2018 Cyber Maryland Education Track, Career Pathways


>>So, we’re going to; I think, we’re talking about career pathways now, right, so let’s kind of continue what we talked about just now. Say, if you were to look at the study, you’d see as I said when I introduced it, that there’s a tremendous amount of stress in being a chief information security officer. And I’m not going to reiterate what it says in the study, you can read it if you’re interested, but I want to make a more positive statement about it. Some of the CISOs that I know are among the most influential people in their company. They have a tough job. If something goes wrong, they’re very publicly called out. But at the same time, they are a partner in every new initiative. So, I think it’s a very exciting place to be, a very exciting field to be in. It’s a very exciting time to be in this field. So, with that can we move onto our panel?

>>Yes, thank you. Welcome all. Welcome. So, we’re going to just kind of continue on the theme that we started with before. And if each of you could talk about how you became a CISO, or how you ended up in the cyber security field, what was your career pathway to get to where you are now.

>>Sure, I’m Paul Cunningham. I’m the Chief Information Security Officer for the Department of Energy. So, I think 2006, I was a helicopter pilot in the Navy. So, you kind of think, you know, in 12 years how does somebody go from just flying a helicopter to being CISO, hopefully I can kind of cover some of that uniqueness that made the difference. And really, it goes into the years of experience you get before you’re even kind of considering this executive level type work. You know, I was an admin officer. I wrote policy in the Navy. At one point I was even the analysis officer, so I had to work with the legal guys to make sure that the chain of custody was being taken care of. All that stuff applies into it. But one of the major things was actually flying, where I had to do risk management, and I taught risk management for the Navy. Crew resource management, how to communicate better in the cockpit. And then, also to do mishap investigations, which was obviously helpful, and we had our own mishap, in cyber to be able to unwind and be able to get the factual, you know, like the critical information to the senior leaders when they needed it. So, you know fast forward again, so 2006, I get out of the Navy, I start working as a cyber security analyst, because, fortunately in the Navy, they like to make you work. When you’re not flying, you’ve got to do something right? So, I spent a lot of time on cyber security, or IT work as well. Was IT director for a bit and had about 3000 users that I had to manage in that group. So, along the way I picked up my CISSP and Ethical Hacker, my certificates along the way, which was helpful. So, I made that transition out. I can actually do some cyber security analyst work. I’ve got to tell you, the first job was not that great, it was just looking at certification, accreditation paperwork. And we were really slow at doing it. And I found a way to do it quicker, using tools that were readily available to us. And take scan results and put them into Excel and dump them in Access and dump them back again to be able to get these reports quicker. And all of the sudden, hey, that initiative was recognized. And next thing you know I was working; again, I was a contractor, so I started working as the division manager in my company, where I had learned budgets. And I spent more time talking about budgets and contracts, and all the stuff that had nothing to do with cyber security. But again, it became another tool in that toolbox for me to wheel out. And when the time came, I said, hey, I want to be a CISO, I talked to CISOs. I know I’ve got that capability. I like to lead, I like to make those decisions. I came back to the federal service with the intent that I want to become a CISO. And so, that’s how I did it. So, in 2010, I took another, not a CISO job, I took a branch director job, writing policy in exception to labor. It’s the most unexciting part about cyber security. But that got me in, right. That got me in where I could start talking to people. And I got to work with the SOCs a lot closer and the next thing you know I’m running the SOC, that was part of my portfolio and then someone.

>>Well do you want to explain to people what a SOC is, just in case not everybody knows it already?

>>So, in the IT you have your network operation centers that put the boxes on the desk, get them set up, make sure users can get in and access the places they need to go. The Security Operations Center works very closely with the Network Operations Center, looking for those sort of anomalies or signatures that might indicate that there’s a compromise going on and then help mediate when an attack occurs. So, that’s the Security Operational Center. One thing that was pointed out
earlier was people kind of fleet up; people leave the federal space, and they go into corporate. Or, they’re in corporate and they go to another company. The trick is to kind of get into that network and get into that slipstream in a way that when the opportunity comes, you’re going to have the skills, the resources. You’ve written papers, you’ve written opinions, you’ve argued points successfully and unsuccessfully, which is just as important too, and how well you handle that. So, that way when you’re ready and you get that opportunity to apply, you’ll have something really concrete to differentiate yourself from the other candidate and be that right person for that right job. So, that’s pretty much how it happened to me, I went to the Department of Energy from ISO as branch officer, there was an opportunity for me to be a deputy CISO for Department of Energy. Within eight months of getting there, the CISO, I’ve got a great job on the outside, and guess who was acting? Right, and that just starts you know putting your slipstream and then you’re in, there right? And now you’re acting, and now you’re applying for CISO jobs. Or, you’re going on details to do exciting work, high profile work. I was the executive director for healthcare.gov. By the way, no one in their right mind was going to take that healthcare.gov job. But I get a phone call from assistant secretary from another organization that said, hey I want you to come over and help us. And it’s kind of hard to say no at that, but now I’ve got you know, a little card in my pocket, right? So, if I need some help, I know I can call a couple people. And that network is really important. You get a reputation out there, you get your name out there, that critical thinking, that willing to go out on a limb a little bit in saying, hey we’re doing it this way, but you can do it maybe a little bit smarter, a little bit cheaper, a little bit better, preferably a combination thereof. And then you’ll make a name for yourself and doors will magically open for you. So, probably a little long-winded, I used up all of his time.

>>Can I just ask one question?

>>Oh, absolutely.

>>I don’t know if anybody else would like to know this, but is it more exciting being a CISO or a helicopter pilot?

>>They both have their challenges. One of the jobs in the Navy I was a flight instructor and I said that’s hours of boredom being broken up by moments of sheer terror as the student is trying to kill you. But I think that’s the way cyber security is, right? I mean the best you can do is break even, you make sure nothing bad happens and then when something bad happens, everybody is you know, ringing your phone, and knocking on your door. And you’ve got to be there, you’ve got to be there with an idea of thought, strategy to kind of move forward in a very logical way, because that’s what you’re paid to go do.

>>Yeah, Dr. Nobels [assumed spelling]?

>>Well, my career’s a little different, I consider myself to be a cyber security researcher. I actually work for a Fortune 50 company as the lead for identity access management. Most along the lines of pro-bit access management. So, I’m one of the team members that actually come in and say, no you can’t have access to something. But it’s really based on risk. We just don’t say no just to say no. So, but my career started at a large agency, about 15 miles south of here, can’t miss it if you take the BWI Parkway, there’s some large buildings over there with a lot of security around it, stay out of there. But that’s where my career started, in the basement over there. It was started before it was called cyber. Back then, we used to call it computer network operations, Joe, you know. Computer network attack, computer network defense. So, I grew up in those days as a Navy cryptologic officer. I spent a lot of time doing cryptologic work, different types of cryptologic elements for the different agencies up in the DC area. Working with different agencies up there. And so, I grew up in that element. So, it was very normal for me to make that natural transition. Typically, as a cryptologic officer, you either stay with the signals intelligence side, or you go with the cyber side. So, I went with the cyber side, and that’s where I really felt, where I really resonated, where I really enjoyed. And today, I consider myself to be a cyber security researcher. I happen to be a cyber security policy fellow for a think tank down in DC. So, I spent a lot of time developing relationships. This morning, I was on the phone with a CIO and a CISO for about 45 minutes, actually on my drive up here. Because they ran into a problem and they called me and asked me for some assistance, because they know that I do a lot of research on the side. So, you don’t necessarily have to go out and sit in the hot seat. Because this is a hot seat. I’ll tell you that right now. That’s one of the things that I’m contemplating. Is it worth the move to be here, or can
I work the angle that I’m working now, as a cyber security professional and as a researcher, and be just as successful? And so, some people take different routes. I will tell you right now if I go and ask my CISO, about being a CISO, he would tell me to run the other direction. Because it’s a challenging job. I mean, it’s a huge transition going from being a technical SME, to being a business executive. Because that’s one of the things that we need to understand. As a CISO, you’re not a technical executive. You’re a business executive. Your job is to address risk, change management, profit or national security issues, depends on what’s the nature of your business. You just happen to be very technical because you spent a lot of time. It takes 15 to 20 years to make CISO. That’s a long time in the making. And if you don’t have that underpinning, you know to be very knowledgeable on the systems and the background of information security and cyber security, it shows. We’re seeing it in several high profile cases, I don’t want to name them, but we’ve seen where the CISO was not really qualified to be there. We need to take these jobs very, very seriously. And so, for your large organizations, we have more, there’s one CISO, but what we call business life information system officer. There are men and women who serve in smaller capacities as like the CISO. They have the same level of responsibility, but they report up to the Chief Information Security Officer. And these are great learning platforms and positions to be in, so you can actually learn the role. A lot of people serve in these roles and they run in the opposite direction because they see it’s extremely challenging. So, my takeaway from this is you know you can be; there’s so many jobs in this community, CISO just happens to be one, CIO just happens to be another. CSO is another one, Chief Technological Officer is another one. There’s so many jobs in this field, you know just work toward them. But I tell you learn the foundations. Learn the foundations of just being the information security officer. And you just learn the foundations of being cyber security. And you will find yourself, you will promote to different positions. There’s so many positions out there, we can’t even name them all. So.

>>Thank you. The next question. Earlier, someone mentioned the Target breach. I view the Target breach as the one that really woke up the country and the world. CEOs started to pay attention. Government officials started to really pay attention beyond lip service. How do you maintain a job as a CISO when you look at the potential risk within the environment for an attack, or some kind of incident, or some kind of vulnerability to really have an impact on your business environment? How do you manage that as a CISO?

>>Well, I think the first thing is trust. A CISO again, spends a lot of their time with the other chief executives and with the other, well, even with the board of directors, spend a lot of time doing that type of work. So, they have to entrust the team to do their responsibility. I tell you, we talk about the Target breach, I don’t think the Target breach is the most egregious breach. I think the most egregious breach is the Yahoo breach, because that’s when the leadership there absolutely failed. They knew about it, they didn’t do anything about it. And so, working with my CISO I can tell you that he spends a lot of time in meetings. So, a lot of times I’m looking at his calendar trying to find a way to get in with him, and I can’t. I might go two weeks before I’m able to get in with him. So, I’m entrusted to make those decisions. I base those decisions on my training. I make those decisions based on the risk management profile for the organization. And I make those decisions based on the threat. So, I take all those things in and we make decisions. I’ll give you a story here, I just started working with this company that I work for last, today was a year ago that I started with this company. Everybody was on leave during Christmas, except for me, I’m the new guy, right? We needed a policy signed. Guess who signed that policy. I signed that policy on December the 18th, my boss came in on January the 15th, and he said, who signed that policy? I said I did. And you know what? He looked at me and he said, you know what, congratulations. That’s exactly what I wanted you to do. I had to get that policy pushed through because we were holding up other projects. And that’s him entrusting me, even though I was the new guy, I was able to take all of it in and just look at the situation from a risk management aspect and make a decision. And that’s exactly what I did. I based the policy on risk management. And so, that’s what it’s really about. It’s really about how well you’re approaching the problem and how well you are able to stay on course. And how well you’re able to represent that. Because the board of directors, CEO everybody, they know how much money that they invest in the cyber security, it’s our responsibility to use that money wisely. Over the course of time, you need to show that your program, your cyber security program is actually maturing. If you can’t show that your program is maturing, that’s when the seat gets even hotter. And so, they can’t keep investing millions and millions of dollars every year into a cyber security program where there’s no return on an investment, or no return on risk mitigation. We have to be able to show that. And so, that’s how we take a lot of pressure, not only off our CISO, but off our CEO and everybody else, is that we show the difference, we’re able to show the board of directors what we’re doing. We’re able to show how we’re mitigating the risk, and we’re able to present back to them the metrics that show that our cyber security program is strengthening. But again, it’s a never-ending fight. It’s always something going on. Where you might be totally compliant today, tomorrow you might not be compliant. But that’s okay, you roll up your sleeves and you start mitigating the reason why you’re not compliant today. And that’s how you win in cyber security.

>>Paul?

>>I always joke around about I’m only 35,
so I’m either a CISO or a crack addict. So, but you know it’s a hard job. It’s a hard job being a CISO. You have to trust yourself, you have to trust your team and you have to trust your leadership as you mentioned. And that’s where it really gets into are you really doing compliance, are you really just checking boxes and running down things that are not in compliance just to go back and run the whole trap again, but for me I found it very successful to really base everything into the risk management and risk principles. And that sometimes means training people that think they’re very good at risk management into using sound risk management principles. And when they are above your pay grade that’s even more tricky. So, you’ve got to kind of know your audience and how to work with them a little bit. For me I look at it this way, my boss is the chief information officer who reports to the secretary. And so, you know everybody knows Secretary Perry, or most people do. So, you know when you start thinking about it that way, what I write down and give to my boss may be in the paper or may be in “Talking Points.” And they have to be what I call complete with staff work. They have to be really thought out, not a voluminous thought piece, but sometimes it just might be bullet points that the deputy secretary has to read in five minutes to go in front of a camera and speak about as if they’re very well-versed. And they’re very intelligent people. But you’ve got to know what to say and how to say it and understand that environment. And so, it’s really kind of the trust that you talked about. And really, it’s about showing due diligence. Because you’re never going to; if you can show that you’re doing due diligence, I mean yes, people are going to be mad if there’s a breach and data was lost. Actually I really liked the Target breach because right before that and a lot of people don’t know that because that was right around the 13th, the Department of Energy had a major breach, and it was 104,000, it wasn’t millions. So, the fact that it was so many people, we kind of fell back underneath the radar a little bit. But I’ve got to tell you we spent a good seven months every day; Saturday, Sunday, holidays. On phone calls, 8:30 tag up calls. What are we doing today to find every one of those 104 people to make sure that they were alerted, they were notified, and remediation actions were being put in place, on top of trying to patch the holes and get into a stronger structure? So, you know, CISO is great. But it’s a lot of work, it’s a lot of you know working your teams, and you’ve got your teams that are in there and if something bad happens, they’ve got to believe in you in a way that they’re going to come and bring their A-game for 7 months straight being able to call and; you know, granted they were taking days off and we were running shift team work. But man, that is hard. And by the way you are not going to win this. You already lost the data, right, you’re just trying to put the lid back on. You’re just trying to get the frogs back in the boiling pot. And you know that’s the tough part. So, again, I go back. If you’re doing that, if you’re working with your teams, working with your leadership and when the breach happens, they have the confidence when you tell them that you know we’re doing everything possible, and they believe you; you’re probably going to work your way through it, if they have no confidence in you and you have a breach, you need to probably start polishing up the resume, you know, because you’re not going to be there very long.

>>Thank you both. Excellent answers. Next question. Is the CISO the pinnacle of the career, or is there something after being a CISO? What’s next for a CISO?

>>You know, I think I look at it, I think from a cyber security perspective, it is pretty much getting there. I mean you can move to other organizations. You know, Department of Energy, we call ourselves the 14th largest cabinet level. So, I could move up the pecking order, or you know, try to work at another federal job. Or, I could move into the commercial world and work into you know the Fortune 500, Fortune 100, so kind of work my way up. And then I think most CISOs I talk to kind of get to a point where they’re either advising, consulting. Because they’ve been there, they’ve been in the first, they’ve seen those tough moments and they want to give back to the community. And those people at the first time; it’s interesting, I think I mentioned that the CISO left and I was the deputy CISO, became acting CISO, six days later we had that breach I just talked about. So, talk about trial by fire. And if it wasn’t for someone that was kind of help set the pace and making sure that we’re all on track and having that team available it probably wouldn’t have gone as well. I mean it was as can be expected when you lose something like that. And that’s how we measured our success is how do we do that. So, I think for someone who wants to be a CISO, I mean it’s usually as you mentioned, you know, you’ve got a 15-year onramp. You’ve got some timing issues you kind of need to be in place. You’ve got to go out and experiment a little bit, get some branding out there and then when it hits, then you kind of hold on. You ride. Looking for those little nuances, little nuggets. Because there’s no road map. And then, you’ll find that right thing that’s for you that will go. I know some CISOs that when they hung their hat up, that was it. They don’t do anything. I don’t even think they have a computer anymore, they’re so scared about cyber security. And they’re like, I can finally sleep, I’m not going to have a computer in the house. But I think there’s a lot more to it out there. I think it’s kind of, you get in that level and you can start seeing the next hill, then you’ll know it’s the right hill for you to go to.

>>Now, before we go to the audience, I
want to ask one more question to Dr. Nobels. What role does education play in becoming, or the pathway to becoming a CISO, and while you’re actually a CISO, what’s the important role of education?

>>I’d say education is very key. I know especially at the doctoral level what it does, it gives you the ability to go out and research things and bring those things back to an organization. I don’t know how many times throughout the week I go out and research something and I bring it back. And because I’m able to do that, my team actually expects that of me, of doing that now. One of the things that I really like to research, that we really have been incorporating into our organization is human factors. There’s not a whole lot of people that really understand human factors in cyber security. You know, I tell people all the time we invest millions of dollars in security and awareness training, but we don’t really take a look at you know, really what’s going on cognitively, psychologically with the end-users, or even with the people that are running our cyber security operations. And one of the things that I like to do to people is ask them, how complex are your security operations? Can you quantify how complex your security operations are?

>>Very complex. Is that quantifiable?

>>Right, but if I ask him as a heli-pilot, what are your critical phases of flight?

>>Oh, yeah, I can break those out in three or four.

>>See, what I’m saying here? We haven’t done due diligence in understanding that and breaking that down and leveraging those things from other technical fields. And so, that’s one of the things that I like doing is going out and borrowing things from other technical fields and bringing them back to cyber security and making use of those things in our organization. It plays a huge role. You know you don’t really actually necessarily need a doctorate degree. I know people that don’t have any degree, who are very savvy and going out researching and bringing things back. You just have to have that passion, you know that affinity for wanting to find out what’s next and what’s right. And that’s exactly what we need. And to be honest with you, I’ve hired people who don’t have any education, but you know what they had, they had heart and the affinity for it, we will educate you later. A lot of companies will do that. They will send you to school to get the undergraduate degree, to get the graduate degree, to get the certificates. But what we can’t find on a daily basis are those that have the heart and the passion to do the work, because the type of work that we’re doing, I’m sure most of you see it not enough, it’s not like the work we see on TV, where you got all the code moving real fast, you got everything looking real glamorous, it’s not that. It’s totally 180 of that. And so having someone who wants to be educated, wants to be a continuing one, that is so important to cyber security.

>>Thank you, I think you addressed that first item on the study, talked about finding competent workers, the inability to find enough of them. We’re going to go to the audience at this point. If you have a question, please just raise your hand and I’ll come to you. Are there any questions from the audience? Go ahead, Doug.

>>I want to ask a question. What role do communication skills play in this field?

>>I would say if you list the top three things I need, it’s communication. I need teams that can sit and take ideas. I’ve got plenty of people who will come in and admire the problem, but I ask them write me a paper, or more importantly, write me a one-pager and it will take them three weeks. Because it’s, well if I only have one page to write, what do you put down? And I think it was Cicero that said sorry for the long letter, I didn’t have much time; enough time to write it shorter, or something along that line, I’m paraphrasing. And it’s absolutely true. I mean it’s what’s that critical piece of knowledge that needs to be down, so the next person can take it and do the next leg of work, and that’s integrated with the other priorities and policies and the other things that they have going on. So, I certainly do not think that Secretary Perry reads every piece of paper I write, I certainly know he doesn’t, nor should he. He’s got plenty of other things to be worried about in the Department of Energy. My job is to take cyber security and take that worry, or at least lessen that worry. And so, I need my team to be able to write like this is what it means to you when you see this. You know, our number went from, you know, 50 to 65. Okay, in context what does that really mean? And what should we; when should we start worrying type thing. So, communication and being able to get up and talk to people is very important. There’s times where I’m not going to be able to address the, we have a cyber council made up of under-secretaries, very senior level people. And I need to have my team have the confidence that they can give a presentation and hit those key points that are imperative in that 15 minutes of speaking that they’re going to take away what I want them to take away.

>>I’m just going to relate something that
I remember from my undergraduate degree, which as I said, if you were listening, I graduated 32 years ago from Columbia, and I have a degree in computer science, so I’m a programmer by training. The best thing I ever learned was what is a perfect sentence? And I ask people. I ask my kids, I ask friends’ kids. Do you know what a perfect sentence is? Nobody has a clue. It’s a sentence where you cannot remove a word without changing the meaning of the sentence. It’s a very important concept in writing code that you want less. But more importantly communicating with people. If you can take a word out without changing the meaning of the sentence, the sentence was too long. A very important concept, I think.

>>No. I agree with you, I’m going to piggyback on that for just one more point on that. You know we’re writing policy and I talk to folks and I say, it’s just simple English exercises. I wasn’t a big English guy growing up, but hey, what’s that first paragraph, does it tell you what the rest of the paper is about, right? And I tell them that each paragraph has another idea that’s important to that initial idea. And that first sentence matters, right? Because I found because I worked with some people that didn’t have a lot of time but read a lot that they pretty much read that first sentence, and if they agree with it enough, they won’t read the rest of that paragraph, right, they jump down to the next one. And that’s how they get through it very quick. So, technical folks write opposite, right? We write, and we talked about it when we did this, and we tried this, and this is what we discovered. And at the very end, here’s the ah-ha moment, right, that’s how we write. And so changing my writing style was critical. I mean I wouldn’t be here if I didn’t, and in teaching my team to be able to write that way too. It’s like look, just one sentence, what’s important? One sentence and then give me the information that supports that one sentence. And you’d be surprised. I mean you know if you take the time and talk to the technical folks and explain why that matters, then you’ll start seeing them pick up the speed and write a lot better, you know, at least from my perspective, where I deal with a lot of executives.

>>Hi.

>>Let me add just real quick, communication is key because a lot of times, communication must go up and communication must go down. A lot of times the operators and the analysts that are key handle keyboarders that are operating on technology, they see things that we don’t see in a management position on a daily basis. We must give them latitude to report that back to us and we must be able to react to them, what they’re telling us. A lot of times if you shut off those people from reporting back to you, you’re missing key things that will put the organization at risk.

>>Well, thank you very much for your input and giving us, you know, your experiences as a CISO and as a consultant. So, my question is, so I’ve been in the information security industry, I’ve been doing it for 18 years. And I’m more on the compliance, auditing, assessments policy, all that good stuff. Now, as a subject matter expert, it literally takes me about 8 months to a year to prove that I have the knowledge, the skills, the work that I’m delivering is you know, what’s going to be good for our company, etcetera, etcetera. So, as a CISO, my question is when you started your respective roles, did you feel that you kind of have to prove yourself in order to now gain the respect of the person that you direct to; whether it’s the what is it, the CIO, the CEO, etcetera, etcetera.

>>For me, I think it’s interesting, I think at the federal level when you get the CISO or deputy CISO, you’ve pretty much already done your brand. And I know a lot of CISOs who we were just talking, we were talking with Emery and I worked with Emery before, and Emery and I are probably opposites in a lot of ways, but we’re both very, very passionate about cyber security and we play you know those strengths on off. But our brands were already defined before we were deputy CISOs. Because we were out there, we were writing papers and we were volunteering to do things inside the federal space. Working on working groups and bringing ideas. Not just sitting there waiting for somebody to go what should we do, and then someone says, well this and then I just kind of saddle up in there. A lot of cases, I stepped up and I don’t know if you remember the high-valued asset, the OMB sprint after the OPM incident. If you’re in the federal government, they had six sprints and they wanted to do something immediate. And of course, OMB doesn’t have a lot of people, especially technical background, so they’re going to canvas and they’re going to scrape people from the federal agencies, and you have to now work for OMB for a short period of time. Sometimes doing your other job at the same time. And of course, no one wants to do that, right, that’s just more work. You’re not going to get paid anymore. You don’t get paid overtime in the government. So, now you’re in this high risk, high tempo, high profile exercise. And I remember my boss, he says to me, he says, Paul, I know this is probably a ready firing exercise, something along those lines, he’s no longer there by the way, so I can probably talk a little bit outspoken. But what I want you to do is I want you know the Department of Energy really needs to back the administration and OMB on this, and I want you to do everything to help out, right? So, you know the Uber ride over I’m thinking, okay I’m going to have to do something really crazy. And I said to myself, first thing that they ask for a volunteer for, I’m not only going to volunteer for it, but I’m going to lead it. I didn’t even know what it was going to be, right? And so that’s what my boss wants me to do so, I want to be able to say the Department of Energy was the first one to step up and back OMB’s plight. Because that was important to my boss, right? It interests my boss, it fascinates me, so there it is. And so, that’s exactly what I did, and it was the high valued assets. And I don’t know, people talk about the high valued assets, you can blame me or thank me, I don’t know. But what I did was I said, hey what are we going to do? We’ve got to now assess all of our assets and figure out which ones are the most critical of critical? What’s the crown jewels. And the only way we can do it is there’s not like a one big ruler. I said, well let’s go back and let’s do operational risk management, like we did in the Navy, right back to what I did before. And what are those key flags that might indicate that this thing might be really something we need to take like a unique database, does it have forward facing IPs, is it sensitive data, you know is it PII, is it health, is it financial? Which by the way when I worked
for CMS for a bit, I realized that not all PII is the same, right? Because people don’t want their personal
information out, but whatever you do, don’t want their health information out. But if you’re going to let that out,
don’t let their financial information out. And I always thought it was
the other way around. But apparently, the financial stuff
is more important to most people than their health, which I thought was odd. But anyway that was kind of the idea, how to
kind of breakout some critical characteristics, and then how to kind of quickly scale
them and decide whether we ought to look at this a little bit closer as high value
and add a little more security to it.>>Dr. Noble has that been your experience?>>The question; the follow up is to Dr.
Nobel’s has he had the same experience as Paul in terms of?>>So, again, earlier I said I consider
myself to be a cyber security research, so I’m always doing research on my
own, and I’m always presented research. And I like to do what we call applied research. That’s research that we can
use in the field right away. And so I go to a lot of conferences. As a matter of fact I be speaking Friday up
in Minneapolis, and I be speaking next week down in Atlanta with research of my own. And so, that’s how you build your platform and
your brand, you know as a researcher and again, that’s how my education comes into play. And that is how eventually I ended
up with a fellowship in a thinktank down in Washington, DC, so it’s important.>>Thank you.>>Is there another question in the audience? While you’re thinking about your
question, I have another question. There are always these discussion
about what cyber security is or is not. Is it about technology? Is it management and policy? Is it about processes? Where do you spend your time
as a cyber security expert? As a CISO? Where is your focus?>>I spend; I like to steal a page from
[inaudible] book, we talk about this when we have lunch sometimes
that we both believe that cyber security is a business strategy. I teach at the MBA program at UMUC. And I’ll tell you right now, we talk
about cyber security in my MBA program. And the reason I say that is because there’s
nothing like a business leader that’s coming up that doesn’t understand cyber security risk. The earlier I can expose them to understanding
that cyber security is a business strategy, they need to understand the risk,
they need to understand the technology that these organizations are bringing on. Because at the end of the day, it’s really
about people, technology and processes. And as a business leader you need to learn
how to drive those things and manage the risk, as well as be able to understand
the cyber security threat. So, to me cyber security threat and risk
is just another of the 11 types of threat, depending on which type of organization. I mean the 11 types of risk
depending on the organization. But it’s about managing people,
processes, and technology. Mostly people. I like to put my focus on the people. Because technology and processes are
developed by the people for the people.>>Thank you, Paul?>>Yeah, I think most time
spent is about risk management. I mean it comes down to everybody is a risk
practitioner, you decide what roads to take, are you going to run that yellow light, you
know you’re going to run a little bit faster, you’ve decided; you’ve made these decisions
whether you think about them or not. And for those who say, you know, well I don’t
make a decision until I have all the facts. Well, you just closed down a lot of options. What you really did was wait until
there was only one option left, right and then you took that one. Which is not, I call that risk avoidance. But so that’s the other thing is how
do I kind of communicate with risk? Because we all think we’re
great risk practitioners. But we all know that’s not true. We call can’t be the best one; I’m up here. No, I’m just joking. You know we all can’t be best. So, we are all good at different
ways of looking at risk. And now how do we kind of get that common view? And when I do that, you know sometimes I use
stories about flying, because I don’t want to talk about cyber security, because people
are kind of really entrenched in the position about you know this tool, or that tool. And I like to just kind of break it down and
do little pieces and parts and do a little bit of story telling about hey,
what are we trying to do here? And it’s not uncommon for me to, after you
know being in a meeting and everybody’s kind of arguing little ways I kind of say, look,
you know I’m not trying to solve world hunger. I’m just trying to pl ant a field of corn. I’m just trying to get through today and what’s
the most important thing we have to do today to kind of move the ball forward. And so, again, it goes back it’s about
communication, it’s about you know trying to get people all looking at the same thing. Or at least understand what the
same vision is so we can get there.>>Thank you very much, did you
want to add to that Dr. Nobels?>>Oh, no. I’m good.>>Hi, my question is about keeping current. As we all know cyber security is a larger
complex field, getting larger, getting complex. How do you keep current? What are your sources of information? How do you prioritize what you want
to focus your energy on in terms of learning new technologies, and techniques,
and policies, and how do you know when to see that responsibility to somebody
who works for you? In other words, have the people
who work for your who know more than you about a particular topic?>>Can you identify yourself please?>>Yes, I’m Alan Carswell [assumed spelling]. I’m formerly of the University
of Maryland University College. I’m now at CMCU University
where I’m department chair in information systems out
of the business school.>>Thank you, Dr. Carswell.>>For me, you know, before
we go and do these talks, we kind of get together we talk a little bit
about strategies what the questions are going to be because I know it all looks very
impromptu, but we practice, you know. We at least talk. And one of the things I talked about in
our discussions was about when I worked in a sub agency, I worked very closely
with the technical and I kind of look at it from a technical operational executive,
and then you can move people, process, technology if you kind of want to
do a chart and that’s really kind of interesting to see where vendors hand out. You know, very technical and technology
and very little people in process where we really need that
gap filled, but I digress. But the idea is that from
a technical perspective, if you have just raw data you can’t
do actual intelligence on that. You have to make it into information, then to
analysis and then have an actionable plan on it. And that’s the way I look at cyber security. We have technology, but you’ve got to make
it operational, and then the operational so what for the executive, right? So, that’s kind of my stack that I work through. When I work for sub agencies, when I worked
at ICE, I would say probably a good 40 to 60% of my time was in the technical, was probably
you know 30 to 40% in the operational. Maybe only a little bit 5
to 10 worried about writing, and because I knew somebody
else was in the stack, right. It’s going to be looked at by 15-20
people before it gets to the secretary, and it gets all rolled up, right just one
small wheel on the big cog of machine. And the higher you go though,
it gets flipped over. It’s been, probably only about
10-15, talking about technology. I tell people I don’t buy technology, I look for
capabilities that are going to move the needle, you know is going to be very
impactful, and that’s what I focus on. So, I don’t, you know. Cracks me up about this time that
everybody started naming the solutions -ums, like baryonium and Tanium. And I was like, you almost need
a nuclear physicist to come in and put these pieces together because
they sound so chemically oriented. But really, it’s about you know if I’m
spending more time in the operational, and really most time about the
executive, the strategic thinking. OMB puts out a new requirement, or the
president puts out a new executive order, how are we at the department
going to support that? Well, still doing what we’re doing. And we really don’t like these little pieces,
but we can’t necessarily go on record, so how do we show that we’re supportive
and how do we move the needle again? Where do we need to be in
the future to be responsive? So, to your question, I gave up the technical
stuff a long time ago, because they get paid, there’s people that get paid to do that. I used to be in that fight. My job is to kind of keep the trains on time,
to be the conductor, make sure the schedules are on time, not the engineer on the train. And if you try to be all of that,
you’re not going to get any sleep. You won’t be very successful. I will say, though it’s good to have an
understanding of what the engineer does, or you know what everybody does in the piece. So, you’re not going to be thrown
in right off the bat and be the CISO and you don’t have any experience in policy, and don’t have any experience
in technical solutions. It might be a little bit of hey, I was over
here, and I worked very technical looking at the bad guys from a very adversary
perspective, and I groomed my way to be CISO. And then there might be somebody who’s
a policy person, and you’re like well, they’re not in the playing
sphere, they’re in the back. They’re you know they’re like the supply
folks, you know we don’t care about them. But they’re very critical right? And they help us move the
marker back to the center. So, along the way, as you are kind of
going up the pipe of cyber security, every time you get a chance to do something,
especially something you haven’t done before, maybe you know right outside the comfort zone,
take that opportunity, or at least piggyback with somebody to learn a little bit more so you
can understand it when you get up to that point.>>Thank you, we have about three minutes
left before I ask my last question. I think we have a question in the back.>>I mean, I’m Dr. Hollers [assumed
spelling] I’m also a professor at UMUC teaching cyber security. This is for Dr. Nobels. You mentioned earlier human factors in
cyber security, my question is if you were to propose both military and the civilian
side as well as addressing human factors in cyber security, do you
see any disparity in the two?>>Absolutely. Last research that I show where the
military actually tracked what we paid for in human factor of the piece of
research that dates back to 1996, where we invested $200 million
in human factors in the military. And the next question I asked was why? Because that’s when we was, you
know, coming off the Cold War, we’re transitioning to a
lot of advanced technology. That’s why we were investing
so much money in human factors. But today, organizations, we buy technology
and we boat technology on top of technology. And then we end up having to
loosen our security controls to get that piece of technology to work. The reason why is because
we’re not doing our homework. We have to do our homework. Because at the end of the day, it’s really about
the operators and the end-user that’s going to be interfacing with that capability. We just don’t do our homework. The military is very great at human factors. We invest a lot of time and a lot of
people and we leverage it from medicine, nuclear power, industrial safety, aviation. They learn the hard way. I mean, but in cyber security, we haven’t embraced human factors
and we’re learning the hard way. You know, again, we could cut this time
in half if we just do lessons learned from other organizations and other
industries when it comes to human factors. You know, it’s more than just
security awareness training. Because the one thing that I
ask security awareness vendors. So, when you’re selling a company
security awareness training, what is your scientific foundation on why
you’re selling them that specific training? They can’t give it to you because
you can’t take one set of training and apply it to every organization. It doesn’t work. Every organization should have
proprietary training based on their data, what their data is telling them in terms
of their failures, their limitations and their weaknesses where
they’re then applying, like mayonnaise on a sandwich,
it doesn’t work that way.>>Thank you. We are toward the end of the session, but
I have one closing question for you all, but before I ask that question, I
would just like to remind the audience that we have another session
right after this one. So, please stay with us for
the last session of the day. It will take a few minutes to mic up our next
panel, but we’re going to have a great panel. So, please stay with us. So, my last question is what
keeps you up at night?>>I think for me that what kind of keeps me up
at night is you know what’s my next strategy. You know, I worry not about
what happened yesterday and what are we going to do to fix that? Because that’s to me like driving down the
road looking through the rearview mirror. I’ve got to look down range and
say, okay, what’s coming up, and how do I kind of get the distractions,
and believe me vendors will love to throw more buzz words at you
than you can shake a stick at, and make sure my boss is
looking at the right thing. So, not only do I got to start figuring
out what’s in the art of the possible, but then where can I position the
team to be ready when the time comes? And so, you know, I know a lot
of people are worried about, hey we’ve got you know bands
persistence threats. And we’ve got the insider threats. And I’m like, you know yeah those are always
going to be there, those are our constant, and we’re going to work on those, but what? It’s that change, it’s that fundamental
change, that new executive order. That new requirement. That big unknown breach that’s coming up and
all the sudden you realize that you’re part of that breach, or you’re just
as susceptible to that breach. So, you know, I worry, what gets me
to bed at night would probably be, the better part of the story would be is how do
I make sure we’re investing in things that show that due diligence I talked about
earlier, that when someone comes up and says you know hey this
occurred, I can say yeah, well I can show that my organization
did the best they could, and they used the taxpayer dollars wisely. They invested correctly, and
we forecast it down range to be in the best position possible
when the time comes.>>Thank you, Paul. Dr. Nobels?>>There are certain thing that keep me
up at night, but I’m up mostly anyway like most cyber security
professionals, we’re like night owls. But the one thing that really keeps me
up are insiders, inside of your systems that are looking to do malicious IT. These are people that have elevated privileges
and accesses that you know they have access to a lot of critical information. That’s one thing that keep me up at night. Those personnel with elevated privileges
who don’t protect those elevated privileges and so somebody else can
gain access to your network. And then the third thing that keep me up at
night, the things that we don’t know about. What’s the next threat. What I don’t know, what I don’t know. Because I’m always looking for what
I don’t know, based on what’s going on in the cyber security landscape.>>Wow. Thank you very much. Let’s give our panel a hand. [ Applause ]
