2018 Cyber Maryland Education Track, Opening Remarks and Keynote Address

October 9, 2019, by Stanley Isaacs


>>Good morning. Welcome to the Cyber Maryland 2018
breakout session on our education track. We, UMUC, the University of Maryland
University College, have sponsored this for a second year in a row. It may be a third year in a row. I’ve done it for two years. But we’re delighted to have you. Once again, I am Dr. Loyce Pailen. And I’ll be your host for the day. I’m responsible for the center of security
studies at UMUC and I’ve had the pleasure over the last year and a half or so of hosting
these events and also handing out scholarships to some of our students who
are actually in audience. We appreciate your attendance and guarantee
that you’ll have a great lineup of speakers that will provide a thought provoking
discussion about what CISOs worry about and how their educational background
has prepared them to handle the job. You will have photos and bios of all
of the speakers in the program booklet. So, we’re not going to spend a lot of time
talking about each speaker’s background. But that’s going to let us
maximize the time that we have for discussion and questions and answers. So, without further ado, we will begin
our program as shown in your program, starting with the greeting from my
friend and colleague Dr. Greg Von Lehmen from the UMUC President’s Office, Greg. [ Applause ]

>>Well, good morning everyone, and thanks
Loyce for that introduction and congratulations on organizing such a wonderful forum for today. So, I was coming in and somebody
recognized my speaker, one of the industry people, and
he said oh, you’re speaking. He said, no that kind of overstates my role. I’m not really a speaker I’m
here to introduce the speakers or introduce those who will
introduce the speaker. So, just a quick story to make a larger point. I was a new provost, at UMUC in 2008. And our president came back from a trip and she
said I want graduate programs in cybersecurity. And I’m saying, well what’s cybersecurity? And she said I want to start them next semester. And I’m saying, well there’s a lot
involved in starting a program, would you give me at least a year. And so, she said yes. And what happened over a period of time was
that we formed a national advisory board of government, former military and industry
people to help us devise that curriculum. Because in 2008, we didn’t know if
cybersecurity was one word or two words. We actually had those debates. And so, through a series of morning-long
meetings, three or four over the period of a year, we would listen to that group. We would come back to them with translations
of their comments, curricular translations. Ask them to react to that, and we came
to what was really the first iteration of two graduate programs in cybersecurity. So, this is all to say that if you’re interested in developing effective workforce programs
you really need to talk to the people who are doing the work, who have the experience,
have risen to positions of prominence because they’ve been successful at what they do. And certainly, that’s what
we hope to offer you today. As Loyce has mentioned, we’ve identified
one role, the role of the CISO, which we know is really pivotal in
organizations for a lot of reasons. And so, as educators, it’s good for us to
hear from people who have been in that role, or work for CISOs, to understand what
they worry about, to understand what in their backgrounds best
prepared them for the role. So, we have testimonies today, even some
survey data from the Ponemon Institute. All with a view to helping us at what we
do day in and day out at the university, so to hone in our cybersecurity
programs, to make them more effective. So that when our graduates go into
the workplace they can perform well and have clear trajectories
to important positions. So, with that, I introduce the person
who will introduce our speaker. And that is the Dr. Emma Garrison-Alexander. She is the vice provost for cybersecurity
programs in the graduate school. There have been a lot of changes
in our program since 2008, 2009, 2010 when we first launched them. And Emma’s been very important part in
innovating and developing the program, in consultation with our industry
and government representatives. So, I’ll ask Emma to come up. I do want to give a call-out to
our keynote speaker, Marcus Sachs, Marcus was on the initial
board that I mentioned, and his fingerprints were all
over our cybersecurity program. And that’s one of the reasons why
it was so good, so thank you Marcus. Emma. [ Applause ]

>>Thank you, Dr. Von Lehmen. How’s everyone today? Well, we’re very, very excited to have you
here as a part of our program for today. I’m Dr. Emma Garrison-Alexander, I’m the vice
dean for cybersecurity and information assurance in the graduate school at the University
of Maryland University College. I’m also joined today by my undergraduate
colleague, Dr. Esbascar [assumed spelling], who’s responsible for the
undergraduate programs. Between the two schools, in the graduate
school, we have four cybersecurity programs; three direct programs and one master’s in
IT with a focus in information assurance. We have a Master of Science in
technology, we cover digital forensics. And we cover management and policy. The undergraduate school has three
cybersecurity programs that coincide with the ones in the graduate school. We’re very excited to have had the opportunity
to sponsor this track again this year. As Dr. Pailen said earlier, we
sponsored two years in the past and this is our third year
of sponsoring this event. I would like to also welcome you to the
conference to hear our keynote speakers and the panels that will
follow later this afternoon. I would also like to take this time to thank
Dr. Loyce Pailen for her leadership in planning and setting up this particular event. And also, Ms. Jennifer Hull who served
in a role, an administrative role, and really has provided leadership as well. Also, to our marketing department. To Dr. Von Lehman, who is very
generous in helping to fund this event. To all of our program chairs, our collegiate
faculty and any adjuncts and other support staff that have been a part of this planning
and making this event a success. Thank you for choosing this session. At this time, I’m going to say a
few words about our keynote speaker. His full bio is in the brochure
that you have on your seat. Marcus Sachs, Chief Security
Officer of Pattern Computers. Marcus Sachs is the Chief Security
Officer of Pattern Computers, a startup in the machine learning and artificial
intelligence field, where he is responsible for the overall corporate
security policy, and strategy. He is also a partner at RIDGE LANE Limited
Partners in the technology practice. Marcus is also a retired US Army
officer and was a White House appointee in the George W. Bush Administration. Let’s welcome Mr. Marcus Sachs. [ Applause ]

>>Good afternoon, well actually
it’s good morning. Three minutes from now it
will be good afternoon. Dr. Von Lehmen just said in
2008 we started this journey of creating cybersecurity
at the University Maryland. It’s hard to believe that was 10 years ago. And look how far we’ve come in
10 years, ’08 was also the year that USB thumb drives became
something people were worried about. I don’t know if you remember where you were
then, but this was when they were found in Afghanistan being swapped
with soldiers outside the wire, they’d bring them back inside
their camps to do email, bring the USB key back out
and it would talk to Russia. That was a big awakening that year. Ten years prior to that, 1998, was the year
that we found a bunch of hackers breaking into the Air Force and it looked
like it was coming from Tehran. In the end, it turned out to be
a couple teenagers in California, set in motion what today is cyber
command, that was 20 years ago. If you go back to 1988, 10 years even before
that, that’s the year the Morris worm came out, for those of you who were around
[inaudible] remember more. So, if you go even 10 years before that, 1978
that’s when the Apple computer was launched. So, in 40 years, we’ve gone from just a little
simple homebrew computer system known as Apple, all the way up to where we are today at
2018, where everybody knows what cyber is. We do still argue about whether
cybersecurity is one word or two. I don’t know that those debates
will ever go away, but here we are. So, I was asked to do the keynote this morning,
I was thinking about, you know, what do I do? What do I talk about? And of course, you know telling
your life story, that’s fine. That’s nice and boring for everybody. But what I thought I would do is just a
little bit about what we worry about as CISOs and we’ll focus a little bit
more on the career field. And what gets us to where we are. Because all of us have had different things. So, again, a little bit about our concerns. But these career paths that we take,
and this is a focus on education, it’s a focus on developing the career force. We all have taken different paths. So, I’ll show you my path later,
towards the end of the talk. But I’m going to give you some ideas about
others who are coming into the field. If we look at the threats
that we’re worried about. And cyber is a very technical subject and
it does scare people because it’s technical. But there are many people in our career field
that are not technical; business leaders, finance people, all over the world. In fact some of the best CISOs that I
know do not have undergraduate degrees in computer science. Did not grow up in pure scientific world, but
they learned what the business impacts are of the security, or the government impacts. And have also, then, gone on and maybe
got a masters degree or something extra in cybersecurity to round out
their undergraduate education. But when we look at the threats
that we worry about, you can kind of start at the bottom. The reputation damage, you know the things like
a phishing exercise, or a website defacement, or somebody takes over an account. Generally not a lot of direct impact on an
organization, other than it’s embarrassing, you just don’t want to see your name
someplace being publicly embarrassed. Theft of property is probably a bigger issue. You know we all worry about
somebody stealing our phones, stealing our laptops, stealing corporate assets. Those things can be recovered. We can put them back online if they’re stolen, but online identities being stolen may be
something that’s a little hard for us to do. Or, if somebody breaks into your
corporation and steals intellectual property. That may be hard to restore,
or steals customer records. The third area, which is a growing area and
has been building for a number of decades, but we’re finally actually
seeing it happen is ransomware. All of you, hopefully are
very familiar with this. Where the criminal groups
will put malicious code into somebody’s computer,
gets it to activate behalf. They hope it spreads, the attackers we
have, spreads through that organization, and doesn’t steal anything, it just
cryptographically locks your hard drive. Encrypt everything on it, pops up a little
ransom demand on your screen and you have to pay a bitcoin in order
to unransom your machine. We had talked about this for decades,
this possibility that we might get away from just simple worms and
viruses that are nuisance, into something that would actually cause
damage, in this case logical damage. We’re here today. You probably remember the City of Atlanta, just a few months ago suffered
a massive ransomware attack, they haven’t even completely
recovered from it yet. Knocked them offline for several weeks. The mayor, in front of a camera,
trying to explain what’s going on. Really unprepared for that type of an event. So, part again, of this being a CISO is also
making sure that the people you’re working for, your senior leaders, government officials,
CEOs, others know what to say in front of a microphone when something bad happens in cyberspace. It’s not just a technical
matter, you have to react to it. The two on the right are the
ones that really scare us. We don’t see a lot of it, which is good. But it’s the one we really, really worry about. So, if somebody jumps this boundary from
enterprise IT to working on Outlook, or email, or whatever and gets into the control
system, gets into your air conditioners. Gets into machinery or the plant,
and is able then to manipulate on that side, that is a very scary thing. My last job was the CSO of
the power grid working at NERC. And this was a big thing we worried about, could
somebody phish their way into a power company and then hop over and actually
manipulate the grid. Luckily we never saw that
happen in the United States. We have seen it happen in Ukraine. That is exactly what went on
there, they phished their way in and then gained control of
some large Ukrainian assets. That one at the bottom, mechanical
or logical damage very, very rare, but this is the top-notch thing, could
I break in, could I cause damage? Could I cause a train to stop? Could I cause an airplane
to fall out of the sky? Could I cause motorists to mechanically break? In theory, yes. Experimentally, yes. We can demonstrate that this is doable. We do not see it, fortunately, we don’t see
it happen, but as I’ve gone through each one of these, everything up to that point
has happened, it’s just a matter of time before we hit the bottom one. This is what we worry about. These are the things that are top of
mind from a technical perspective. If you remember WannaCry last year,
this is what WannaCry looks like, ransomware in a control center. This is like the choking moment. Oh, my God, oh dear, what do I do
because I have literally lost control. If there’s any good news
here, what you’re looking at is a photograph of a Russian
railway operation. So, ransomware that originated in Russia,
targeting the West bounced back and hit Russia and screwed up one of their networks. You’ve got to love the internet. It knows no boundaries, it has no friends. And when you unleash something bad on
the internet, it may come right back. It’s like spitting in a fan. It may come right back at you. And that’s exactly what happened
to the Russians. So, I like to show that picture to show that you
know there is a little bit of love hate going on here, but sometimes the good
guys win, the bad guys lose. But what we really are going to focus
on later this afternoon, after lunch, Ponemon has done a study on what
CISOs are truly worried about. You’re going to see a little bit
of this coming up after lunch. One of the things I like
to highlight of course is that very top item, competency
of the inhouse staff. That is not a technical thing. You know, we’re not worried about operating
systems, we’re not worried about patches. We’re not worried about whether we have you
know, the latest and the greatest controls. I’m worried about the people. Can I hire experts to work for me, or do I have
to take somebody in and teach them everything that they need to know with the fear
that as soon as they become smart enough, they’re going to be poached by another company. Or, am I the poacher, am I the one
who’s got the feelers out looking for talent elsewhere, stealing from others? This is a bit of a problem
here in the Washington area where we have a government that
really, really, really needs talent. But we’re surrounded by industry that
really, really, really needs talent. Guess who wins in the end when
it comes down to finances. And a lot of really good talent that comes
to the Washington area lasts for a year or two in government and is
immediately sucked off into industry. I don’t know that that’s
the best for our country. But we need to have a little bit more harking
there between industry and government. Well, I’m going to cover a bit more about
this fear of not having staff on hand. So, the education of our cyber professionals. How do we do this? In fact, is there a path that somebody
who’s in high school right now, they’re talking to their guidance
counselor, they want to know what do I do? I want to be a CSO. Just like somebody might want to say,
I want to be a chief financial officer. Or, I want to be the head
counsel at some company, or I want to be the doctor that runs a hospital. There are those conversations being had at
the high school level within counselor rooms. What do you tell a high school student? Do you go get a degree in computer security? Is such a thing available? Yeah, it’s available. But is that really what you want? Or do you want a more well-rounded
person, maybe an undergraduate in business with a masters in something computer-related. There really is no clear answer
and I think that’s our challenge in the educational community is what is
that path, or are there multiple paths? Are there different options we can give? I’m going to show you some
examples in other career fields. Others have gone before us. Cyber, as I was explaining earlier,
we’re relatively new, only in the last 10 to 20 years has this become a thing. Medical science has been
around for thousands of years. Engineering has been around
for thousands of years, we’ve got a lot of other career
fields that are out in front of us. So, we’ll take a look at what some of the
others have done that have gone before us. Part of our big challenge of course
is defining the security career field. When somebody says I want to
have a career in cybersecurity or just in security in general,
what does that mean? Well, I can tell you back in 1998, 20 years
ago when I was talking to my father-in-law who was a retired armored officer,
and I was an Army officer at the time. I said, I’m getting really into this security
thing and I think it’s probably going to be where my career will take me. And got all irritated because in his mind
security to him was that guy at the front of Walmart, you know, who is
retired and is acting as security. Or the mall security guard. And he said, how could you possibly
think of that as a profession, that’s what people do who
don’t have college degrees. They just stand there and occupy a spot. And they’ve got a little badge
that says they’re security. I said, yeah, that’s too bad that
that’s how you view security. But unfortunately, across a lot of
America, and across the country, that’s still how they view security. It’s a low-level, kind of nothing job. Nobody gets into it. Good people will become doctors, and
lawyers, and accountants, and engineers. They don’t become security professionals. So, our challenge is how do we raise this? How do we make this profession a profession? How do we attract youngsters who are
in middle school and high school to see that this is truly something on the
same level as all these other careers that a guidance counselor might talk to them
about and things they might get interested in. But if we look at what we do,
in terms of professionalization, I have a few things highlighted here. To be a security professional,
to have that title and call yourself that, there
is no mandatory anything. There’s nothing about your education. There’s nothing about certifications. There’s nothing about who you work for. There’s no licensing, none of that. It’s just a self-proclaimed title. I am a security professional. Folks, we’ve got to stop that. At some point, we’re going to have
to professionalize the profession. So, let’s look at how others have done it. How have other professions thought about it? For example, as lawyers. If I want to become a lawyer, I can get an
undergraduate degree in just about anything. Most lawyers do get a business degree
or something along those lines. But then I have to pass a test. A law school admissions test in
order to even get into Harvard, or get into some place, you know, some prestige. And most colleges and universities
offer law degrees. If I get my JD, and then the
whole young journey starts. I’ve got to go work at a law
firm, as a clerk, low-level. With my JD, you know, I’m Mr. Lawyer here,
but no I’m going to start at the bottom, and I’m going to be tutored year, after
year, after year by other lawyers. Ultimately making my way up. I have to pass the bar. Continue getting education. And now I truly am calling myself a lawyer. It is a well-known career path for
those who want to become lawyers. If I want to be a doctor, same thing. Get an undergraduate degree in some field,
usually it might be biology, chemistry, something that might be medically related. Take another test, go to med school. Oh my God, I pity anybody who’s
had to go through med school. And then, it’s you start off at
the bottom with your residency. And you start making your
way up the doctor ladder. And of course, there’s lots
of splits and branches within the medical services field as well. But again, you’re licensed,
continuing education, this expectation of continued excellence. Do we see any of this in cybersecurity? Any of these requirements? Kind of awkward right? If I look at CFOs, the financial
world, accountants. Others like that. Same sort of thing, probably an undergrad in
finance, or accounting or something related. Get a graduate degree. But then I have to get my CPA,
that’s kind of like a bar to get into this career field, is
I must pass this exam. And then, I continue doing more certifications. Would you hire at a corporate level, a
CFO that does not have this background? Would you hire a general counsel
that hasn’t passed the bar? But yet, we’ll hire a CSO
that has no certifications. Nothing. Nothing to hang their hat on,
other than I self-proclaim myself as a CSO. Yeah, awkward right? Couple more. Airline pilots. Same thing. Undergraduate degree, flight school. Most pilots come out of the military, not all, but the military is a good breeding
ground for future airline pilots. Lots and lots and lots of stick time, 250 hours
just to get you started, thousands of hours if you really want to fly the
big birds, the 777 and so forth. FAA certifications, experience. Again, you sitting in an airplane, you don’t
want to have up front driving that thing to be anything other than fully certified, but
yet, you’re okay with security professional with no degrees, no background,
no certification. Just self-proclaimed security professional. Finally, engineers, that’s where I came
from, my undergrad is in civil engineering, that was how I started my road off. But even in engineering, we require accredited
degrees, masters degrees are very helpful. EITs, PEs, continuing education. Every four years you have to recertify. Again, just like every other profession, there is a set of professional
steps you have to go to. And like many other professions, if an engineer
screws up, if I was practicing as an engineer and I design a deck for your house, and you
build that deck and you’re having a party on it, and the deck falls down and kills somebody,
the investigation will start immediately with let’s get the engineering drawings. What professional engineers stamped
off on these things and let’s go back and see if the design was
actually correct or not. If the design was incorrect, that PE who
signed off on it has personal liability. Could get sued, could go to jail. As in other professions. Security folks, can we get sued or go to jail? Well, you might get fired from your job. But because you’re so hot in what you’re
doing, you’re immediately reemployed because everybody needs security people. Yeah, awkward, awkward, awkward. Teachers, I can’t forget the teachers of
course, because this is an educational group. Same thing. Undergrad degrees, Masters degrees. You want to teach at the
higher levels of colleges and universities you have to have a PhD. Many educators have two PhDs. I mean this is a very, very heavy
level, in terms of education. Teaching licenses, certifications. It’s all there. All these professions have
professionalized themselves. We have got to do the same thing. We as a security community
have got to move forward. So, this let me just back up a second
and ask, you know the fair question. Is it actually needed? Should we professionalize ourselves? Or, if we try and go down this road, we try to
get too rigid, do we wind up locking people out? It’s hard enough right now
to attract good talent. You know, it’s very tough to get high
school kids interested in what we’re doing because there’s so many other cool things
that are out there they can get into. So, if we go too far we might
put up some barriers. We do, however, have this what we call
snake oil problem within cybersecurity. The fakers that have come into the world. They just self-proclaim they’re experts. Because we don’t require any kind
of certification, and they screw up. And they screw up royally and
they cost millions to companies. And again, the worst that
happens is they get fired. And I’m pretty sure many of you have met the
snake oil cyber people who are out there, trying to kind of fake their way through this. So, you know that last little
thing down there about liability. I mentioned that a moment ago with
engineers, doctors, and other professionals. Are we at a point yet in cybersecurity
where we can hold somebody liable? In other words, if an individual programs
a firewall, and the firewall rule fails, or they put the wrong rule in and
they should have known better, they were taught by whatever institute,
that here’s a better way to do this, should they be liable as in financially
liable, for making that mistake. And I see some of you saying yes. And some of you saying don’t go there. Yeah, why are we saying don’t go there? Well, part of it is we kind of like
this world where we’re not liable. You know, we can make a mistake,
we’re not going to be fined for it. Again, at worst, our reputation might be
tarnished a little bit or we get fired. But I’m not going to stand in this
civil court and get sued for screwing up a firewall rule or forgetting
to apply a patch. Or for not teaching people
what phishing is all about. Or, even if you’re an employee clicking on
the bad link and causing all sorts of harm. You’re not going to get sued over that. I haven’t really gone into this, but
imagine the software hardware world, you know where somebody writes
an improper line of code in C++. And they knew they should’ve done better, but
yet, that’s what causes the buffer overflow that leads to an airline falling out of the sky. Will that programmer be held liable? In today’s world, no. You can’t do that. In tomorrow’s world of a professionalize
cyber force, maybe we need to go there. Not today, not 2018. But these are the kind of conversations if
we’re going to professionalize our community, we have to start having that
awkward liability conversation. So, maybe our way ahead, maybe where this
takes us is kind of a two-parallel track. This is not unlike other professions. So, we can have the professionals,
that become the leaders, the experts. You know, those that might perhaps
be licensed, might have liability. And they lead that type of professional life. And then we also have more
of a technical trade area. This would be like the blue-collar
side of the world. And I think what we’re seeing is a lot of
that bottom one is really enticing to people. They don’t want to be leaders. They want fingers on a keyboard. They want to program. They want to write code. They want to break things and
do things at a lower level, but they don’t want to be in charge. I don’t want to lead that SOC, I
don’t want to lead that red team. I just want to be the red team. I just want to be the person
that’s doing the analysis. I want to be the person that’s
writing the reports. So, perhaps maybe we are starting
to see a little bit of a split here. But if you look at other
more technical trade areas, there are still requirements for licensing. A welder for example, is clearly a trade,
but you can’t become a welder at GM or Ford, or any place else, even at
your local welding shop without having some sort
of welding certification. Some way of attesting to the
fact that you know how to weld. A plumber has to go through all sorts of
testing to be a plumber, an electrician. These are technical trades. What about software, hardware. Should we treat it the same way? And again, I think you know
what my answer is, of course. But in 2018, we’re not quite ready. Maybe 10 years from now, if we’re doing this
10-year thing, we come back in 2028, we’re there and we think, you know, we think we’re ready. So, if we talk about this licensing thing. Let me kind of cover a little
bit and then I’m going to shift gears into how I got to where I am. But licensing for most of the professions,
I’ll show you some examples in a second, is based on century, decades at least
if not centuries of understanding of how the physical world and the science
world, and technical world works around you. So, if you study how like this
building, the way it stands up, there’s physics involved in
how this building stands up. You can teach physics to people. You can teach them compression, and tension,
and all sorts of things about engineering. Is there an equivalent in cyberspace? Are there physics of cyberspace we can teach? Is there a biology of cyberspace that we
can understand, or we can test and retest, and confirm that if I always do it this way, I’m
going to always have the same expected outcome? Like in physics, I know if I push
something it’s going to move, you know good old little Isaac Newton
taught us you know, things like that. Is it like that in cyber? Can I identify those fundamentals. That’s a great research question, you
know are there things we can lock down? When we come to licensing,
that’s kind of that next step. If we can find the underlying science
of security and we can teach it and it’s repeatable, we might actually
build a licensing thing on top of it. If we can’t, then we need to
come up with something else. Some other equivalent for the security world,
for cybersecurity and cyber in general. Hardware software science of how do we certify
that somebody knows what they’re talking about? So, again like in civil engineering,
a lot of what you see today, the professional engineering world,
actually came out of the Civil War. There was a l to of frustration then because
railroads, just a brief history lesson. Railroads have been around
for a number of decades, but most railroad bridges were
built out of stone, stone arches. Because we had learned over thousands of
years that stone arches work very well. Or if you needed wood, you
built like a scaffolding. You know, scaffolds have
been around for a long time, and so the timber trestle bridge
looks sort of like a scaffold. Well, a lot of these bridges fell down
in the Civil War, as you can imagine, and there was a lot of work
to try to reconstruct them and they would continue to fall down. And the railroads were very kind of frustrated
because they wanted safe, secure structures. Following the Civil War, West Point and other
engineering schools started to devote themselves to learn the science and engineering. To try to understand materials. What does wood do? What is this new thing called
steel and I-beams and things. What can we do? How much stress can it take? How much bending? And they began to quantify all this,
so by the end of the 19th century, by 1900, a lot of the science was done. And it set up the capability
to start licensing engineers. Because you had science that
you could teach them. It was no longer just Roman arch
bridges and do the best you can. Other professions, like medicine. Same thing, late 1800s, lots of snake oil. And you know types in those days. They wanted to get rid of all that and they
professionalized the medical community. Finance, Chicago double-entry bookkeeping. Other types of accounting
forced the accounting world into getting very specific
about how this is done. Post-World War I aviation, barnstorming, if you’re going to have commercial flight the
passengers are paying, I can’t have that guy with the goggles and scarf around his neck, you know flying his airplane
whatever way he wanted to. We had to develop a career field for pilots. Are we at that point with security? I’d say so. I mean so much of our economy
depends on making this work. So, our little story, if you go back
through the years, probably 1950s, ’60s is a good starting point in terms
of when did research really get going? But look at the science of networking
and the science of computers. There’s some really cool
papers that [inaudible] and MIT and others put together 50, 60 years ago. They are worth looking at. Because in those days there was no Internet. There was no social media. There were no worms and viruses
and things like today. But a lot of really good thought going into if I build this future connected
world, how do I keep it secure? Keep in mind this is the nuclear age, there’s a
lot of other concerns, Soviet Union is rising, global national security was a big deal. A lot of good picking we
might be able to look at. NSA, of course, had an early lead; the crypto community has
long been thinking about security. ARPANET from 30 years ago, 40 years
ago, when the Morris worm was let loose, kind of re-engineered its thinking. And we’ve had in the private sector with
Microsoft and others, a lot of thinking. So, professionalizing based on science, I
think we have enough background to get started, we just need to start having the conversations and see if perhaps this is
something we’re ready to do. So, let me wrap this up you
know how did I get here? How did I get up to this podium? How did I become a security professional? You already know I started off as a civil
engineer, that’s not security, by any means. Maybe physical security in a sense. But my story is my story. Every other CSO, every other security
professional has a different story, a different path to get here. So, my undergrad, Georgia Tech is where I come
from, you know, Ramblin’ Wreck, rah, rah, rah, the hell with Georgia, all that good stuff. But it’s in civil engineering. And back then, I’m programming
the [inaudible] using punch cards. And I learned how to program. Programming is kind of fun. What’s security? Nobody knew. The professor would tell you don’t, you
know, when you log in, don’t break things. Okay. Thanks, professor, I can do that. Did we figure out how to abuse the system
back then in the ’80s, and the ’70s? Of course we did. We were kids in college that’s
what college kids do. We would write programs to circumvent
to give ourselves extra time on the mainframe, and of
course we’d do all that. I went on and got a bachelor’s degree many, many years later in an interesting
thing called science and technology commercialization,
it’s like an MBA in startups. Uncle Sam sent me to do that. That was 20 years ago, that was in 1998,
to get a degree in how to build a startup. Absolutely fascinating, very
helpful in my military career, because we were building these
little small military units. Finally went on and actually did get a
computer science degree from James Madison. And unfortunately, my doctorate, yeah
I got started on it, ran out of gas. I’m ABDE sorry for the rest of you who are
doctors, I’ll catch up with you some day. You all know the pain it goes through,
just eventually you run out of gas. Maybe when I fully retire I’ll get there. But I was an Army officer for 20 years. Learned all about security
from a physical perspective. Had no idea this would lead
to a cybersecurity world, but my world began to change about 1991, 92. When Uncle Sam decided that I should
not do civil engineering anymore, that it was time to start getting into computer
networking, I got sent to 18th Airborne Corps at Fort Bragg in North Carolina in ’93 and
took over 18th Airborne Corps networks. That was the hobbyist inside of me. I had a strong hobby background in this stuff. Ham radio guy since I was
like 12 or 13 years old. So, for me as a Corps of Engineers guy, working
with the Signal Corps doing signaling things, it was a neat little diversion, thought I might
do it for a year, go right back to engineering, but during that year, I found out that the
Signal Corps air conditions everything, and all the computers have
to stay nice and cold. And Fort Bragg can get very,
very hot in the summertime, and I’m looking at my engineer buddies out
there just sweating and being miserable. And my new Signal Corps friends
all being cozy and comfortable in their little air conditioned shelters. It does not take a rocket scientist
to figure out where I wanted to stay for the rest of my career in the military. So, I wound up going there. September 11th happened, I was
in the process of retiring, working for a little organization called the
Joint Task Force for Computer Network Defense, or JTF-CND, the precursor of Cyber Command. And about a week or two after
September 11th, White House called said, hey, I hear that you’re retiring. There’s a hacker in the group,
and would you like to work at the White House after you retire? Okay, tough question, because I was going to
be in industry and work for General Dynamics. White House, General Dynamics, hard choice. Wound up at the White House, totally unexpected. Worked for Condoleezza Rice in the
National Security Council and learned a lot about very, very strategic-level security. Helped create Homeland Security. Kind of orbited in that world for a while. Worked for SANS for a little bit, SRI. About eight years at Verizon. And all of these in security jobs,
just kind of making my way up. My first CSO job was about
three years ago with NERC, and these are the guys that
regulate the power grid. And when I left NERC at the end of last year, I figured I’d go on to another big
corporation, maybe a bank or something. And this little startup started
knocking on my door and said we would like you to be our CSO in a startup. And I figured, okay, I’ve never done the
startup thing, this will be kind of fun. So, I’m actually able to start, literally
small and build security into a small company in their products and services, as
well as the mindset of the employees. Helping them to think securely, and
what I told them from the get-go. I’m here to make your life
better and more productive, I’m not here to make your life miserable. If I ever start messing you up, if I
ever start slowing you down, throttle me. I want you to do your job securely. I don’t want to ever be thought of as
somebody who’s not letting you do your job. And this has been a good
philosophy for most security people, which is to think about how to do your
job, how is it that you can help? Again, I talked about different roles, military,
policy expert, blah, blah, blah, blah, blah. That was my computer system in the upper
right-hand corner about 20 years ago. Military cybersecurity at
its best back in the ’90s. So, last thoughts. Good security people are naturally curious. You have to be. You don’t know where the
threats are coming from. You always have to be asking, thinking
and what-ifing, where are the unknowns? What might they do? Thinking like the bad guys is not a bad thing. It’s a lot like law enforcement. Where the very best law enforcement
professionals are those who think like criminals. And think about how you might break
something, that’s how you go after them. You have to be able to play well. You’ve got to have good bedside manners. The worst security people I’ve seen,
are those who are so technically focused that they cannot talk to other people. They don’t know how to interact. They have no social skills. And so, that’s a key piece. Blends of backgrounds. Technical, business, other
things, extremely helpful. And then those last couple of things
there, security by itself is not the objective. Whatever the business is you’re working
for, the organization, institution, whatever their role is, that’s the objective. Your job as a security person
is to get them there securely. Whatever that means to the organization. It’s not that you’re doing
security as the primary role. And a lot of my peers miss that point. They think it’s all about them. It’s all about security. No, we are in a supporting role. Exception would be if you’re a security company. If you’re McAfee or Symantec, okay a little
bit different there, but I could even argue with them, it’s all about shareholder value. And it’s about making money, not
necessarily about being secure. Does everybody kind of follow that? And these are the kind of things
we as security professionals need to start teaching the youngsters coming up
through the level, about the profession, again these other professions I talked
about, they teach their youngsters, they give them the history, they
bring the philosophies involved. We need to do the same sort of thing. So, folks, that’s it for me. I’ve got a few minutes until lunchtime,
Dr. Pailen, wherever she got off to. There you are. If you want to take a few questions? Or? And then I think it’s going to be lunchtime.>>Good afternoon, sir.>>Yes, sir.>>My name Iodigi Undra [assumed spelling] I’m
a doctoral student from Boise State University. I’ve been having.>>Please, please, please finish
your doctorate, don’t do like me.>>I’m starting my last year now.>>Good.>>I’ve been having this
kind of two-minded issue. Someone once told me that taking cyber
security programs to a certain level is like narrowing yourself or
boxing yourself into a corner. I’m doing my PhD in computer science and I was
told that computer science is like a master of everything, but you’re not specific. You’re not really a master of, like a jack
of all trades master of none kind of thing. I just want to know, have your opinion on that
issue, that is it true that taking cybersecurity as a course, or as a terminal degree, are
you kind of narrowing yourself into a corner because technically there are
so many cybersecurity jobs out there you don’t have the edge
over the competition out there.>>Well, I think what’s key is not just
your education, but your experience, and your passion, and as I pointed
out earlier your natural curiosity. So, some of the best cybersecurity
people don’t have degrees, but what they’ve done is they have a
personal burning passion for this stuff, they’re hobbyists and they think
about and breathe it 24 by 7. Some of those who have degrees
think about it, breathe it 24 by 7. It kind of depends on what you want to do. Getting a PhD in something, generally
means you’re going to go into a world where you’re going to be doing a lot
of giving back; lecturing, teaching, you know putting that degree to work. The business world, if they look
at you and see you’ve got a PhD in cybersecurity, it’s like well, that’s great. What’s your experience, you
know what have you done? Or, give you the hard test, you know here’s
5000 lines of Snort, tell me what I’m seeing. You know, if you’re comfortable
doing that, or can you write me up a little one-page security plan for
how I address phishing in my organization? If you can rattle that off, that
to me is very, very important. I think the degree is important, but in
the business world, they’re not really looking for that, they really want to see your chops. What is your experience, what’s
your passion, what’s your desire. So, you’re not really narrowing yourself
down, unless that’s what you want to do. Yeah, and if you want to be narrow, fine. But I think any education,
anything like that is good for you. And my congratulations to
you for finishing your PhD. I think that’s really awesome. I’m jealous. But keep going and once you’re done
with that, continue your education. That’s another piece we tell people. Don’t just stop with the undergrad,
or the masters, or the PhD. You’ve got to continue doing that. Our world changes so often, that if you stop
getting educated you’re behind the scenes. So, thank you. Yes, ma’am.>>Hi. Sorry, oh am I the last one? Good afternoon, wonderful presentation. So, my name is Deli, I have been in
the information assurance field more on the compliance, auditing
policy side for about 18 years and I do have my PhD in leadership. But my dissertation was the
leadership of technical teams. So, I say all this to say that you noted that we
have to professionalize the cybersecurity field, with which I completely agree, because there have been
some staff who did not know what they were doing because they weren’t properly trained. Now, IT as a whole, what
would you say about that? Because we have system admins, we have
developers, we have you know mail admins, network engineers, who you know it was just
their passion and they got certified, or. So, what would you say?>>Every time you saw security in there,
just replace it with information technology.>>Okay.>>I’m keeping this narrowly
focused on security, because of why we’re here, but you’re spot on. The broader field. Think of cybersecurity as a like a
form of surgery in the medical world. There’s large medicine, from you know
private practitioners, to specialists and where security is just a little
piece of the bigger IT world, or a bigger infrastructure world, if
you want to even think on it that way. So, yeah, you’re spot on. IT is unfortunately one of those areas,
both from a human side, as well as products and services, trillions of dollars of
industry worldwide, with very, very, very little oversight, no laws, no; you know
where is the equivalent of an oversight agency like there is for airlines and
doctors, and every other profession. There’s nothing like that for IT. And I’m not begging there to be one, but I am
pointing out that it’s a very interesting world that has no oversight, no regulations. Other than regular business law that’s in place.>>I do have one last follow up question. Now, so in the cyber world then, you’ve noted
and with the gentleman’s question talking about how there’s the leadership role, and then there’s what I call
the subject matter expertise. So, in your opinion, do you think
the SMEs should also get a degree? Or would you consider the SMEs for the technical
certification versus somebody like myself who wants to get into the higher
leadership role with the degrees.>>The answer is yes to both. The certifications and so forth are
very good to have at a tactical level. But as your career matures, if you don’t
have that broader higher education, which is generally what a college
degree is going to bring to you. You know 17 years, from the
time I went from undergrad to when I took my first Masters course. I’m so grateful I didn’t do a
masters degree right out of undergrad because I was just a student, I
had no business experience. Seventeen years later, I
know why I’m in grad school. I’m there to learn. I’m not there to party, I’m not there to you
know cheer for the football team [music]. But thank you, thank you for your questions. Dr. over to you [applause].