into the building well aware of significant breaches and having enough situational awareness to understand that we should be very concerned about protecting our data, protecting our weapon systems, protecting our critical infrastructure, and did not see that as a matter of course on a regular basis and was concerned because all of a sudden I’m in charge of it or responsible for it.

So the first thing I did was stand up a cybersecurity task force. You can’t have anything if it’s not a task force in the military. We had all of the functional Air Force involved, and together with the idea of raising all boats, we raised our awareness of the challenges and talked to the stand-up of a Chief Information Security Officer. It was a first in the Department of Defense, but we also stood up a Chief Data Officer along the way, and stood up the Air Force Innovation Unit that actually was the forerunner to the Defense Innovation Unit. And it was really all premised on the world around us has changed. We have to change too. CISO was very common inside of large corporate organizational structures. And so we very much mimicked what was taking place in the commercial world. And I think that it was validated by the fact that every single service, including the Department of Defense, all have these positions today. They followed in quick suit.

Paul Ducklin (12:22)

So I guess that would be the start of a very different way for the military to do their public-private collaboration. A lot more free flowing of information and ideas than perhaps had been either thought possible or desirable in the past. How do you embrace the private sector without undermining that operational security of something like the Air Force?

Bill Bender (12:47)

I kind of alluded to it in terms of recognizing that the relationship between government and industry had to change. At that time, there were some challenges still to overcome in terms of wanting to be involved with the Department of Defense, for example, because things move really slow. If I’m an innovator and an entrepreneur, I’ll be out of business before I ever get my first contract with the Department of Defense.

So we had some responsibilities internal to the Air Force, in my case, to move those along. And so that was the stand-up of the Air Force Innovation Unit because they had special funding and the ability to move fast. There’s an innovation hub out on the West Coast. I surprisingly spent quite a bit of time out in Silicon Valley just seeing what was possible.

Eventually, what it led to was the ability to look at some of the legacy programs and the way that they were proceeding and have more confidence in canceling those programs and taking a new fresh look at it. In the weapon system of the Air Force that is command and control, they call it the AOC, that had been struggling along and was probably close to a billion dollars and 10 years behind what it was supposed to be. And we ended up canceling that outright and moving to a much more software-defined approach, which the commercial sector had been dealing with for probably 15 years already, but it was new to the Air Force. That led to a proliferation of software development across the Air Force. We have 34 software factories.

The other services are doing the same thing. And so it’s a much more modern defense infrastructure and much more capable today.

Joe Saunders (14:46)

And that acceleration of software development obviously drives further innovation for the warfighter. And interestingly enough, it’s just a few years later, hence, that we face a new major transition with AI.

Bill Bender (15:00)

The takeaway there is that technology’s moving fast. You can never rest on your laurels. You can’t be complacent. You have to stay abreast of us. So let’s think in today’s discussion, one of the conversations I think with every company I intercede with at all is around agentic AI and how are we going to defend against it? We have to have a serious discussion about that, because you can’t build a wall high enough or fast enough to keep up with it.

To your point, Joe, it’s a good thing that we went through this journey not too long ago with software development because now we’ve got AI in front of us and who knows what it’ll be a couple of weeks from now.

Joe Saunders (15:38)

Yeah, and I would just add to your point around AI and agentic workflows and security, the fact that AI can identify vulnerabilities and even perhaps write exploits faster than organizations can patch is a serious concern. Serious conversations are taking place to find ways to improve and respond to vulnerabilities and exploits being written at machine speed.

Faster than we can patch, even faster than DevOps pipelines can produce fixes. Correct. Paul, I think we even have some discussions exactly on that point coming up. The ability to accelerate your software development processes through these software pipelines that you alluded to earlier, Bill, only enhances our ability to keep driving on innovation for the warfighter. You said tech debt earlier, Bill. With vulnerabilities, it could be more tech debt, but

Paul Ducklin (16:15)

Yes.

Joe Saunders (16:33)

Finding that way to continue to accelerate and deliver software fast so that the war fighters have the innovation is always a top priority.

Paul Ducklin (16:41)

Joe, we had a discussion a few podcasts ago with someone who had just come back from naval conventions in South Korea, reporting that apparently the South Korean Navy figured we’ve got all these plans to build some new aircraft carriers, which are the way you project your power historically. Let’s scrap all of that. Let’s have lots and lots of autonomous vessels instead. Let’s do things completely differently. So they really did think of throwing out the well, you don’t throw out the water in the navy, I guess. But it’s almost as though they did throw out the baby in the bathwater and say, Let’s start over.

Bill Bender (17:17)

Yeah, yeah. These conversations are taking place on new innovations. And I know there’s a lot of really good people thinking about this and certainly in the defense sector specifically, it’s the defensive side. Like how are we gonna defend against it? And that’s the conversation I tend to be in just defending against determined adversaries who are now using agentic AI for nefarious purposes is a conversation worth having.

And I know it’s taking place and I’m thankful to hear that from somebody like you, Paul. I’m hoping that we get some good solid directions on where to go. There’s just a world of possibilities, but honing in on them and getting started and putting resources against it from a Department of Defense perspective is really important. And so I hope to be a part of that conversation going forward.

Paul Ducklin (18:09)

Bill, do you mind if I just zoom in very briefly on a specific aspect that has become quite an issue, certainly for commercial companies these days, notably after the coronavirus pandemic, as we’ve learned to have people working all over the world, which is something the military has been able to deal with for years and years and years. And that is the issue of zero trust. Mm-hmm. Quite a buzzword these days. How does something like that, where you worry about people identifying themselves or devices identifying themselves in a much more ongoing way than perhaps in the past? How does something like that look in an organization like the US Air Force? Which is just so very big, seven hundred thousand endpoints.

Bill Bender (18:53)

Yeah.

Well, I think it goes back to the first part of the conversation, where first understanding where you are and how it all comes together and then a mission-driven assessment. We called it mission assurance. And that exercise, intellectual as it is, helps you identify the critical nodes. These mission threads had to be determined, and then prioritized inside of that, and the concept of zero trust, to your question, Paul. I don’t think there was ever an argument. It makes perfect sense. It’s accepting the fact that the enemy’s already in your systems and in your networks. The concept was good, but the larger exercise of trying to make some sense of your enterprise really did portend to more of a cultural discussion around understanding you can’t take anything for granted. The weakest link will be what brings the whole thing down. And so, first a security mindset overall, including your own personal role, and then a good understanding of your infrastructure to the level that you could prioritize it through the lens of how do I get from where I am today to where I want to be.

And all of that has to get wrapped into practical matters like affordability and timing of budgets and things like that. You can imagine it gets pretty difficult. It’s easy to talk about zero trust, really hard to implement it. I took a five-year plan and really looked at it through let’s be confident in our priorities. We won’t get that a hundred percent right, but let’s methodically work our way through from most important to least important and do it over time that budgets could support. I was very, you know, not Pollyannish, but had a good understanding that at the end of the day we’ll be in a much better place. We won’t be perfect, ’cause you never are, but you’ll be in a much better place if you take that approach. So zero trust I think has been a good organizing concept for the US Air Force and for the Department of Defense writ large.

Paul Ducklin (21:17)

Joe, do you want to say something about how commercial organizations that want to provide smaller and smaller, more compact systems into the Department of Defense? So no longer the huge contracts we had, but lots of different suppliers providing smaller projects. How would they go about making sure that they can support that move to zero trust? And where does something like supply chain security and Software Bills of Materials come into that?

Joe Saunders (21:46)

I think the smaller organizations often bring innovation and novel new approaches. There’s always a great relationship between the department and what’s called Silicon Valley or technology startups in general. And of course, leaders like Bill and others spend time in California, spend time in Los Angeles, others spend time in San Francisco and build those bridges. And part of that is to bring a pipeline of great innovation in, and there are a lot of mechanisms for small organizations to get introduced.

We’ve seen the SBIR programs and extensions of the SBIR program to help organizations get in, but at the same time, there are then compliance requirements that even the smaller organizations need to adopt. In some cases, they can partner with large primes. In other cases, they’ll develop their own adoption of, say, things like CMMC and the current standards that are expected within that.

And along those lines, I agree with your point, Paul. I think organizations that are delivering software then can help enable the missions that Bill speaks of by helping to support organizations with the understanding of what they’re actually delivering in their software. And that’s where the role of Software Bills of Materials comes in. The examples Bill gave were assessing the whole landscape and then developing the priorities.

Paul Ducklin (22:57)

Yes.

Joe Saunders (23:07)

There is a lot of really, really, really good information inside these Software Bills of Materials. So thinking about even zero trust, the extension to operational technology networks and things like that, there’s starting to be a focus on OT networks for zero trust. And there, with all the vendors that are involved in providing operational technology to the military, understanding the Software Bill of Materials is a good enabler to understanding the software risk and therefore understanding the broader threat that an organization might face if there’s a challenge to its critical infrastructure.

Paul Ducklin (23:42)

By all means, appoint a Chief Compliance Officer. But if you’re going to do that, definitely have a chief education officer as well. You’re not just getting the driving license and then never thinking about road safety ever again for the rest of your natural life.

So, gentlemen, I’m conscious of time, so perhaps we can finish up by offering either or both of you a chance to say something about where you think we will or should go as more and more of our stuff in our regular lives, in our home lives, in our home automation, in industrial plants, and very definitely in the military, becomes software-driven. As more and more of our stuff becomes software-driven, so we can sort of change it almost at will, like a web app seven times a day if we really want to. How do we sort out the cybersecurity challenges that that brings, particularly for organizations as important and as broad and as deep as the US Air Force?

Bill Bender (24:47)

I think one of the greatest challenges for the country and for the military today is really around our critical infrastructure, our operational technology. Not too much effort would be expended in researching where does that become critical in challenging our society around some things that we’ve become pretty used to having.

Paul, you mentioned the advances of software and automation in our home and stuff. I would say really thinking through some of the advances in technology, addressing some long-standing shortcomings and maybe even failures to consider the worst outcomes in how we designed the infrastructure that we’re living with today, and turn at least some of the intellectual energy around the tremendous advances taking place with AI and with technology more generally, towards addressing some of the challenges that we have, in particular around our critical infrastructure, and take care of the big problems so that we can focus on the small problems. And I know there’s a lot of smart people, a lot of agencies, a lot of research and development money being spent here.

But for many, many years, we have built ourselves into a box with software that isn’t entirely secure with a lot of breach-capable system designs. And so now all of those are at risk, especially with the advances in AI. And then of course we haven’t even talked about quantum, but that’s right around the corner. And so technology will be our solution, but we have to think in some cases differently about it in terms of at least an aspect of defending and recovering and ameliorating some of the challenges, the weaknesses that exist today.

Joe Saunders (26:55)

And I don’t think I could say it better than you did, Bill. And I’ll just say a couple of things in my own words related to it, which is that I do think critical infrastructure is an extension of national security, and it’s a requirement to ensure that we have sufficient energy, sufficient data center capability, and all the other mechanisms that support the expectation that we can operate our programs and our systems and our missions.

Ironically, perhaps the AI threat could awaken us on some of the critical infrastructure areas, especially if AI is identifying those vulnerabilities faster than we can patch, it’s going to force us to really think about: how do we change and update or defend these systems? And it’s much like saying that you don’t truly understand algebra until you start to understand calculus. And then you become an expert in algebra. I guess I am always the eternal optimist here. And I think there’s great things to come with AI. And certainly there will be significant challenges.

But when you operate at machine speed and the threat is increasing, those are some of the great moments I think for people, for teams and organizations to grow and learn. And I suspect all of our military and certainly other aspects of critical infrastructure are going to rise to the occasion. And perhaps it is AI that’s going to induce us to do so.

Bill Bender (28:16)

I certainly share that sense of optimism. I do think that therein lies the answer. We just have to think differently about how to use it to solve problems, but also an honest assessment of where those problems exist. I’m an optimist in the long run, so thank you for that perspective.

Joe Saunders (28:36)

Thank you.

Paul Ducklin (28:36)

Bill, I think that’s a really brilliant way to conclude. If I might try and summarize it, there’s a great Australian saying about let’s not worry, which is she’ll be right. The problem is she probably won’t be right unless we all bring a little bit of our own effort to the table. Ask not what technology can do for you. Ask what you can do for technology.

Bill Bender (28:57)

Yes.

Paul Ducklin (29:04)

And remember, folks, you heard it here from Joe, it’s time to brush up on those differential equations. So that’s a wrap for this episode of Exploited: The Cyber Truth. Thanks to everybody who tuned in and listened. If you enjoy this podcast and find it useful, please like and share us on social media. Once again, thanks to everybody who tuned in and listened. And remember, stay ahead of the threat. See you next time.