Passion for growing cyber talent, risk-based transformative decision making and alignment to business outcomes as well as customer mission are three traits successful Chief Information Security Officers (CISOs) must possess. LaLisha Hurt embodies these traits, and over the course of her varied career she has held progressive roles as a regulatory examiner, auditor, consultant, IT risk leader and now Deputy Chief Information Security Officer for General Dynamics Information Technology (GDIT). GDIT employs over 30K dedicated employees and provides strategy, technology and mission services to some of the most complex government, defense and intelligence initiatives across the country.
At GDIT, Hurt provides cyber leadership, strategy and trusted advisory support to internal partners to ensure cybersecurity is interwoven into the fabric of business operations. She is also responsible for leading the cyber managed security services (MSS) practice within Technology Shared Services for internal and external customers across federal civilian, defense and intelligence sectors. These MSS include security operations center, threat intelligence, governance, risk and compliance and supply chain security capabilities that are fused together and offered out of GDIT’s Integrated Technology Center in Bossier City, LA.
Hurt’s role is rather unique in the industry and she has prepared herself for this moment with a diverse mix of both experience and education. She has an engineering degree, a Master of Business Administration and a Master’s degree in Information Assurance, along with numerous certifications. This background allows her to communicate and influence across a variety of domains, be it associated with technical IT issues, business needs, or cybersecurity.
Strategy and Business Requirements Drive Cybersecurity
For today’s cyber landscape, Hurt believes it is essential that the security management team partners with business leaders to drive risk-based decisions and outcomes aligned to the mission. Hurt believes, “There is an evolution within the CISO role and it has changed over the past decade. The new and evolving challenges we face today require decisions be made jointly with our customers and business stakeholders, alike. Not just around technology and cyber operations but also addressing critical areas such as workforce demand management, service-delivery, and business enablement.”
CISOs are becoming trusted executive risk advisors and strategic partners who work to align security needs with the corporate vision and business mission. Hurt has adopted this approach and works to advocate this mindset at every opportunity through culture building within her organization. She points out that while alignment to the strategy and mission is important, building the partnerships and motivating teams to work together to deliver is equally important. “To be a strong leader requires us to constantly build trusted relationships, communicate with empathy and influence others to drive the business outcomes needed for our customers,” she said.
Cyber Everywhere Mindset
In an interconnected world, cyber should be embedded everywhere in all that we do. It’s a mindset that Hurt has adopted as she drives key cyber initiatives, including Cybersecurity Maturity Model Certification (CMMC). The CMMC is a unified cybersecurity standard required for Department of Defense (DoD) acquisitions that combines standards, best practices and control processes across defined maturity levels. CMMC is a DoD certification process that measures a company’s ability to protect federal contract information and controlled unclassified information while servicing its customers.
In addition to CMMC business alignment, Hurt and team are also scaling and growing their 24/7/365 SOC, governance, risk and compliance and cyber fusion center capabilities, which are in alignment with the most recent Cyber Executive Order that was announced May 12th. GDIT is combining threat intelligence and defense operations into a single integrated cyber platform that promotes information sharing, enterprise-wide visibility and collaboration that can improve response times while simultaneously helping to optimize costs. Hurt points out that “adopting a cyber everywhere mindset that aligns to mission, customer needs and industry landscape is a recipe for a win-win strategy.”
Retention of Skilled Staff is Key
On the subject of the shortage of cybersecurity professionals, Hurt has been successful in attracting diverse talent, particularly in Louisiana and Virginia. She credits this to the strong strategic alliances with various universities, colleges and cyber organizations that GDIT partners with. With these partnerships, she is able to strategically focus her efforts on workforce demand management as well as retaining and growing the talent once onboarded. The key to building a high-performing team is aligning to a culture that is rooted in company values – one that allows employees to know what they do each and every day truly matters.
Hurt points out that there are many ways to encourage career development. The first step is to listen to employees’ needs and then provide them with a career journey roadmap that allows them to grow professionally. If an employee says they are interested in a technical career path, it behooves the organization to provide the training required to meet that goal. On the other hand, if someone is interested in pursuing a leadership track, that also needs to be encouraged through formal leadership programs. In all cases, providing individuals the opportunity to be exposed to different positions within the organization is a great way to keep employees engaged. “Providing them training and exposure to different areas of the business is critical to cyber staff retention. The key to retaining the talent you attract is to show them that you’re just as invested in their success as they are.”
Final Thought
When considering what traits allow people to become security professional ‘rockstars’, Hurt points out that curiosity and problem solving are the most important non-technical skills. You can teach people technical skills but curiosity is intrinsic to the person. “In cyberspace you need people who can think about a problem, challenge the status quo, identify risks, and offer recommendations for improvement. These cyber professionals are typically your strong defenders and over time, could potentially be the next CISO for your company.”