In the course of a 26-year career, Garrett Smiley has ping-ponged between technology-focused and educational roles, on top of getting an infosec-related PhD. That dual focus has colored how he approaches his CISO job.
“As an educator, we are trained that if you want to be effective, you have to know how to speak to your audience. As a CISO, I have multiple audiences, and I need to speak to each of them in language they can understand, that resonates with them – same as I do with my students,” said Smiley, the chief information security officer at Serco, a contractor for the provision of government services.
“When I’m speaking to the board of directors, I’m speaking with the language of liability,” he said. “With operational executives, you tend to have conversations about the bottom line and how to achieve our mission with a reasonable risk tolerance. With legal, the center of most of our conversations is material impact – explaining to them that we won’t be eligible for a $15 billion pipeline if we don’t get externally certified as being compliant with our customer’s requirements.”
Longtime academic
Smiley’s professional experience has ranged across a wide variety of areas, including technology-related roles and operations management. He’s held just as many educational positions, doing things like curriculum development, writing books, creating training modules, and developing courses.
He’s been in academia for 22 years, and as adjunct dissertation chair at National University in Arizona, is helping doctoral candidates get their PhDs, largely in business and technology.
His biggest challenge is something he shares with most CISOs, he said.
“Our mission is generally not very well aligned with where we are organized on the org chart and where we report to,” Smiley said. “Very often, we are reporting to someone with a different mission – generally the CIO or CTO – and our messages are filtered, sometimes to mask inconvenient truths.”
“If we’re not in the room when decisions are being made, I don’t know how we can properly influence those decisions to be less risky while still allowing the organization to meet the mission,” he added. “We CISOs only have the ability to speak to who we’re allowed to speak to in the ways in which we’re allowed to speak to them. That might sound harsh, but it’s the truth. We’re still light years from where we need to be.”
Be shrewd
Because the understanding of the role and the mission of the CISO is not where it needs to be, a CISO needs to be shrewd, he cautioned.
“A lot of times we will be invited to personally take on liability and risks that no individual should ever be taking on with relation to cybersecurity protocols – especially in organizations that are not as mature,” he said, recalling how a defense contractor recently had to pay a $9 million settlement for misrepresenting its compliance with U.S. government security requirements.
“I tend to use colorful language and then say, ‘No.’ We have to be very, very, very shrewd.”
One thing Smiley and his staff are heavily focused on right now is automation.
“We’re trying to automate anything that is predictable and repeatable, and there’s quite a bit of that,” he said. “We’ve been chewing on it and we continue to chew on it and we will be doing so for years.”
Panel interviews
Another change they’ve introduced is panel interviews of would-be employees, where the candidate is scored in a variety of areas – some technical, others not – to try to get a quantitative sense of whether they would be a good fit for the team’s culture. And then the panel – basically run by the team’s leads – solicits feedback from the rest of the group.
“Since we started doing this two or three years ago, it has worked almost 100% of the time,” he said. “I’ve definitely seen the difference because now the people who are on the team pull the weight collectively. That was not the case years ago. I had superstars and I had marginals.”
Smiley has also been actively designating people with primary responsibilities and support responsibilities to help with coverage, and that has worked well, too, he said. “All these things together really helped to support the team culture,” he said.
Employers have to open their purse strings and invest more time in training people if the cybersecurity talent shortage is to ease, Smiley said.
“It costs money and time to get people up to standard where somebody else would want to poach them, and nobody wants to do the training and raise them up. Everybody wants to do the poaching,” he said.
Press in
“The other aspect of the workforce shortage is the overwhelming majority of employers that have open positions are being way too cheap,” he said. “The shortage wouldn’t be anywhere as big as it is if the problem makers would acknowledge what they’re doing.”
For those trying to get a job, “press in,” he advised.
“If you don’t have work experience yet, say you’re a student, there’s nothing stopping you from standing up your own lab, or getting familiar with tools by using trial licenses or freeware. There’s stuff out there on the internet where you can go and play in other people’s sandboxes at no cost, where you can expose yourself to tools that are commonly used.”
Other options are internships, involvement in groups that do “Capture the Flag” exercises, or getting certified, he said.
“That’s what I look for if you don’t have any work experience,” he said. “If you’re just going to school and have not made efforts beyond graduating, there’s always somebody who is making the effort and showing they want to be part of this field. So that’s who I consider. So wherever you have an opportunity to reduce your ignorance in the space, take it.”
Consolidating spend
With the cybersecurity landscape changing so quickly, a top trend Smiley sees is consolidation of technology spend.
Companies like Microsoft whose security technology was once considered a joke have invested heavily in improving their space in the security market, Smiley said. And it’s those companies that are getting serious about security and bundling technologies that are going to win the budget, he said.
“When you go to those who hold the purse strings, and especially for those organizations that aren’t currently where they need to be in their technology and security tool stacks, it’s huge to be able to say, if you get this license, you can get 20 things,” he said.
Companies like Microsoft and Cisco will continue to buy companies, and roll their technology into a bundled package, he said. “I’m actually able to get certain technologies in this environment that I wouldn’t have had a chance in hell to do before bundling and aggregating,” Smiley said.
Video gamer
As someone with a part-time job as adjunct faculty at a university, and a full-time job at Serco, Smiley doesn’t have much free time.
“With what little time that’s left over, right now, I predominantly take my kid to the water park that’s close by,” he said. “We have a wonderful water park here in this county, it’s got a lazy river and big slides and the whole thing. We go there almost every day.
“The other thing I do is play copious amounts of games on Xbox,” he added. “I like video games a lot. They’re quite mature nowadays from when I was a kid and it was Atari and Nintendo.”