Clifford Stokes Jr., Chief Information Security Officer (CISO) of Florida A&M University, has his cybersecurity strategy all mapped out. He sits down with his supervisor and produces a three-year plan, a two-year plan, a one-year plan. And then he takes the strategy and breaks it down into components and targets.
He plans his day equally meticulously. He tries to maintain a schedule, preparing himself to work on tasks toward objectives he has set earlier.
But he always makes room for surprises.
He knows the pattern more or less by now. Plans for a quiet morning working on policy, for instance, could be thwarted by a full day’s preoccupation with a security incident.
“In cybersecurity there is no such thing as a typical day,” he says. “You never really know what you are going to walk into.”
An early spark
Stokes’ parents got him an Apple IIe computer when he was in middle school. He liked it and learned as much as he could about how to make the machine do the things he wanted.
What he liked even more, however, was trying to revive the computer when it was hit by a power surge. “I remember my dad coming in and working on one of the circuit boards. That really sparked my interest.”
He became so interested that he took a programming class in high school and worked toward a degree in computer information systems in college.
“IT is what I have always wanted to do,” he says.
A CISO in evolution
Stokes started his career in the Office of Information Technology as a Distributed Computer Systems Analyst, doing IT work for the Department of Corrections – a job he enjoyed. He then went on to investigate computer crimes for the Florida Department of Law Enforcement. “That was where my drive for information security took off.”
His current role at the university is a tinge more challenging. “We protect all sorts of information: Business, personnel, student, research.” And yet, despite the need to secure information, an educational institution is fundamentally designed to be open, to allow students to research and basically dabble in many things.
He also has to make the people in his organization understand that technology controls are not there to hinder them or slow them down. Instead, they are there to maintain the safety of the information.
It’s a tricky balancing act, and the role of the CISO as communicator cannot be overstated.
“With anything that is related to technology, you have to be adaptable,” Stokes says.
“You have to welcome change…but some people can be quite resistant to change.”
Helping people overcome this resistance is neither fast nor easy. “You have to listen to people; understand what they are trying to accomplish from a business perspective. And then, you work from that end to incorporate your security standards, your methodology/controls, into what they are trying to accomplish.”
Stokes enjoys that part of the job where he tailors his cybersecurity message to highlight how it can benefit the people he is talking to – how it is appropriate to them and their role.
Simply walking through the door and announcing: “Hey, you gotta turn these controls on now!” is just not going to work.
“I try to make them see that I am working to improve business processes overall. Once they understand that, then they become receptive to what I am there to do.”
The bigger picture
Whether he is talking to other departments in the organization or to members of the leadership team, Stokes applies the same two-way, open, people-centric approach. “Members of the management are people, too, and you have to meet people where they are and with what they understand,” he says. “For example, one executive could be into the metrics and would want to see numbers and figures. That’s what you give them.”
To be an effective communicator to top management means evaluating what your leadership looks like and what they understand, react to and respond to.
More with less
The second quality that makes a good CISO is the ability to see the big picture. “You have to be able to understand the overall mission of your organization.”
Leaders would naturally be concerned with keeping costs down – especially when the organization does not enjoy a hefty budget. “When your finances are limited every expense is looked at, thoroughly. Management is always looking at return on investment. Prioritization plays a major role in determining what security solutions you can actually invest in, versus operations. Operational expenses, those that maintain the business function from day to day, will likely be up there in terms of priority.”
So how does he make sure cybersecurity is on the agenda?
“Just try to get decision makers’ ears and get them to understand where this money is going to, and how the industry is being affected, and how this is going to keep you from landing on the front page of the paper.”
He takes a wildly pragmatic view of potential incidents, too. “You have to ask management: ‘Have we prepared our organization to respond? Because it’s not a matter of if something is going to happen. It is when it’s going to happen.’”
In preventing incidents and foreseeing trends, Stokes’ team relies heavily on threat intelligence. And it’s one thing to have access to and understand the intelligence. It’s quite another to incorporate better controls to act on that intelligence and minimize threats.
Again, it boils down to relating well with the leadership. “Bad actors are always going to go after the low-hanging fruit, end users of systems who easily fall victim to various deceptive scams. Thus, the key is to make strides in educating the user population.” To set the education in motion, a CISO needs to get management buy-in: Make them see why these things are important, why they need to invest in training.
The next generation
Between work and family – a wife, an 11-year-old daughter and an eight-year-old son – Stokes does not get to have much free time. Still, he works hard at it. “Spending time with the family is very important to me, whether you’re just sitting around in the backyard, watching a movie or even doing homework.”
He also credits his wife for supporting and pushing him to be the best he can be. “I’m just trying to make the world a better place for when my kids step into.”
He would encourage his kids to pursue careers in STEM, but even if their passions drive them elsewhere, he would still be supportive. That will be the energy that sparks them. “I always tell them, if you find work that you love, then you’re never going to work a day in your life.” He certainly speaks from experience. “I see myself in cybersecurity for a long, long time. I just love this stuff!”
Still, he recognizes that there are never enough resources in the industry. “We have to invest in the next group of workers. Look within your own organizations. There are many who want to learn more and do more,” Stokes says.
He has this to say to younger people thinking of pursuing cybersecurity as a career. “It’s interesting work. That’s what I like about it the most – there is always something going on.”
Indeed, there are plenty of surprises in the field, and things don’t usually turn out how you plan. It is precisely in this environment that Stokes thrives.
“Surprises are a learning moment, a challenge. They are an opportunity for you to test out your methods, skills. You learn what works, and what doesn’t work. Seeing things from this learning perspective makes every day valuable.”