Many CISOs eagerly turn to hobbies to ease the pressures that come with the job. Not Montae Brockett.
“For me, unwinding is cybersecurity,” said Brockett, the Deputy Chief Information Officer and Chief Information Security Officer for the District of Columbia’s Health Care Finance agency in Washington, DC.
“My colleague said to me the other day, ‘This isn’t work for you, is it?’ And I said no, because I love it. I eat, sleep technology every single day. It’s a rare night that I don’t pick up a cybersecurity book. I read constantly. I’m on my computer every night until 3 o’clock in the morning studying or training. And that’s because I have a goal in mind, and I’m always reminding myself that I’m not where I want to be.”
And where does he want to be?
“I want to be one of the top technologists in the United States and eventually the world,” Brockett said. “My dream is to establish a cyber security company, which I have started, and for it to be successful. And to be able to employ individuals from my community and communities that are underserved in the cybersecurity space.”
His company, Cyber Defense 3, is a boutique, woman-owned consulting firm focusing on risk reduction, compliance, governance and establishing information security programs. The goal within the next two to three years is to move into the defense and intelligence space and provide services to organizations that are on the front line defending the U.S. from threat actors, he said.
Brockett didn’t start out in cybersecurity or anything remotely related: His bachelor’s degree is in accounting. But he was bitten by the bug as a senior in college and has not looked back since.
He started out as an information system security engineer at an academic consortium, and for the past 15 years has been working in the public sector. During more than a decade at the DC Department of Human Services, he advanced from security engineer to CISO for the department’s human services programs, including cash and food assistance, overseeing cybersecurity for the entire agency.
He’s been in his current role at the DC Department of Health Care Finance for the past year.
“Being able to be in the weeds of technology innovation, understanding the program side of it, positioned me to be able to have success in an environment that’s complex in its regulations, its governance, and the importance of the services that they are delivering,” he said.
Brockett identifies three main challenges to his job: balancing customers against risk exposure for the agency; modernizing the environment; and getting buy-in for new initiatives that could have an impact on the delivery of service to customers.
The biggest innovation he is trying to introduce is leveraging technology to replace some of the manual processes in place, “to make our jobs more effective and efficient as we deliver services,” he said. “Supporting the adoption of cloud technologies will be key to positioning us with new technology and putting us in a continuous stage of innovation.”
It’s time for CISOs to stop leaning on the “users are the weakest link in the supply chain” argument, Brockett said.
“We can’t blame it on the users because we understand the environment,” he said. “We should account for the known and unknown to prevent or mitigate risk to an organization or that user.
“Our perspective has to be understanding the business operations and business process, and collaborating more effectively across the environment,” he said. “Organizational divisions often work in silos, and that actually reduces your collaborative efforts, your efficiency, and your effectiveness to deliver a successful project for your user community.”
To reduce these obstacles to collaboration, Brockett favors informal meetings to discuss creative ideas in an open format where people can comfortably communicate.
“We’re not sitting at a table with our pens and pads waiting for direction to drive the conversation,” he said. “We’re creating an environment where we all can just facilitate ideas. It’s the first step in having buy-in from your stakeholders and users of a specific project. We need to let ideas sprinkle through the entire ecosystem, because it’s through inclusion that we improve.”
Humility, Brockett said, is the most important trait a CISO can possess.
“We have the stigma of being unapproachable,” he said. “Having that sense of humility allows you to engage others more, try to be more collaborative.”
At the same time, being authoritative is also imperative because CISOs can be faced with decisions that go against their principles as security officials, he added.
“We have to be able to articulate and provide communication to senior leadership, provide the context they need with regard to requests they make,” he said.
Brockett expects to see more CISOs sitting on boards and in the C-suite “to be able to provide context on where the organization is from a risk and security management standpoint,” he said.
“Those are the things that are going to be the nuances of this role, that you will be required to be able to provide that performance-based evaluation to senior leadership so they can make decisions.”
For those entering the field, the most important thing is to take advantage of all the resources available for security practitioners, Brockett said.
“Don’t wait on anyone to provide you with the resources that you need to do what you want to do,” he said. “There is so much free training that can educate you in the various technologies that are being used throughout a lot of organizations and environments.”
“I read every single day. I buy books, I buy training platforms, and when new technologies come out I immerse myself in them. There is so much material and so many opportunities out there, including social media platforms where you can communicate with people who can drive you in the right direction.”
There are so many unfilled jobs in cybersecurity because individuals aren’t educating themselves in the new technologies and getting the skill sets that organizations need, said Brockett, who is developing a training platform for at-risk youth interested in entering technology.
“Have you ever built your own lab? When you get into interviews and they ask, ‘Why should I want you?’ if you have practical knowledge and actually built these things, then even without experience you’ve demonstrated that you can build all of these technology solutions yourself,” he said.
“You have to challenge yourself and show that you have the drive to learn. That’s one of the biggest traits that you have to have getting into the cybersecurity profession.”