Episode Transcript
1:10
Today on CyberWork, I have a big guest for you. Jeffrey Brown is the Chief Information Security Officer for not a company, not a healthcare org, but for the entire state of Connecticut. Jeff walks me through the scope and reach of a statewide CISO, a countrywide move towards a whole-of-state strategy and, frankly, I spend an awful lot of time just talking to Jeff about where he finds the time to do all the things he does. This is a really wide-ranging and inspiring episode. Whether you're slogging through cert study or hitting a wall trying to figure out your next career pivot, my talk with Jeff will absolutely give you some new perspectives. So please keep it right here for today's episode of Cyber Work.

1:50
Hello and welcome to this week's episode of the Cyber Work podcast. My guests are a cross-section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends, the way those trends affect the work of infosec professionals, and leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry. I've got a really cool guest today. As a cybersecurity executive with over 28 years of experience, Jeffrey Brown's mission is to align cybersecurity strategies with business goals. The journey has taken him across diverse sectors including finance, insurance and government, culminating in his current role as the first CISO, Chief Information Security Officer, for the state of Connecticut, where he's pioneering its quote "whole state" cybersecurity approach. Jeff's experience lies in understanding complex business needs and delivering tailored cybersecurity solutions that balance both the risk and the opportunity. So a while back, I was looking around for people I could talk to about security in state and local government capacities, and to find out that there is a CISO for the state of Connecticut, I absolutely jumped at the chance to talk to Jeff here, and so, Jeff, thank you for joining me today. I'm really looking forward to this. Welcome to CyberWork.
2:58
Oh, it's my pleasure. And what a great topic.

3:00
Hey, all right. So, Jeff, to help our listeners get a better sense of your background and how you got into this whole thing, can you tell me about your earliest interests in computers and tech and security? Was there like an initial draw? Was it in school? Was it just at home? Did your family have a home computer? Like, where did you get started?
3:17
Yeah, great question. And you know it's funny because 27, 28 years ago this wasn't really a profession for many. So, you know, how did I get started? And, frankly, I have a non-traditional educational background, so I didn't study computers in school or anything like that. However, key decision points: there used to be something called word processors, and all they did was word process. Both of my parents were IBMers, so they said you don't want a word processor, you want a computer that does word processing. So that was a very early decision in my career that had a lot of influence on me. You know, I think back when you're a kid you want to be a writer or something when you grow up and it turns out later on I did that. But you know, when you don't really have that kind of experience, it's really easy to just sit down with a computer and just start messing around with it and, you know, you're starting with a blank page. You don't really feel like reading, and then you just start learning the computer, you get in trouble and you have to figure it out and how to fix it, etc. So I spent a lot of time on computers. It never really even occurred to me to study computers in school, because I was kind of studying them all the time. So actually my educational background was in communications and publishing and journalism, and that's a background that's actually served me really, really well in this industry. You know, I really started in cyber specifically somewhat by accident, like many people did, and this would have been in the late 90s. Cyber, really, first of all, it was called information security back then. So I think things have changed a little bit, but I was between two different companies that I was looking at and I ended up going over to Merrill Lynch, which is now part of Bank of America, and it was my very first job in cyber. I didn't really know a lot. I mean, if you really look back then, it was all Unix and mainframe and stuff that I just didn't really have. But what I did have was something called Windows NT and it was just starting to come on strong. The Unix guys didn't want to touch it. The mainframe people didn't think it was worth their time. So that was the opportunity. The opportunity was really being able to come in, and I ended up helping Merrill Lynch roll out their very first Active Directory in year 2000. So I just had a really interesting and very technical start to my career.
5:33
Yeah, so NT, is that sort of between 3.1 and then like seven? Is that where? Where does it stand?

5:39
This would have been the very first version of Windows NT, 3.1.

5:45
Okay, okay, yeah, yeah, which is right up there.

5:49
And what was happening was there was a business problem, and that's something we always want to keep our eyes on as professionals. The business problem was suddenly brokers are trying to use this stuff. There's now applications that will only run on Windows NT and, you know, the security folks knew that they needed to understand that stuff better, but nobody really wanted to spend the time to actually do it. So that was my in, that was how I got in the door.

6:12
Yeah, yeah. I feel like that's probably still a pretty good bit of advice if you're trying to sort of make yourself distinguished in the job pile: find a thing that no one else wants to do and get really, really good at it.

6:25
It absolutely was.
6:27
Now, as a fellow person with a background in communication and the publishing industry, can you talk about that? You said that it was very, very helpful for you in your kind of cybersecurity track of your career. What were some of the takeaways that you got from those particular areas of learning that you apply all the time now?

6:43
Well, it was very interesting. I mean, I actually started working at a publishing house, HarperCollins, and what happened was, I ended up... the internet was just starting to come on strong. It was still pretty much dial-up for everybody back then. But I got pulled into a lot of the IT stuff, again because of Windows NT. So everybody wanted to see something called Java. Java would only... it wouldn't even run on Macs back then. I mean, it would only run on Unix and it would run on Windows NT. I happened to have Windows NT, so I got really pulled into that and it was, boy, there was a lot of potential for distance learning and subjects like that, and I started to realize that if I was going to do something for free it would be IT and, by the way, there's a big calling for that and you don't have to work for free. So I decided to make the jump and I actually made that first jump over to Dean Witter Reynolds a long, long time ago as just an IT analyst, and I was thrilled to be working in IT. I was like, now I have an IT job and I'm going to be just doing this stuff all day. And then later on I made that shift over to cyber, which is a really interesting way to sort of specialize in one thing without really specializing in anything, because cyber covers everything. So it's a really interesting way to not specialize at all.
7:54
So, in comparison to before, where your big claim to fame was that you were doing Windows NT when no one else wanted to, now at this point in it you're able to sort of have your hands in a whole lot of different things, but not quite in as extensive a kind of way. Is that right?

8:10
Yeah, that's absolutely right. I mean, if you think about what we have to worry about in security, it's databases, applications, networks, people, right? Like, people, that comes into play quite a bit. It really is very big and very broad, and we have to go deep on a lot of subjects, but we also have to go very wide on a lot of subjects as well, which makes it kind of an endless challenge. I mean, you know, you don't stay in an industry like this for almost 30 years, three decades, doing the same thing day in and day out. I mean, this is something that is very dynamic in this industry.
8:41
So I remember a professor in high school telling me the better part of knowledge is knowing where to look it up, and it's like you can feel your way through a lot of different things that way and get a lot further than you would if you just try to commit every single thing to memory and what have you. So, yeah, I was going through your sort of background. We've talked a little bit about this already, but that's my go-to move, to go to the LinkedIn experiences tab for our guests and see what you've done. In your case, though, this is kind of an embarrassment of riches, honestly, Jeff. So you've served in CISO or VP, Information Security functions for everyone from GE Capital to AIG to Citibank. You serve on the advisory board of several high-end curriculum development groups, as well as your research with IANS, and all of this is before we even talk about the CISO Connecticut part. So my question is where do you find the time or, more plainly, what's your time management strategy? I mean, it sounds like you've had so many different things going on. How are you able to kind of

9:53
called Leading the Digital Workforce? It talks about peak performance, IT management and not just security but IT in general, and it's like we have a really tough job in IT because things change so much on us and there's so many moving parts and complexity. But when I think about time management specifically, we all get 24 hours. Time is the great equalizer. I mean, that's something that, you know, whether you're a billionaire or whether you're just making $20 an hour, everybody gets 24 hours a day and you can do with it what you like. People overestimate what they can get done in a year, but they underestimate what they could get done in three years or in five years. You know, they just don't really look at things the right way. One of the things is just understanding what some of your goals actually are. So I'll give you an example. I have sort of a process. I always have three for the year, three big ones for the year, three big goals. Then I have three for the month, then I have three for the week, then I have three for today, like, what are your big three? And I'm starting to learn even now, even this late in the game, that it's like, well, what's the number one? Like, if you're going to get through today and call it a win, what's the one thing that has to be done by the end of the day, and make sure you're working on that stuff. And you really can't trust your brain on this kind of stuff, because you open up email, you get sucked into things, like incidents can happen, all kinds of stuff can get you distracted. So, having some sort of system where, you know, every time I get up out of my desk, I have an idea of, like, this is what you were working on, here's where we left off, and now I can come back and it doesn't take me 20 minutes to just reorient myself. I know exactly where I was and I can pick up right where I was when we talk about things. 'Cause I mean, on top of this, I've been writing books and stuff too, right, you know. And there's a couple of ways to do that. One, with the communication book that I wrote, it was cramming and it was, you know, it felt like I was working a day job, and then I would cram all weekend and try to catch up with writing, catch up in quotes, right. What I learned was that it's not a great way to do things, but what is a great way to do things is just write for like even half an hour a day every day, and, whether it's quality or not, you showed up, you did the work. Now you have a process, and you'd be surprised at how much you can get done just doing like even 30 minutes a day every day, even 10 minutes. Show up for five minutes, just write anything and keep things moving, and that applies to whether you're studying for an exam or a certification. No matter what you're doing, no matter what goals you're following, make sure that you have a process. You know, sleep in your gym shorts so that you're ready to go work out in the morning.

12:32
You know, just make it easy. Remove the friction, right.

12:33
That way you don't have to kind of talk yourself into it.

12:38
People say, like, where do you get motivation? Or how do you get motivation to do things? I don't. I try to just facilitate processes that make it easy.
12:48
Yeah, yeah, it's so much easier. I mean, it's the law of entropy: it's easier to keep something in motion than it is to like push it into motion, uh, endlessly. Like that, you know, like once it's already moving, you just keep it moving. And, uh, yeah, my wife's a writer as well and she analogizes. She has that same thing about a couple of minutes every day, but she analogizes it to like turning on, like, a bathtub, like the water's cold for a while and you feel like, oh, this is never going to get warm. But like if you just turn it off and forget about it for a week, like next time you turn it on it's going to be cold again. But if you just let it go every single day, you're going to have a warm bath soon enough and it's going to feel more natural and whatever. So I don't know, that's a little abstract perhaps, but yeah, no, absolutely true. And you know, as someone who's working on a cert study right now, I think you really do have to keep in mind that it's better to do 15 minutes a day than three hours every two weeks.
13:38
Exactly, and also eliminate distractions. I mean, we all have our kryptonite, right, whether it's watching YouTube videos or Netflix or stuff like that.

13:47
The whole world's a rabbit hole these days. It's just a series of rabbit holes and our attention span is pulled in so many different directions.

13:54
I mean, like you know, when I do writing, as an example, I have notifications off, I put the phone away, sometimes I even revert to pencil and paper. Just because it's distraction free, I can really focus on one thing, and you'd be amazed that, like if you just even take an hour of dedicated time, no distractions, you would be amazed at how much progress you can make even in just an hour.

14:16
Yeah, some book I read, I think it was one of those habit books. But they said that like the 30 seconds of panic that you have when you start to do a project is so chemical that it like within 45 seconds it washes out of you and goes away. Like, so many people get stopped on that 30 seconds of panic of like starting something new. But if you know enough that like this always goes away very quickly and then you get into flow, you know, in a few minutes, like it's just easier to keep doing that every single day.

14:42
So I think, you know, it's funny because neuroscience is kind of interesting in this space too. But I mean, when we have big, lofty goals like write a book, that's not helpful. What you really need to do is break that down into very little tiny things, right?

14:55
My goal is to write every day, yeah, exactly, yeah. Or my goal is to pick a subject.

14:59
Right, I'm going to start by picking a subject and then maybe start with an outline, and I mean, that's just a lot more concrete than write a book.
15:09
Write a book is undoable, I agree, and similarly, studying for the CISSP, uh, sounds a lot more huge than, if you like, open that book every single day and look at it for 20 minutes or whatever. Eventually the pile goes down. So, uh, so, yeah, so, moving on, but thank you for that. That was all, I think, very helpful. Like I said, we have a lot of students, uh, who are, you know, listeners and stuff like that, so I think that's always worth reiterating. But, yeah, I wanted to have you on the show because obviously I'm very eager to find out about your role as chief information security officer for the US state of Connecticut. So I want to ask, like, is this... it sounds like in the bio, this is kind of unique. Is there a CISO for every US state, or is this kind of a pilot thing?
15:48
No, that's a great question. At this point it's actually... there are about, I think, 53 CISOs, and the three being, you know, Virgin Islands and places like that that are traditional states but US territories. However, four years ago, the state of Connecticut did not have a traditional CISO. We had some people who were dedicated to security, but not really like that traditional CISO role. So, yeah, now this is a very, very big subject at the states. My understanding, as much as people come into a CISO role like for a state government and that sounds a little bit daunting, my understanding is that there's an awful lot of people who are actually the governors, and there's an association called the National Governors Association, and they, you know, you end up in the governor's role and your background could be any number of different things and then all of a sudden, they're kind of scared about that. It's like, well, wait a minute, I'm on the hook for cybersecurity and, by the way, the nation states are, potentially, after you. It's like, you know, they're hearing that message now and they're taking this job and this role a lot more seriously, just because the stakes have never been higher.
16:55
Yeah, well, I mean, to that end, I, you know, I think if you're an ambitious person, it's not that surprising to get up to a level like that. But, like, for someone like me who wouldn't necessarily think to even look for something like that, what was it about your background and your experiences that prepared you for a job like being the CISO of an entire state?
17:16
Yeah, that's a very interesting question too, because one of the things, I spent about 24, 25 years in finance, you know, and the reality is, if you took the tactics that work at Citigroup and you come in and you try to do this at the Department of Motor Vehicles, that's not going to work. You have to be able to adapt to the situation. You have to be able to actually observe and to listen to people and to help them understand what some of the cybersecurity concerns are. I mean, you know, 20 years ago it was very common to have the kind of conversation of like, well, why would anyone want to attack us? That would never happen. You know, now, all of a sudden, we have to worry about, like you know, the San Diego Zoo was ransomwared. I mean, it's just really, the zoo, you know. You have to start kind of thinking of, like you know, nobody is immune to this, including individuals at home. You know, you see people losing their family photos and stuff like that. Cyber is now very much everyone's problem. One of the things that really, people ask this all the time, like, oh, isn't there too much bureaucracy in state government? It's like, you should try some of these financial institutions.

18:22
Yeah, true, yeah.

18:29
They operate at a whole different level of bureaucracy that you might not even imagine, you know. But I think the number one thing for me was to just make sure I'm not coming in with some tired playbook and just trying to re-execute what worked in another company, even in finance. I mean, I've worked in custodial banks and consumer banks, in insurance. GE Capital is like an industrial with a bank embedded in it. I mean, you know, you have to go in with a new set of eyes every single time and really work with the culture, because, you know, as they say, culture eats strategy for breakfast. So you may have a great playbook, but if you don't work with the culture, it's not going to work.
19:01
Wow, yeah, no, I mean, was that a big changeover for you then? Like, you didn't really have a lot of like state and local government experience before that, right?

19:11
I had none, you know, and there's a leap of faith involved in that, right. Like, I mean, you have to say I'm going to make this work and we're going to go do it. And that's exactly what I did. You know, I think being a first CISO is interesting. One of the things, why was the state even interested in hiring me, was because we were in the midst of optimizing IT, which means like really taking things and pulling them to the center, into the executive branch of government. Think of it as centralizing IT at a large company. Suddenly, like, the game had changed quite a bit. So now, you know, in the past you used to have people embedded in the business and now we're going to centralize all of that stuff. And somebody needed to build that enterprise-class program, you know, and build that foundation for a program that's going to be able to actually take care of everybody, not just an individual agency.
20:01
Yeah, no, that makes perfect sense. And yeah, like you said, you already understand large bureaucratic hierarchies very well, so that's certainly not the impediment. So, well, I want to sort of break apart your actual job role. We've sort of mentioned a little bit of it and, like I said, a lot of our listeners have kind of being CISO of a company in their sort of like wishlist where they want to go or whatever, but it's usually for like an individual company or a branch of the government or the military, and so I think this might be kind of new for folks. So I guess, like, what does the CISO for a state actually do and/or supervise? Like, how big is your team? What's your reach? What is your sort of larger agenda?
20:43
Oh, I love it. Yeah, and I mean, what do CISOs do all day? Yeah, it's an interesting question because there's not really an industry definition. So I think even there's a saying in the state government where it's like if you've seen one state, you've seen one state. Every single one of them is a little bit different. A lot of them have grown organically and people have done what they thought was right for their state, and what you'll find is that no two states are alike. There's some common themes and things like that, but there's not really two identical states, which is very interesting. We have a lot of, you know... First of all, we have a huge network, we all talk to each other. We've met many of our fellow compatriots in person at events. You know, we have something called NASCIO, which is the National Association for State CIOs, so we actually meet up in person. We all have that lifeline and I think that's really incredible in state government. You sort of have that a little bit in finance, but not to the extent, because at the end of the day, Citigroup and JP Morgan are competitors and there's a little bit of friction there. I'm not in competition with Colorado or Florida. We can be very candid with each other. We can work together very closely. But in terms of just the day-to-day, you'll find a lot of stuff just like in a company: we have to do patching, we have to do third-party risk. We have all of the basic kind of stuff that you have to do, but we also have to work a little bit harder, because state government is very unique in that it's like being in every single industry. We have financial services. We have Department of Revenue Services. We have the Department of Banking. We got that. That's great. We also have hospitals. We have a power plant. We have healthcare. We have just all of this different stuff, and you have to really be able to work with the agencies, because that's what puts security in context. Yes, putting security in context is a lot more important than people give it credit for. People think like, oh, it's a vulnerability and you have to patch it. It's like, well, what is it a vulnerability on? What could it... what's the business impact? Right, if something happened, what's that business impact?

22:49
Right. Or even what's the path to get to that vulnerability? Sometimes there's just vulnerabilities that you're like, well, that's lower on my list because there's no real path in or out of it.

23:00
No, and a lot of CISOs don't like hearing this, but in some cases it's like, you know, this is some legacy system. We're transitioning off of it, but we can't do it right now and you're just going to have to live with that vulnerability for a little bit. And then we have to start looking at how do we mitigate that, how do we put some, you know, how do we manage the risk. And it's funny because 25 years ago, in finance, I mean, we had to manage risk all the time, not only because financial services is a risk management function, but because we also, I mean, back then you just couldn't hire the people.

23:31
I mean, there was no one to hire.

23:35
Now you sort of fast forward. There's a lot more people, but the problem got a lot bigger. So now every industry needs somebody. You know, I feel bad for some of the small, medium companies. They try to attract and retain these people, and sometimes even the price tag is a little bit too difficult. They end up with things like fractional CISOs and stuff like that, whereas they might be served better with a full-time one. But they can't afford it and even if they could, they might not be able to find the right person. So it's a big challenge for a lot of people.
23:59
Now , what is your sort of reach in terms of
24:01
like having like a staff or a team , like
24:03
do you , do you sort of have people
24:06
in sort of local municipalities or whatever
24:08
that report to you , or
24:11
do you sort of send down like directives or like
24:13
and also like ? I guess my question is
24:16
is there any percentage of your work that also
24:18
is about defending or improving the security
24:20
of , like , the citizens of Connecticut , or is this mostly
24:22
all about the kind of like government and infrastructure
24:25
security ? Not enough of ?
24:27
it is about citizens , but let's talk
24:29
about that a little bit . So , number
24:31
one , the primary
24:34
focus of this role is really the executive
24:36
branch of government . So I mean , when you
24:38
look at government , it's also legislative and judicial
24:41
right , and they're separate . By design , they're supposed
24:43
to be separate from each other . That
24:46
said so , my team is , you know , I have a great
24:48
team of about 15 , 20 people now , and
24:51
boy they're just , you know , fantastic
24:53
in the amount of work that they get done and
24:55
just the way that we get things
24:57
done too , and partnering with the business . That's
24:59
been really incredible , you
25:01
know . But you know , in terms of our scope
25:03
and our reach , we are just now starting
25:05
this , what they call the whole of state strategy
25:08
, and that's where there's some federal
25:10
grants coming . That's
25:12
new for pretty much all CISOs
25:14
, all state CISOs , because usually
25:17
the municipalities are largely independent
25:19
, largely on their own . When
25:21
the state comes and asks , you know , hey , I'm
25:24
from the state , I'm here to help , things like that . You end up kind of
25:26
not . Sometimes you get the cold shoulder . It sort of depends
25:28
. But I mean usually when we're there to say we're here to
25:34
help with cyber , a lot
25:36
of people will listen to that . You know , not too
25:38
many people think , well , we've got that covered already
25:41
. You don't hear that very much
25:43
. So usually people are quite open to that
25:45
. We're in the midst right now of working
25:48
through some of the grant process . So we do anticipate
25:51
some centralized services in the state
25:53
through something called Connecticut Education
25:55
Network or CEN , where
25:57
we'll be able to offer services
26:00
across all municipalities
26:02
. They already service a lot of the education
26:04
in the state , so almost 100
26:06
percent of public schools and , let's
26:08
say , 95 or so percent of the private
26:10
schools . So all of that traffic all flows through
26:13
one place that we can actually protect centrally
26:15
, which is a huge opportunity in Connecticut
26:17
, and it's not like that in every state , but a few others
26:20
and we're really
26:22
looking to . You know again
26:24
, make it easy . You know
26:26
, what will happen is that you may go into a municipality
26:29
. Maybe there's a head of IT , maybe
26:31
not . There's almost
26:33
assuredly not a CISO . A
26:36
few do . City of Norwalk is a
26:38
good example . They have a CISO , but even
26:40
some of our bigger cities do not have
26:42
a dedicated cybersecurity person and
26:44
that's all that they do . So getting on their
26:47
radar is sometimes very difficult , and
26:49
our job is to make it look . There's
26:51
stuff available for you it's easy
26:53
to tap into and you'd be crazy
26:55
not to do it . That's how we try to change
26:58
things .
27:00
Well , the whole of state strategy that you mentioned
27:02
, that sounds like that's kind of new and
27:05
being sort of mass implemented across all the states
27:07
. What's the sort of before and after on that
27:09
, like what was the approach before that and what
27:12
is changing with this whole state strategy
27:15
approach ?
27:20
Yeah , unfortunately , the before approach was they were on their own . Very few states
27:23
were doing anything . New York is an exception . I think they did an interesting deal
27:25
with CrowdStrike . I guess it was where they put aside
27:27
some money and made it available . That's
27:29
the kind of stuff everybody's trying to do right now
27:32
is try to get some
27:34
very specific things that are really going
27:36
to move the needle but that
27:38
don't also dry up . Because one of the
27:40
big challenges we have in government in general
27:43
is that if we're going to pay for things by
27:45
grant money , what can
27:47
happen is , you know , hey , there's an administration
27:49
change or the grant runs dry . What
27:51
you don't want to do is you don't want to say like , well , we're going
27:53
to deploy all these security controls and then if we run
27:56
out of money , I guess we're going to tear them down . That's
27:59
not what we want . We want sustainable controls
28:01
that really help move the needle . Very
28:04
basic things patching , multi-factor
28:06
authentication , even third party risk
28:08
, things like that , that are just some of the just
28:10
basic blocking and tackling kind of stuff
28:12
. The scarcity
28:14
in some cases I mean it'd be great if we had a blank
28:17
check and we could do trillions of dollars and
28:19
you know that's fantastic . But
28:22
on the other hand , it forces us to really
28:24
think about what are the most important
28:26
key controls for anybody to get in place
28:28
. And some of it's free , like patching right , like
28:30
I mean , patching is not something that costs a
28:32
lot of money . You may need to buy some products to help
28:34
facilitate it if you have a big environment , but
28:37
most municipalities aren't huge
28:39
. Especially in Connecticut there's 169
28:41
towns . Some are bigger than others
28:43
, for sure , but you know most
28:45
of them are not going to have to buy . You know enterprise
28:48
class tools to do patching and stuff like
28:50
that , but patching is free .
28:51
Yeah , yeah , and and yeah , it
28:53
makes a huge difference and uh , yeah , and it's
28:56
right there waiting for you . So , um , yeah
28:58
, so um . So I . But last couple of weeks
29:00
I've been talking to quite a few guests in the industrial
29:02
control system and infrastructure security sectors
29:04
, so I feel like local and state government has
29:06
been sort of partly in the conversation
29:08
. But from your perspective , like
29:10
what are the state , specific cyber
29:13
attacks and challenges that you're facing right now , are
29:15
there problems for the state that are front and center
29:17
in your mind at this point ?
29:18
Yeah , I think the big ones are kind of the
29:20
, I guess , fairly obvious . You know
29:23
, we have obviously nation state attackers
29:25
. It's an election year , so I mean I think those
29:27
kind of things come into play . You
29:30
know , a lot of it is really about like , how
29:32
are we going to , you know , protect our networks
29:34
? We own a lot of different kind of things . Connecticut
29:36
owns a power plant , things like that . I mean we have
29:38
to , you know , really be able to think about what
29:40
are we using , where are we using it , what
29:43
could cause a lot of harm if
29:46
something were to happen , and where would the
29:48
most impact be ? And
29:55
that's sort of , while a lot of people complain about , you know , sort of the scarcity of resources
29:57
, that scarcity makes you really think about what's the most important things
29:59
.
29:59
Oh yeah .
30:00
And I think it's actually a good discipline
30:03
. I mean , I think in financial services , you know , we have
30:05
people . We could hire people to go police
30:07
spreadsheets in the business , like that
30:09
. I mean you can throw a lot of people a lot of money
30:11
at it , but I mean , that's not what we need
30:13
, right , like we need to be able to make sure that we have
30:15
the basics in place and
30:18
that we have enough people to get those basics done
30:20
. You know , and for the first time we have
30:22
more visibility now . We didn't even have that visibility
30:25
four years ago of what's out
30:27
there . We didn't
30:29
have the right tools in place and a lot
30:31
of it was just communication . I think we
30:33
touched on communication being important
30:35
. I don't think it had ever really
30:38
been framed on , like did you realize
30:40
that we can't see all of our vulnerabilities
30:42
because we don't have the right tools in place
30:44
? When it's put in very simple English
30:46
like that , suddenly we got funding , we
30:48
got everybody's attention and we started making
30:51
a lot of progress in not
30:53
that much time . We've moved the needle quite a bit
30:55
over the last four years .
30:57
Yeah , there's those communication skills coming to the forefront
30:59
. You got to make your case . So
31:02
, yeah , I've talked with guests who are tasked
31:04
with like K-12 school district security
31:06
and higher ed security . Do you see common
31:09
attack vectors and targets when looking at things
31:11
from a state level ? Is it like these kinds
31:13
of things mostly phishing and social engineering , leading
31:15
to ransomware , or are there other
31:17
elements in the mix ? Are people like really sort
31:19
of like brute forcing into you know networks , or
31:22
where is it coming from ?
31:28
You know , it's interesting . I think in the very early days of information
31:30
security , we were worried primarily about some very technical attackers
31:32
and some very sophisticated threats . Now
31:36
, especially in the age of AI , right , I mean , it's
31:38
like you know , now the bar has been dramatically
31:40
lowered for everybody . So that's unfortunately
31:43
for attackers , but also for defenders I
31:47
see that email is still probably
31:49
our number one threat vector
31:51
. Just because everybody has email . Everyone
31:55
knows how to use email . Phishing
31:58
works right Like I don't need everyone to
32:00
click on it , I need someone to click on it . Unfortunately
32:03
, that's a pretty easy game to win and
32:05
a very difficult game to defend on
32:08
. We're
32:10
also seeing people are getting more clever . We
32:14
have some really great email controls in place
32:16
right now , and we're going to start sending SMS
32:18
messages or Discord messages , any
32:21
number of different things coming from there . The one
32:23
thing I would maybe add to that list , though , is
32:25
third party security risk
32:27
, and I file that under
32:30
their breach your problem
32:32
. So we've had
32:34
several incidents like that , where
32:36
we've had a third party . They
32:39
suffer a ransomware attack , and then we
32:41
scramble to say like hey , who is this
32:43
third party ? Do we use them ? What do
32:45
we use them for ? We
32:47
had an instance at one point
32:49
where there was a payment processor who had been
32:51
compromised and we had to
32:53
start really thinking about , like , if we can't
32:55
get these checks out , this is needy families . This
32:58
is , this is a very big problem for us . And
33:00
it wasn't because of anything we did right
33:02
, it was our third party . So I would definitely
33:05
keep third party risk on that list as
33:07
well , because it's the one that always seems to surprise
33:09
people .
33:10
Yeah , yeah , and yeah , I mean ultimately it's
33:12
. You know , assigning
33:15
blame is always the hardest part anyway
33:17
and doesn't generally help
33:19
very much . But yeah , I mean . Well , you
33:21
know , everyone has email and everyone clicks and a lot
33:23
of people check their email when they're tired
33:25
or not thinking closely . But , as someone charged with the
33:27
online security for the state
33:30
of Connecticut , Jeff , what part does security awareness learning
33:32
and training play in the process ? I mean , some of
33:34
our guests claim security awareness training is insufficient
33:36
or done wrong , or others say
33:39
it's the best way forward . But do you have any thoughts on that ?
33:41
Yeah , you know , I actually unfortunately
33:43
know a few CISOs who think that awareness
33:45
is a waste of time , and
33:48
I'll respectfully disagree with that completely
33:50
. The challenge
33:52
is , and just because awareness and
33:54
training isn't perfect doesn't
33:56
mean that it's not important . So
33:59
, as an example , we do self-phishing
34:02
exercises . We do , you know . I'll give you an example
34:04
. We were in a tabletop . This was outside of the state . This
34:06
was a previous company . We
34:08
were in a tabletop exercise and this
34:10
business actually had what they call a BISO
34:13
or a Dedicated Business Information Security
34:15
Officer . So this is like the business's
34:17
IT security person . We're
34:20
sitting in a tabletop all day long and nobody's
34:23
engaged the BISO , nobody's talked to him at all
34:25
, in fact . I mean , it just was really puzzling
34:27
and we're sitting there trying to understand it and it
34:29
turns out that the business didn't know that they had
34:31
a BISO , they didn't know how to report
34:33
a security incident and it was like wow
34:36
, I can't buy a tool to scan
34:38
for that I can't do that I have
34:40
to actually get out there and . I have to be able to
34:42
do some awareness activity and it's like
34:44
hey , if you don't remember one
34:46
single thing from today , please remember how
34:48
to report a security incident when you see one .
34:51
Yeah , no , I was going to say that's a whole other
34:53
level of asset detection . We talk a lot about asset
34:55
detection out here , but if you don't even know your human
34:58
assets , boy , you're in for a hard
35:01
road to hoe .
35:03
I think , at the end of the day , you can't expect people to
35:05
do the right thing if they don't know what the right thing
35:07
is . That's where training and
35:09
awareness comes into play , and that's why I think it's
35:12
a key component . You can't just
35:14
say like , well , we're not going to do that now . That
35:16
said , I think a lot of people check the box and they buy
35:18
these computer-based training and it's like
35:20
oh , here's a half hour worth of training for you
35:22
and people are just they cringe , it's like I'm busy
35:24
, I don't really want to do this . Get something
35:27
more engaging . If you have to get out there in person
35:29
, go out there in person . Show them a demo of here's
35:31
how people get in . There's
35:33
more engaging and shorter types of
35:35
training and awareness . We had
35:38
, I think , a not fit for purpose training
35:40
tool before , and it was a high priority for us to replace
35:44
that tool with something that people could actually kind
35:47
of stomach and digest a little bit better , as well
35:49
as one that just had a better phishing component
35:51
to it , because , again , phishing is just so prominent
35:53
that it's like you can't stick with a
35:55
tool that's not doing anti-phishing correctly
35:58
.
35:58
Yeah , yeah , and you know it
36:07
is that it is easy to get into that kind of all or nothing mentality because , like you
36:09
said , it only takes one person clicking to like make a big problem but at the same time
36:11
, that you get less of that one person when , like , a larger portion of your workforce
36:13
understands , like what they're not supposed
36:15
to do , like you know , you get a lot less errant clicks
36:17
that way . And also , I would love to see in
36:20
security awareness programs just a little
36:22
more discussion around what you
36:24
said knowing how to report something
36:26
when it goes wrong , and also just telling
36:29
people like it's okay . You know what I mean ? It's not okay
36:31
, but it's like don't , don't panic
36:33
, don't hide this , don't pretend
36:35
like it didn't happen
36:38
, don't think it's going to go away . Like you
36:40
know , this is , there is an actual you know . I
36:42
think you're right . I think there's really a big
36:45
lack of understanding , like
36:47
if something really did , you know , hit the fan , like
36:49
what ? What do you do next ? And and realizing
36:51
that , like keeping a calm head is going to be a lot
36:53
more beneficial .
36:56
That hits another interesting point too , which
36:58
is that sometimes these programs are done a little
37:00
bit too punitive , especially anti-phishing
37:02
programs . So I send you a fake phish , you click on
37:04
it and we're going to come down on you like a ton
37:06
of bricks , like
37:11
why did you do that ? For you know that's a bad day at work , right ? So
37:13
what can happen is that you know people feel like , well
37:15
, I'm stupid , I didn't mean to do that
37:17
, I don't want to get in trouble
37:19
again . I mean , you know , when these programs are
37:21
overly punitive , what happens
37:23
is that when the next phish
37:25
comes and it might be a real phish and
37:27
they click on it again by accident , it's like
37:29
they don't want to tell anyone , they're scared , they're going to get
37:31
fired and they don't tell anybody . That's
37:34
exactly the opposite of the behavior we want
37:36
. We want the behavior like the data lives
37:38
with the individuals , and if
37:40
the individuals don't know the right things
37:42
to do , we can't
37:44
be everywhere over everybody's shoulder . We have
37:46
to get people trained that here's how you protect
37:49
information , here's how you report a security
37:51
incident and some of the basics . So you know we can't
37:53
teach them everything that we know , but we want to be
37:55
able to teach them , like here's how you spot
37:57
a suspicious phish or how
37:59
do you report one , and some of just the basic
38:01
kind of stuff , I mean you can't educate
38:03
everybody on everything and some people try to do
38:06
that and it's overwhelming for somebody who
38:08
just isn't part of security . This isn't
38:10
part of their day to day .
38:12
And again going back to what you said at the beginning about
38:14
, like you know , learning to write 15
38:16
minutes a day or learning to write for five
38:18
minutes a day , or whatever like , like . Having
38:20
you know this in your head on a daily basis
38:23
, even if it's for 30 seconds , you know , is a lot
38:25
better than that one time a year where
38:27
you have to sit in two hours worth of videos and
38:29
then and then it all kind of goes away again .
38:32
Sometimes it's annual training and that's all
38:34
it is , and people just want to get
38:36
through it and they fudge on the exams
38:38
and they keep clicking buttons until it just says you're finished
38:40
.
38:41
Yeah right , exactly so
38:43
. Yeah , so I want to go back to sort of our
38:45
podcast's overall goals here . Obviously
38:48
, we're all about helping students and new cybersecurity
38:50
professionals enter the industry , and
38:52
also people who are looking to change careers later
38:54
in life , which I think also fits with what you're
38:56
talking about . Given your background or
38:58
you know backgrounds in non-tech
39:00
you know discipline . So
39:04
, for those wanting to make a mark doing this kind of work at like a state
39:06
or local level , Jeff , what are the most important
39:08
skills or experiences or types
39:10
of training or certifications or soft skills that you
39:13
think they need to actively pursue to
39:15
do this type of work well and demonstrate
39:17
their excellence ?
39:18
Yeah , one , I would say , and the most important one
39:20
is just a deep level of curiosity . I
39:22
mean , the way I learned security
39:25
was by just being so fascinated
39:27
with it and very curious . I would spend my own
39:29
money , I'd buy books , I'd buy magazines , I'd
39:31
do everything I could to just kind of get immersed
39:34
in it and just learn . I
39:37
don't think anybody was born knowing cybersecurity
39:39
. You have to learn it . And a lot of
39:41
people sit back and just say like maybe I'll get training
39:43
or my boss will come to me . It's like no , you've got
39:45
to do that yourself . I mean you can ask for training
39:47
and you want to maybe support that , but I mean you
39:50
know , in absence of that , you know what are
39:52
you doing personally . This is a great
39:54
day and age now , where I mean you can find
39:57
Harvard and MIT classes online for
39:59
free . The resources
40:01
are all out there . You can roll your
40:03
own degree to a large extent , but
40:07
without that curiosity , that spark
40:09
of hey , I want to know more about
40:11
this . You're just not going to have the engagement
40:14
. This is a funny industry where you
40:16
may spend a lot of time learning something
40:18
and have to throw it all away because this has
40:20
changed and this is new and you're going to have
40:23
to learn new things . Lifelong
40:25
learning is definitely something we look for
40:27
in our hires as
40:29
our soft skills , and I think that that's an important
40:31
one . In fact , I think it's so important that both of
40:33
my books kind of touch on
40:36
the soft skills component , because you
40:38
can't really especially if you want to be a leader
40:40
you can't do that in a vacuum . You're
40:42
going to have to work with peers , you're going to have to work with
40:44
people who maybe don't support you
40:47
know the well we're trying to get all this security
40:49
stuff done , but we have our job to do and this
40:51
stuff gets in our way and you're going to have to be able to
40:53
work with them and help them understand
40:55
. Why is this important and how can I help
40:57
you get this done ? Those are important
41:00
, important soft skills . Working on a team also
41:03
very important . I mean , we can't even a star
41:05
performer . You can't have a star performer come
41:07
in and all it's doing is dragging everybody
41:10
else down . You need a fully functioning
41:12
team and that means teamwork . That means being
41:14
able to work with other people and
41:16
being able to communicate , because that's how we work with
41:19
other people is by communicating .
41:21
Yeah , I mean , I feel like it's pretty easy to explain
41:23
to someone like how to get better
41:25
at tech skills . Do you have any
41:27
advice in terms of you know , because
41:29
it's one thing to lead a team but it's another
41:31
thing to get better at learning how to lead a team
41:34
via communication Do you have any like advice
41:36
in sort of like taking an active role in
41:38
doing that , rather than just kind of clocking
41:40
hours ?
41:41
You know that's a great question . When
41:43
I wrote Leading the Digital Workforce , that
41:46
book was a very interesting journey
41:48
for me because I mean , if you think you're going to
41:50
learn a lot from reading
41:52
a book , try writing one .
41:55
You know and you really do learn a lot from that .
41:57
But one of the things I would say is that you
41:59
know , just being able to you know
42:01
, kind of focus on the right things , being
42:03
able to just not
42:06
only learn right . I mean , here's
42:08
a good question why isn't there a management
42:10
certification ? Why can't I be a certified manager
42:12
of this , that or the other thing ?
42:14
Exactly .
42:14
Yeah , aside from certifying .
42:16
MBAs , I guess Security manager , CISM
42:18
, but it's not really like .
42:20
oh , if I have CISM , I
42:23
should be able to be a manager of people . It's like , well , not really . You now
42:25
possibly know about management
42:28
, but not how to manage . And
42:30
it's not really until you take those skills
42:32
. You know what does
42:34
Mike Tyson say ? He used to have a great quote
42:36
of you know , everybody has a plan until they get punched
42:38
in the face . Right
42:44
, you know , and it's true . You know , I can learn about management . I can learn how to give feedback
42:46
and then , if that feedback is like well , unfortunately the business
42:48
is bad , we're going to have to let you go or your
42:50
salary is being cut because , you know , times
42:52
are hard at the firm . Those
42:54
are really hard conversations and you're
42:57
just not going to be able to read a book
42:59
and do that . Right , it takes practice
43:01
, it takes failure , it takes uh . I
43:04
have a saying in the book there is no failure , there's
43:06
results , right , like I mean , if you do something
43:09
and you get the results you didn't expect , it's
43:11
not failure , it's just how do you ? How are you going to
43:13
change your approach next time ? So some of this
43:15
is really just getting out there in the field
43:17
and just trying to do it and and
43:19
and iterating and learning from it , and unfortunately
43:22
, some people never learn from it . They just do it , they do it
43:24
badly and they don't get any better at it . The
43:27
best of us are ones out there who look
43:29
for opportunities to grow Like . I'll
43:31
give you a couple examples . I used to take on
43:34
just about anything that would help me grow . I mean , I
43:36
took on business fraud at AIG , I
43:38
took on the privacy
43:41
at BNY Mellon and
43:43
things that are kind of similar that helped
43:45
me grow personally and also
43:47
give me more practice working with diverse
43:49
sets of people that are not always just
43:52
cyber people . Cyber people love talking to each
43:54
other , but when they get out into
43:56
the business and they start talking to the business leaders
43:58
, they don't know what to say , and
44:01
they don't understand what they're saying either . So I mean a lot
44:03
of us end up in the boardroom and
44:05
even big time CISOs , that big
44:08
time financial institutions , some of them feel like
44:10
imposters and you go into the board of directors
44:12
some of these guys are ex-CEOs
44:14
, CFOs , you suddenly feel
44:16
a little bit out of place . And you should
44:18
, but those are the kind of experiences
44:20
that grow you as an individual and
44:23
the ones that really help you keep going
44:25
. You know , and again , you don't stay
44:27
in this business 30 years by staying stagnant
44:29
.
44:30
Yeah , yeah . Now , going
44:32
to your position here , can you talk about your favorite parts
44:34
of the work that you do ? Are there any aspects
44:37
of what you do that makes you excited to keep pushing
44:39
and learning ? I mean , you seem like you're made
44:41
out of 98 percent enthusiasm and 2%
44:44
water anyway , but uh , uh , you know
44:46
, like what , what , what , what are your favorite parts of this ? Like
44:48
what , what ? What's made it worth it to hit this particular
44:50
spot ?
44:51
I love making a difference . I think that's that's
44:53
probably the key one . In fact , there was a big shift
44:55
in my career where , uh , I I've
44:57
been through interviews myself where it's
44:59
like , you know , things didn't go very well and
45:02
it was because I was so busy , focused on me and
45:04
look at what I've done and instead of
45:07
listening and hearing like , what's , what are your problems
45:09
, how can I help you , you
45:11
know , really being able to shift things around so
45:13
that that you know nobody wants to hire you because
45:15
you're just a superstar . They want to hire you to
45:17
fix their problems . You
45:20
know , and the more that you can focus on here's
45:24
how I can come in and help you fix your problems . That's a great connection . People
45:26
totally get that and every who doesn't want
45:28
to hire that person , right ?
45:29
Yeah , yeah , yeah , no , absolutely . I mean , you
45:31
know , you always hear the sell me a pencil thing
45:34
for salespeople and no one ever thinks to ask what
45:36
do you need in a pencil ? They just start start talking
45:38
about the color or the shape or the one you know
45:38
. So , yeah , that's , that's all excellent advice . So you said
45:47
that it's not as big a part of your job , but for listeners who might
45:49
be citizens of Connecticut or you know states
45:51
in general , are there resources available to citizens
45:53
that they should know about to improve their
45:55
cyber hygiene that they might not know about now ?
45:57
Yeah , there , sure are . I mean , I would . I would
45:59
always start with some of the . Some of our federal
46:01
partners spend an awful lot of time on this , and
46:04
that might be the Cybersecurity
46:06
and Infrastructure Security Agency , CISA
46:08
. You could
46:10
also go to StaySafeOnline , which I think
46:12
is just StaySafeOnline.org , all
46:14
one word . Well
46:16
, org is the other word , right , right . But
46:20
yeah , those are , I think , great places to go
46:22
for Connecticut . We do have some
46:24
material on ct.gov , but we
46:26
are in the midst of trying to expand
46:28
that a lot more . That's , unfortunately
46:31
, one of those kinds of things that you just don't have as
46:33
much time as you would like to see , but
46:35
we also do in
46:37
the state of Connecticut . For companies in Connecticut
46:39
who signed a nondisclosure agreement , we have
46:41
monthly calls . We have a lot of that kind
46:44
of outreach and that's been in place for a long time
46:46
, where we partner
46:48
with our water utilities , as an example , and our
46:51
energy utilities and stuff like that , where
46:53
we're making sure that they hear
46:55
what's going on out there , that they know
46:57
that maybe there's a big vulnerability that's in
46:59
the wild . We do threat reports and
47:01
updates like that , not
47:03
as much down to the citizen level , and I think we need
47:06
to get there , but that we're not
47:08
really resourced to do that right now . So I
47:10
think you know we're certainly hopeful
47:12
that more federal grants will be coming our way
47:14
and that we'll be able to funnel some of that
47:16
money all the way down to individual citizens
47:18
, because at the end of the day , that's what we're
47:21
here for . State government exists for its
47:23
citizens .
47:24
Yeah , yeah , absolutely so . As we wrap
47:26
up today , Jeffrey , I mean , this is definitely an
47:28
area that I know that you think about as a multiple
47:31
author , but can you tell our listeners like the best
47:33
piece of career advice you have ever received ?
47:35
Yeah , you know I'm going
47:38
to actually share some anti-career advice
47:40
that I got , but it had a big
47:42
influence on me .
47:43
Beneficial yeah .
47:44
I think it's important . But , um , you know , when I was
47:46
a kid , I had some , some , some struggles , uh
47:48
learning uh , just due to various health
47:50
conditions , things like that . Um
47:53
, and then some of those headwinds went away . But
47:55
I mean , at one point I had a guidance counselor
47:57
and no disrespect to guidance counselors , I'm sure some
47:59
of them are fantastic , mine was not and
48:04
I was sort of told you know , maybe some people aren't
48:06
really cut out for college , you
48:08
know . And then later , I have a master's . I have about
48:10
five , six , seven industry certifications
48:13
. Obviously , it sort of lit a fire under me
48:15
that never went out . So my advice would
48:17
be get your
48:20
fire , get your spark from wherever you can
48:22
get it . Um , if everybody's giving you
48:24
negative energy , turn it around , turn it
48:26
into something positive . But I I think
48:28
that had a big influence on me .
48:29
It's like , you know what , I'm gonna show you . Yeah
48:32
, yeah , no , I was gonna say that that I
48:34
like that that's the sort of the capper to all this , because it
48:36
I feel like we've been sort of almost
48:39
saying that several times during this interview of like
48:41
, uh , of this discussion is like
48:43
it's up to you to sort of find your own sort
48:45
of energy source and it's up to you to find your own
48:48
enthusiasm and your own sort of forward
48:50
momentum . So that's , I think that's great . Yeah
48:52
, absolutely .
48:53
And it's something that's really important . I mean
48:55
, your mindset is so important
48:57
and we hardly ever talk about it . Um
48:59
, but I'll . I'll give you a quick story when
49:07
I was going to Merrill Lynch . I was candidate
49:09
number four out of the top three , so in other words , I was
49:11
out . One of those candidates got another job
49:13
, so they suddenly I became number three
49:15
and I think I was sort of a distant number three
49:18
and the recruiter actually talked
49:20
to me and he said Jeff , you know what ? You can definitely
49:22
do this job , but you're going in like you can't
49:24
and it's showing . Go in there
49:26
more confident . And one of the things I learned
49:28
was I went in a lot more confident and we
49:30
started talking about the role and
49:32
, like many companies , the job description
49:35
was so just out of whack and wrong
49:37
and I mean it was like oh yeah , you would never do this . AT&T
49:40
manages that . I mean , it's just stuff . That was like
49:42
. You know , I'm like , look , full disclosure . I don't really
49:44
understand this , that and the other thing on the description
49:46
. Don't get hung up on the description . Go talk
49:48
to them , see what they need , see what they want . They wanted
49:51
to talk to me for a reason and
49:53
I almost knocked myself out of the running because my
49:55
mindset was wrong .
49:57
Interesting . Yeah , boy , that's also very good advice
49:59
. So you've already given us
50:01
a lot about you know what you do
50:04
with the state of Connecticut , so let's just sort of wrap
50:06
this up . One last question here : If
50:08
our listeners want to learn more about you , Jeffrey Brown
50:10
, and the books that you've written , but also the work you do
50:12
with the state of Connecticut like where should they look
50:14
online for your stuff ?
50:16
Yeah , great . I mean I'm certainly pretty
50:18
active on LinkedIn , of
50:24
course that's unfortunately an embarrassment of Jeff Browns in
50:26
cybersecurity . So I am at /in/
50:29
Jeffrey W Brown
50:31
, I believe , on LinkedIn . If
50:33
you can't find me there , you can certainly find me at
50:36
. A lot of my books are sort of highlighted at
50:38
digital-leadership.com , and that's
50:40
with a hyphen , digital-leadership.com
50:42
.
50:43
Got it . That's awesome . Well , Jeffrey , thank you so much
50:45
for joining me today . This was an absolute
50:47
blast , and I know our listeners got a lot out of it as
50:49
well , so thank you .
50:50
Love it . Absolutely , and thanks for inviting me .
50:53
And , as always , thank you to everyone who watches , listens
50:55
and writes into the podcast with feedback
50:57
. If you have any topics you'd like us to cover or guests
50:59
you'd like to see on the show , drop them in the comments below , as
51:02
usual . Before we go , don't forget infosecinstitute.com
51:04
/free for a whole bunch of free and exclusive
51:07
stuff for Cyber Work listeners . Speaking of
51:09
Cyber Security Awareness
51:11
Training . Learn about our new Security Awareness
51:13
Training series , Work Bytes , which is a smartly scripted
51:15
and hilariously acted set of videos in which
51:17
a very strange office staffed by a pirate , a
51:19
zombie , an alien , a fairy princess , a vampire
51:22
and others navigate their way through age-old struggles
51:24
of yore , whether it's not clicking on the treasure
51:26
map someone just emailed you , making sure your
51:28
nocturnal vampiric accounting work at the hotel
51:30
is VPN secured or realizing that
51:32
, even if you have a face as recognizable as
51:35
the office's terrifying IT guy Boneslicer
51:37
, we still can't buzz you in without your key card . Anyway
51:40
, go to the site and check out the trailer . infosecinstitute.com
51:48
/free is still your best place to go for your free cybersecurity talent development ebook
51:50
. We still download a lot of those every single week , so go check it out . You'll find our in-depth training plans for strategies
51:52
for the 12 most common security roles , including
51:55
SOC analyst , pen tester , cloud security
51:57
engineer , information risk analyst , privacy manager
51:59
, secure coder , ICS professional and
52:01
more . One last time : infosecinstitute.com
52:04
/free , and the link , as always , is in the
52:06
description below . One last time . Thank
52:08
you so much to Jeffrey Brown
52:10
and the state of Connecticut and
52:15
thank you all for watching and listening and
52:17
until next week . This is Chris Sienko
52:19
signing off , saying happy learning .