2018 Cyber Maryland Education Track, Addressing Threats

>>Hello, everybody. My name is Chris Dorobek. I am, I’m a journalist. I am a — so I was an editor of a publication called Federal Computer Week for a bunch of years. And then down there at Washington, DC we have a radio station called Federal News Radio and I was the afternoon guy on Federal News Radio for a bunch of years. Now, I do a blog and podcast that is through an outfit called GovLoop. I’m also writing a book about how to do this job because if you’ve ever sat in — well, you’ve all been in these sessions before and you feel like Harry Potter. Dementors are sitting here sucking the lifeblood out of the room. We’re not doing that today. Because look — look who we have. Also, I know when you’ve been doing cards and stuff, we’re not doing that. We’re actually having a conversation so you guys can ask these fine-looking people questions and we can find out what you think. How many people are students? Just a — oh, great. Industry people, who are industry people? Okay, a couple of industry. Oh, government people? Are there government — oh, look at that. So we only have 35 minutes so we’re going to be very efficient. And these are all government people so their titles will take about 35 minutes so [laughter]. So you’re — we’re basically out of time. We’re talking about threats and I’m going to ask — but before we get into all that, I’m going to ask each of you to kind of tell people what you guys do because it can be a little bit different in government. You guys have been in a couple of different places. I’m going to start on my far side. That is Gayle Guilford. She is the CISO or CESO? Which is correct? Put that in the next poll. CISO? We’re going with CISO? All right. I’m going to say Chief Information Security Officer, how’s that? Okay. Gayle is with the gorgeous city of Baltimore where we are residing right now. She is with the Baltimore City Government. Tell us what you do for a living.

>>Hi. I’m responsible for cybersecurity, e-discovery, some physical security, investigations, testifying in court, keeping an eye on employees who like to do things that aren’t supposed to be done on rare occasions, and keeping everybody as aware as possible because we all know it’s when, not if, you will have a cyberattack.

>>Biggest thing that keeps you up at night.

>>Biggest thing that keeps me up at night is the person who falls for phish and the third-party vendors that are totally out of my control.

>>Don’t mention the Target people, the agent where they got information [inaudible], right?

>>That is correct, yes.

>>Yeah, awesome. Next to Gayle is Stacy Dawn. Stacy is the Chief Information Security Officer at the Export-Import Bank of the United States. An organization that four people have heard of. What does the Export-Import Bank do and then what do you do there?

>>The Export-Import Bank gives loans to companies here in the United States that want to export products to other countries. And I am, I prefer CESO, sorry. But I’m the CESO there and the things that work — keep me up at night, we had talked about is we have a gap projected of 1.4 million cybersecurity professionals between now and 2020. And what we have to do with our youth and the people who want to enter that workforce to fill those gaps because our adversaries are at us 24 hours a day, seven days a week.

>>Doug in his, in the [Inaudible] survey data showed that kind of, do your executives get this and care about this? And he was kind of like so-so. Do — you’ve been in a bunch of different agencies.

>>Yes.

>>So I’m not just saying Import-Export Bank. Do folks in government get this? This is something that matters. This is important.

>>This is something that’s very important, very, very, very important. And I think that our senior leaders are starting to really get their eyes open. They’re coming to forums like this and we’re bringing ideas. Women on Capitol Hill is coming next week with DC Cyber Week. And so just getting the word out there, how important this is. They’ve stood up Cyber Command so I think that it’s taken a long time. It should have come sooner but I think that we’re really reaching that now.

>>Next to Stacy is Emery Csulak. Am I doing it right?

>>Csulak.

>>Csulak. That’s nowhere close to right. He’s the Chief Information Security Officer. We’ll do all this in one breath. Senior Official for Privacy in the Centers for Medicare and Medicaid Services which is of course, part of the Department of Health and Human Services. Tell us what you guys do and what keeps you up at night.

>>We basically protect the information for everybody on Medicare and Medicaid, healthcare.gov, CHIP and we have –

>>We have 17 people total.

>>You know, I’d say it’s anywhere for about 150 million beneficiaries across the United States right now. It’s actually a little bit more than that because we do both living and dead. So you know, there are a number of beneficiaries who may have passed away and we still have to protect that information as well.

>>Dead people don’t complain as much though.

>>Oh, but their relatives do.

>>Oh, yeah [laughter].

>>So biggest, biggest threat that you’re watching out there.

>>You know, we’re looking at the threats from the outside but I think we look at it a little different. We’re trying to figure out how we can reach our constituency and our beneficiaries in a stronger way. And what we like to look at is how are we building in innovation? How are we enabling innovation? So everybody wants to jump on a cloud bandwagon or a [inaudible] bandwagon. And you know, you can do that but you have to make, you know, conscientious decisions to deal with anything. You know, one of our biggest risks is managing expectations. You know, how do we engage with the public and make it easier for us to embrace new ideas and new technologies without endangering the beneficiary data that’s [inaudible].

>>Where we [inaudible], most of these people are students and they all want your job. But I want to be doing what you’re doing. How did you get here? What choices did you make? Talk a little bit about your path.

>>For me, I’ve been in IT for, oh, I don’t know, 25 years now. I actually — 25 years ago, I think I was teaching at UMUC.

>>That’s [inaudible].

>>Yes, actually. I was doing modem and telecommunications management for a large consulting group at the time.

>>For those kids out there, a modem used to be something that you would connect [laughter]. Go to the Smithsonian. You can still see it.

>>You know, but over time, I was a programmer. I was doing network, you know, development and teaching and then I started working in compliance and eventually worked up into operations as well. And you know, prior to CMS, I was the Deputy CISO for Homeland Security and different roles supporting the Department of Energy and everything before that. So kind of a diverse consulting and government role.

>>Gayle, how’d you get here?

>>Interesting path. In the ’70s, IBM in that time, the Bell System, the technology leader, were looking for artistic majors. Because you have to be able to think out of the box and see your own picture when you’re in technology. So I was scooped up and got some training in voice and data and I was very fortunate. They sent me to MIT. Then I went on to work for them. I worked for a consulting firm. And I learned business. And then I became the head of IT for Baltimore City Police Department which was a challenging job I did for eight years. And one thing I came out of there knowing is security. Because security for criminal data and witness data and victim data has been very strong for years. And guess what? You can be charged with certain crimes. You can be 95 years old, the law says you must maintain that criminal record for that person for 100 years. Even though you are 95 years old. So that’s where I learned about storage. I learned a lot about IT. You have to have a passion. You have to understand the business need, not just the technology need. You have to be able to speak English, not [inaudible] or cyberese or healthnese. You have to be able to speak English. And the path has always been about the arts part of me wanting to know why something does something and why something else does not. The human, I love people and we all know we step across the lines. So that was my path which is very interesting but there was no computer science when I came along.

>>Yeah.

>>So when I was going to school, it was before Al Gore invented the internet [laughter]. So I looked at what degree would get me — I was looking at becoming a manager. And computer science majors, I learned, were programmers sitting in a cube and I’m a people person. And I think a lot of your CISOs have to be a business person and a people person in addition to the technology. So I said, “Well, what would be a good fit?” And the best I could find back in the ’80s was Management Information Systems. But what I did was I took a lot of internships and jobs that worked somewhat with computers back then. And so I helped build my resume as a student to go into a career that dealt with computers. And then I entered civil service in ’97 and I did a rotation through different areas of IT. And one of those areas was information assurance which was the predecessor to what we call cybersecurity today. And information assurance was not sexy back then. It was all about compliance. And we had to tell you what to do. And you can’t do this and you can’t do that and stopping people from doing things. And so I tried to find with my business background, a way to keep things safe while being able to do the mission. And I built my career on being mission-focused, not cybersecurity-focused but what can we do with cybersecurity to make sure that the mission takes place. So I worked with the customers to make sure that their needs are met in the constraints of being safe online or protecting your data. Then we moved into now, you have to protect privacy data as well. So PII has become a big issue and globally, not just in the United States. And overseas, they’re even more strict on privacy data. So for some of those students that we have in the room, if you look at what needs to happen in the next few years, big, big, big market in privacy. So I got here by looking at where are those gaps, what can I do education-wise to fill those gaps? My bachelor’s degree is MIS and then I got a master’s in business and human resources management to take care of the people, to learn what the people need to do so that they can protect the information and help us. And that’s how I ended up here.

>>Emery and all of you, but I’m going to start with Emery, one of the hardest parts of this job feels like you spend your day telling people no, they can’t do this. No, they can’t do that. And these days, with these marvelous little devices, guess what? If you keep telling them no, they’ll just find a workaround. It was in the [inaudible] lot data. They just go through and all of a sudden, you have something connected to your network that you don’t know about.

>>That’s called shadow IT in a lot of places.

>>Yes, exactly. Hidden, the hidden stuff. How do you deal with, how do you not become the person that everyone says, “Oh, don’t talk to them because they’ll stop us from doing what we’re doing?”

>>Well, I mean, I think, you know — two pieces. The first piece is that you want to be seen as a partner in this process. You need to not be the office of no and you know, engaging with the conversation and coming up with inventive, innovative ways to address the risk is really important. But the second piece is to know that it’s coming. You know, you need to stay abreast of what’s coming. You know, it’s like, you know, what’s the latest in mobile technology? What’s the latest in cloud technology? What’s the latest in all of these fields because somebody is going to want to do it as part of their business is they’re trying to reinvent and modernize their business? They’re thinking of that. I got to be able to think about it so that I can get the right people in place, the right experience in place to be able to figure out. Okay, instead of saying no, let’s talk about how do we make this happen? And there’s a lot of things that you can do to kind of prepare yourself for it as well as prepare your staff for it.

>>How do you avoid being the CIS No?

>>One is soft and one is hard. Soft, build the partnerships with the various agencies within the city. Go around and talk about cyber and it will make bells go off in people’s heads. The hard part is get a solid relationship with legal, procurement and risk management. And don’t let any contracts come through even the elevator, even the electricity, no contracts go through without a cyber review and then steal from legal and say cyber sufficiency.

>>Yeah, right [laughter].

>>Therefore my liability is a little lower but it’s — the key is partnerships, a softness and then a hardness.

>>Let’s get them involved but before I do that, let me ask all three of you about mentorship because I’ve heard from people who get in these places, what mentors — how did you find mentors that help you become the people that you are? And also, what do you look for in people that you would take, be mentors to?

>>Okay, I was fortunate. My mentors, I found through my networking and connections. I also am a firm believer in partnerships like the Multi-State ISAC or even in Deloitte. When I worked with Deloitte, I really had the opportunity to get mentors because consulting is all about knowing a little bit about everything and a whole lot about nothing. And those relationships –

>>You tell people that you know a lot about everything.

>>No. The day you know everything, you’re six feet under.

>>Oh.

>>And but it’s important –

>>They’ll still have your records though. It’ll be fun [laughter].

>>But it’s the partnerships and taking the time to listen because if you listen, then the people would do the reverse and be willing to help you. If you come in like a bull in a china closet, you’re not going to have a network. But don’t be shy of conferences. Don’t be shy of going to schools and meeting people. That’s the only way you can get mentors.

>>That’s right. Don’t be shy about asking.

>>And don’t be shy about asking.

>>People are happy to help. Mentors, both being one and having one.

>>So finding mentors coming up in computers back in the ’80s was a little bit on the challenging side because there weren’t that many mentors in the field yet. And finding strong women in the cybersecurity field has always been a challenge. And so I like to pay it back by taking on students as mentees and I do a lot of STEM volunteer work. I am a member of AFCEA, the Armed Forces Communications Electronics Agency and AFFIRM. And I volunteer for these boards and working with students and bringing people up. So I think the biggest thing, like you said, is if you’re looking for a mentor, ask. And if you ask for advice, and the mentor gives you advice and you follow through on that, let the mentor know and say thank you. And pay it forward. Let the mentor know when you’ve taken on a mentee. Because as you go through your career, you’re going to be at different stages and you’re going to always want to have a mentor that’s above you where you want to be. And you want to have a mentee that’s coming in behind you. And you will be surprised as you go through your career how much you learn from your mentees as well as your mentors. So keep an open mind. Listen. Get out in the community. Do conferences. Do seminars, educational courses and volunteer. And you will, it brings so much to everybody, not just one person.

>>Emery, mentors, do you have one and how did you find this person and have you been one?

>>Yeah, I mean, I think — well, yes in both directions. You know, I don’t know. I think in the ’80s and the ’90s, you know, my background was originally in electrical engineering and obviously, computer science was a happening thing at the time. So finding like-minded individuals that you wanted to work with was really easy at the time to kind of engage in that conversation. And I think it continues to today. You know, while I had some great mentors that I worked with back then, you know, it’s still a matter of, you know, where you’re making those connections today and I’ve helped a number of people and it’s about making sure that, you know, why are you in this field? Are you in this field because you have a passion? If you have a passion about it, talk about it. If you talk about it in the right forums, you’ll find like-minded individuals. I mean, I’ve been to every single BSides, DEFCON meeting in the DC area for the last five years. And there’s a lot of people who want to talk about, you know, what they’re doing, where they’re going with their career. I was down at Fredericksburg for DEFCON meeting a couple of weeks ago. And we had people who were, had absolutely no understanding and in fact, I was a little surprised that she was turning an unpatched machine on in the room to, you know, people who have 20, 30 years of experience. But it’s about finding your peers and finding, you know, those people who have the same passions and sharing those ideas.

>>Cross-check for something in the [inaudible]?

>>Yup, no. I ran my first business in the late ’80s and early ’90s. And when I was hiring people to build networks, well, there was nobody to hire. I had to find people who had some level of educational background that fit and had an attitude and an aptitude. And I had to train them. And the great thing as I tell you, a lot of years later, that the people who worked for me are now CISOs. I prefer CISO, but CESO sounds better. It sounds a little more esoteric. They’re CTOs and CIOs and there’s a Facebook group from my old company and it’s kind of cool to see these people. I get a lot of satisfaction out of that seeing where they have gone and how much they’ve had an impact in their careers.

>>Was it one of the Facebook groups that got hacked? No [laughter]. All right, questions. I know that no one likes to ask the first question so we bypass the first question. You’ll ask the second question. And we should be done with it. Otherwise, I’m going to come and call on somebody so thank you. I have not tried all of this.

>>Okay.

>>Anyway, I might have something to do with this.

>>Absolutely, thank you. So thank you all for being here. I appreciate the information and knowledge from the panel. One of the questions –

>>[Inaudible] that one.

>>Oh, I’m sorry. I’m Dr. Amelia Estwick. I’m the Director for National Cybersecurity Institute at Excelsior College.

>>Oh, that’s a long title as well.

>>Yeah, it is [laughter]. So the question is, is that I find a lot that we are an online university. We have with adult learners just like UMUC. And we have folks with a tremendous background that want to go into kind of a career pathway mid-careers and they possibly can do the CISO or CESO work. But the problem is, is finding those organizations who are willing to take a chance with someone sometimes out of their, you know, their organization. Because normally, I find these roles to be kind of someone they groomed from kind of within sometimes, number one. And number two also, the report — it’s two things. So how does someone get in from the mid-career aspect? That’s one question. The second question is there is a battle, I hear, in the [inaudible] about who CISOs or CESOs report to. So there’s always this big argument about you want to make sure if you go into a role that you have direct, you know, relationship with the CEO. Or there’s some that say, “Well, you’re reporting to the CIO who then reports to the CEO.” So that’s kind of — so there’s two questions. They’re kind of different in aspect.

>>Doug, I may have you start actually on the question about who reports to whom. Does this matter and where you, what have you seen out there?

>>Yeah, it most definitely matters somehow. I’m not talking about the [Inaudible] study. There’s a bunch of other states we’re involved in without naming things. But one of the discussions that I’ve been involved in relates to something called the data protection officer. So if anybody here is familiar with the European Data Protection Regulation called GDPR? If you’re not, you will, you should be. You have rights. As a data subject, you have a right to privacy. You have a right to your information not being spread where you don’t want it to be.

>>It just feels — data subject feels so wholesome, doesn’t it?

>>Yeah [laughter].

>>It’s delightful.

>>Right, but the truth of the matter is that it’s a very important concept that you are a data subject. The minute you sign up for anything anywhere electronically, you’re a data subject and you should have rights. So this concept of data protection officer is very important. And it is supposed to report to the Board or the CEO. This is a kind of an ombudsman to respect and advocate for the rights of the people whose data is being supplied to the company. And that person should be independent, has to be independent. If they report to somebody who has another agenda, there’s something missing. It’s not working. This concept that GDPR advocates for is called data privacy by design. This person’s job is to think about the business process of collecting and using and eventually destroying private information. That has to be an independent position, in my opinion. I don’t see how it works otherwise. And a lot of the GDPR law makes it very clear that it’s got –

>>It’s just like everyone’s eventually going to be reporting to the CEO, for goodness sakes. I mean, every single part of the organization. Where do you report?

>>I report to the CIO. I can honestly say –

>>All three of you report out through CIOs, right?

>>CIO.

>>Yeah.

>>I can honestly say to you that almost 40% of what I do, the CIO does not know about because I’m reporting to the Office of the Inspector General as well because when you get to that point that what’s legal and what’s illegal, then you kind of shift from the CIO to the Office of Inspector General. Now as they more define in the future the role of the Cybersecurity InfoSec Team, you might see some changes. And then your other question was how do you get in? Yeah –

>>How do you get a job and they say you can’t get a job until you have a job and you can’t have the job until you get the job. It’s this circle.

>>It’s so important to be members of organizations where you can learn but more importantly, you meet people and that the mentor but also the companies represented. You’d be amazed how many — I’ll be honest. I have spoken in another panel and when we had an issue in Baltimore City, me and my staff, we were really cracking up because two weeks after I got through all of the voicemails, 10 of them were people saying, “Oh, I know Baltimore is going to fire you. Just wanted you to know, you can start here in Philadelphia. You can start here in Denver.” I mean, literally, I had –

>>That’s so sweet.

>>Sure, it was sweet but it was the result of attending structures like this and not being afraid to talk to people. You know, you won’t make it as a CISO if you’re afraid to just go up and talk to people.

>>So I’ve been in civil service a long time and they changed the federal hiring process where all of the jobs are posted on USA Jobs. And a lot of people outside of government think that it’s a black hole. And I don’t believe that. It’s not. As a hiring manager –

>>We’re not going to put her on a lie detector test, let’s just say.

>>As a hiring manager, I have never preselected. I did over probably 40, 45 hiring actions in my career so far. And some of the positions are open to only gov but if you look, there are so many deficits in cybersecurity right now. There are positions open to the public. So get your application in and follow up with the point of contact that’s on the job application.

>>The problem with that is a lot of these people haven’t had their first — so it’s that cycle that you get and you can’t get that. Once you have the job then you get into a place where okay, you can get your next one. But it’s getting that first one, getting in the door.

>>And that’s why it’s so important to do internships, volunteer work that you can get those contacts. Go to the conferences. Go to meetings. Spend the time and invest in yourself.

>>So are the internships posted on USA Jobs too?

>>Yes.

>>Okay.

>>For the federal government. I don’t know outside of federal because I’ve only been federal.

>>How can somebody, they want to be your employee. How do they do that?

>>One is definitely an opportunity for internships. We, you know, I think what we see, what I see a lot is you know, after working at DHS and CMS, I’ve seen thousands and thousands of resumes of people who have an academic background. But what I’m looking for is somebody who has some practical experience and one is through internships. You know, you can apply at any time to the federal government. We’re always looking for interns as well. The other approach that we’re trying this year is cognitive apprenticeships. So cognitive apprenticeships are where we bring in candidates who are high-performing candidates who may have a little bit of technical background but a strong interest. And this year, we’re actually piloting the program with a series of veterans where we bring them in and they go through a challenge-based learning experience where they try capture-the-flag and learning experiences. Then we put them on the floor. They apply that knowledge directly. So you know, one of the things that we see is a lot of people come with a lot of academic understanding but they lack complete confidence in being able to apply it. So in addition to internships, we like this apprenticeship model that we’re piloting this year to see can we bring people on? Can they learn it? Can they go back to the training? Can they reapply it? And you know, come up with new and innovative ways to kind of get you over that hurdle of building experience.

>>Let me get [inaudible]. Hi, who are you?

>>Hi, my name is Jelly. So I just wanted to know as a CISO, do you have a big say-so when it comes to the cyber budget? So a good example is role-based training because we always complain that we don’t have enough skilled resources but role-based training is one of the big ones. So do you have a say-so into that?

>>I can honestly say the first three years I was a CISO, the budget was 0.00. I don’t think you can get any bigger than that.

>>Yeah.

>>You have to be creative which is why I feel that thinking outside of the box is so important. And you have to be fortunate to have staff that have passion, patience and creativity as well. And then you have to become, they call me bag lady because I literally went to every conference that Director Dr. Phyllis spoke, who used to be in charge of Homeland Security. I went there. Everything that was free, I got in her face and asking for what she does for the feds to do for little Baltimore City. It took me about eight months. I got more than I ever imagined.

>>Go fast because I want to get one more question in before we wrap up.

>>Not enough in the budget because our budgets are pretty flat right now. And if you think about a flat budget, you still had increasing cost in your maintenance fees so it’s really a decrease even if your budget is the same for the next year.

>>Your budget’s [inaudible].

>>I’ve had my budget doubled every year for four years.

>>Whoa.

>>So there’s the guy you want to [inaudible].

>>Are they hiring [laughter]?

>>Well, I’ll [inaudible] their organization.

>>Exactly. It’s all those dead people that you’re watching. Get these young people and people who are choosing second careers and students, give them a piece of advice.

>>I think, you know, really as we said earlier, go out and network because that’s where you’re going to make the connections. That’s where you’re going to make the opportunities. My deputy is now the CISO for Small Business Administration. You know, my staff from DHS are in most of the major agencies across the federal government. It’s about who you made, the connections that you make and leveraging these experiences like these events here.

>>When also, if you can’t hire, what’s a good organization like SBA doing all sorts of amazing stuff right now, right? And who are the interesting people and so, use — talk to these. You’re smart people so offer advice.

>>Combination of formal education and certification so that when you do apply for jobs with your internships and background, we know you had at least some base of knowledge coming in, and show your initiative and follow up. Simple piece of advice. Internships, residence, anywhere you go, remember what you have to sacrifice to get in. Just because you have a college degree or just because you had 20 years’ experience on a firewall does not mean you can walk in the door and be a cybersecurity professional or a CISO. You have to — I want to say almost be humble but that’s not really the word I would like. But you have to understand your worth but understand that you will always only be one link in a chain that forms the team of cybersecurity.

>>I’m going to do moderator’s privilege and offer you one tip. Care about learning. Learning doesn’t stop and you’re already learning it so much. So thank you. Please join me in thanking them. Awesome job. [ Applause ]
