U.S. Marine Corps and SAIC CISOs Discuss the Differences Between Government and Private Industry
In this installment of SecurityWeek’s CISO Conversations series, we talk to two CISOs with a military theme: Renata Spinks, CISO at the United States Marine Corps, and Kevin Brown, CISO at SAIC. The former is ‘in’ government, (military) while the latter provides services ‘to’ government (military).
Our purpose is to discuss the similarities and differences in being a security leader inside government with being a security leader in related private enterprise.
The person and the job
It is difficult to pigeon-hole Renata Spinks. At the time we spoke, she was the acting CISO for the Marine Corps reporting to the CIO, but also the cyber-technology officer for the Marine Corps Forces Cyberspace Command – the center of the marines’ cyber operations. She had one foot in defensive cyber and one foot in offensive cyber.
Spinks is a rock-solid military lady. But she is also managing director of Rising Footsteps outside of government. “A lot of people don’t like that,” she commented. “Even within the Marine Corps legal team, they don’t like that I have a consultative company.” Partly, this illustrates a key aspect of her attitude towards cyber security: information sharing and partnering with the private sector.
“I’m all about information sharing,” she said, “and I don’t think you can do a good job, within the department of defense from a security perspective, if you don’t grow partnership with industry. There’s just so many things that we don’t know, and where we are slow to adapt.”
It’s also an escape route. “If I don’t want to stay in the military, if I want to go to private industry, I have a place that I can land very quickly, because… the bureaucracy sometimes gets the better of you. Sometimes if I’m honest, sometimes I’m like, you know what, I just want to go and do my own thing, because you guys don’t listen.”
That’s a hypothesis rather than a likelihood, because Spinks describes herself as ‘married to the mission’.
However, occasional frustration with a ‘C-Suite’ that won’t listen to its own CISO would appear to be common to both government and private industry cyber security leaders. In reality, both Spinks and Kevin Brown, current CISO at military contracting firm SAIC, are more likely to stay and fight for what they believe in.
Brown also reports to the CIO. He accepts that many CISOs question whether this is the right place for the CISO, but he believes that relationships rather than specific hierarchies are key. He hasn’t yet faced that brick wall where leadership simply refuses to do what must be done, but says, “If you’re not being heard today when everybody just understands how important cybersecurity is, you’ve probably just got to find other ways to make it work.” He doesn’t believe that moving to another firm is the solution – he believes that part of the job of CISO is to make it work.
Spinks is just as unlikely to move on easily. “I’ve had a couple of opportunities recently in private industry that I turned down. I said I’m just not ready to go yet because I’m married to the mission. I like the mission more than the money, which is definitely better in private industry. But I told them, there’s salary and there’s value. For me, the value of being within the department of defense alongside warfighters that’re just trying to make the damn radio work is a whole lot better than a product line that’s based on revenue. That’s where I am, today.”
Recruiting and retaining the security team
Gaining and retaining quality security staff is a problem for all organizations – whether government or private – but for slightly different reasons.
The skills gap
The lack of money working in government spreads to recruitment. For Spinks, the recruitment problem is more of a finance gap than a skills gap. She would like to take on ready-made experts but cannot offer a competitive salary. “I’d like to find some cloud security engineers – the ones already building technology in the cloud – because they understand the best ways to secure it. But those people are often being paid in excess of $200,000, and the government simply doesn’t have that kind of money for salaries.”
One of her alternatives is to try to catch people when they’re young, before they’re married with a family and mortgage. She hopes they can start small and young, and get bitten by the same ‘military bug’ that caught her. “I came into government right after serving with the military, and I just stayed. I like the flexibility the federal government gives me [she signed off early for our conversation]; and I like not having to jet off to different countries in an international corporation.”
In fact, Spinks paints a very rosy picture for the young cybersecurity entrée into the marines. For a start, there’s flexibility in which hours you work. “Nobody’s micromanaging and hovering over you,” she said. “And you get to use all the facilities of the base – the gyms and swimming pools. You have the ability to travel to different bases – I recently visited San Diego – and almost all of them are by the sea with different beaches, because, well, we’re the marines.”
The hope is that people will join young and grow to love the lifestyle and the mission and stay; just as she did. But she admits to a serious staff retention problem because of the pay. “I had a technician a couple of months ago, who came to me and said, ‘Microsoft offered me $210,000.’ I can’t compete with that! I’m kind of upset because I sent him to the engineering course and I made him become an expert in Microsoft products, and now he’s going to go work for them. It’s unfortunate but it’s just the reality of working in government.”
Her solution is to double down on her information sharing and partnership principles. “We have to partner with industry so that if we don’t have personnel internally, at least we are partnering with industry and still getting that expertise through either contractual means, memorandums of understandings, or memorandums of agreement –you would be surprised how much industry just wants to help out the government.” Being able to cite the government as a partner or customer carries a lot of commercial kudos.
SAIC’s Kevin Brown has more traditional recruitment problems. In private industry, he’s not so hamstrung over salaries, but still has difficulty finding the bodies. When he’s contracting to government, he can’t just put forward a trainee. “Everybody’s looking for the same type of talent in some honestly niche areas, such as identity and access management and cloud security. It’s a real challenge to find and retain genuine cyber security talent.”
Where specific qualifications are not required, Brown looks for a passion in and a commitment for cybersecurity. “We can do on the job training. We can do formal training. I wouldn’t say we take anybody, I always ask, ‘Do you really want to be in cyber security? Is that your passion?’”
For Brown, candidates don’t necessarily need direct cyber security experience, nor even work for a cyber security company. Security is embedded in so many functions within business that there are areas in which to seek – or from which to poach – new staff, possibly from other companies. DevOps is an example. “Security has to be embedded with DevOps. So, we can help with the concept of security by design, and then we can help train the engineer to do better security.”
There is one area where SAIC’s cyber staff recruitment is more difficult than for other private industries. Since it is a government contractor there are certain restrictions on who can be employed. “It could be that we require employees to have certain levels of security clearances. And depending on the nature of the work, we may be limited to employing only U.S. citizens.” Security clearance and nationality requirements simply make the skills gap even wider.
Diversity in the security team
Diversity in recruitment is important everywhere — but perhaps nowhere more than the security team. “When building a team, we seek both specific competencies and a cohesive range of personalities,” said Brown. “I think a good spread of diversity within teams is critical — a mix of technical skills with business skills. You don’t want everybody in a team to be exactly like everyone else because you’d just get too focused on one area and not see the bigger picture.”
For Spinks, diversity (especially in gender) is deep rooted. For example, she has two responses to there being a higher proportion of women CISOs than women security engineers – the first is almost spiritual and the second practical. God first created ‘man’ and then he created ‘woman’. “From the beginning of time,” she said, “the universe always knew that guy needs a little help, and that help can only come from a woman.”
The second reason is less philosophical. “We’re the ones who bear children and are most often the nurturers, the ones carrying the household and keeping things afloat. Women are forced to be versatile and see things from a different perspective.” It’s that ability and training to see different perspectives that makes women good security leaders. “It’s not a guys are better than girls or girls are better than guys situation,” she continued, “it’s just the different perspective that girls can bring to the table.”
She gave an example. “I’m usually the only girl in the room,” she said. “I don’t have great ‘a-ha!’ moments, but I often think and say, ‘why do you want to do it like that? I would have done it like this?’ And the guy looks at me and says, ‘Hell dang! I didn’t think of that’.” For Spinks, it’s all about the ability to bring a new perspective to the issue. “Security has been so male-dominated for so many years that we’ve developed a particular way of doing things. It’s when you introduce different perspectives that you shake things up and make things change for the better.”
Diversity in security teams, whether it’s gender diversity, cultural diversity, neurodiversity or any other diversity, brings a different perspective on how to solve cyber security problems.
Best advice ever received
People who get to the top often receive good advice along the way. We asked Renata Spinks what was the best advice she’d ever been given. In a nutshell, it was ‘stay grounded and don’t look for accolades’.
“You’re not here for praise, you’re here for the mission,” I was told. “If I got nervous over the next step and got worried I’d mess up, I was told to relax, to focus, and just do what was best for the mission. So, the best advice I got was to always stay grounded, and never be driven by personal gain. Always be focused on what is the best thing to do for the mission – and if you keep your sights on that, you’re good.
“That is what I always go back to. When I’m in controversial healthy technical debates, I stay focused on the mission – and with the information I have right now, here’s the best decision. Sometimes that’s controversial, so I stay grounded, knowing I’m not doing anything for personal gain, I’m really putting the Department of Defense mission and the warfighters’ need at the forefront of my decision making.”
For Kevin Brown, his best advice was learned from a situation rather than given in words. For years, he ran a cyber security firm, totally immersed in the profit and loss side of business. But he decided he wanted to get back to being more involved with the technical side of cyber security, and moved to Boston Scientific as CISO.
“When I got there, and I started meeting with the leadership, there was palpable concern over the impact – the negative impact – cyber security may have on the business.” Having just come from a business background, Brown understood these concerns.
“I think the best advice that I had was simply acknowledging business leadership’s worry about cybersecurity,” he said. “I think as a CISO you have to be a business leader as well. In today’s world, I think that that’s just key, right? You must be proficient in cyber security, must understand the technology, understand the threats and the risks and things like that. But to be successful, you also need to be a business leader. And so, you know, it really comes down to that: be a business leader as a CISO as well as a security leader.”
Advice is a two-way street – given as well as received. Brown’s advice to emerging leaders comes in two parts. The first builds on what he personally learned: to be a successful CISO you need to be a business leader as well.
The second is to be courageous and to empower the team around you to be similarly courageous. “You must understand the parameters of the business and understand the threats that exist – and always do the right thing. It takes courage to stand up and be the person to say, ‘I understand the concerns, but these are the threats, and this is what we must do to mitigate those threats.’ If you really feel strongly about something, you must have the courage to speak up.”
Spinks’ advice is unequivocal. “A support channel,” she said. “You must get a support network; you must have people to talk to about what you’re going through – people who’ve been there and can give you great advice and empower you and keep you encouraged.”
The second part of this is to stay encouraged, to have the will to push through. “Don’t give up on your dream,” she continued. “If it’s to be a security advisor or an executive in the security ranks, or in the chief ranks, then you must be persistent. You must put in the time and increase your expertise. As long as you have a great support channel, and you reach out to the mentors that you need in this space, both male and female… I think that’s probably the best advice that I would give you – you must have that great support channel; you must build that.”
Future security threats
The final question we ask all our CISOs in this series, is ‘Where do you see the biggest threats to your environment over the next few years?”
For Spinks it is twofold. “I think our biggest threats for the next few years are already on us. The first is the supply chain – that’s a big challenge with vendors providing the military with equipment, software and services. SolarWinds was a big test of our resiliency to supply chain threats. I think that’s our biggest challenge – working with industry, being provided by industry, and making sure that things that are introduced into our environment by industry are as secure as possible. With no degradation of capability to the warfighter.”
The second threat, she continued, “lies in our ability to manage identities in a distributed workforce. We have people working from home, no longer coming into a building that is secured, and a network that is managed, by our own people. Now we have unmanaged devices, we no longer have boundaries, and access is coming from pretty much everywhere.”
For Brown, the threat is somewhat related. “I think the challenge we always have is despite how much education we do, it’s still our employee or user that provides the biggest risk. We call it the ‘insider threat’, but it’s just the uneducated user. We need to find better ways of continuous education – which, with remote working, must now include the entire family. I know there are lots of nation state actors and hacktivists out there,” he continued, “and it’s a challenge to keep up with them. But I think the biggest single impact we can have is on the user, and we really need to keep focusing on that.”
Related: Raytheon and BAE Systems CISOs on Leadership, Future Threats
Related: Princeton, Cal State and Ohio State CISOs Talk Higher Ed Cybersecurity
Related: Verizon, AT&T CISOs Talk Communications Sector Security
Related: Intel, Cisco Security Chiefs Discuss the Making of a Great CISO