San Diego CyberTECH Annual Planning Meeting Comments

The San Diego CyberTECH Annual Planning Meeting earlier today was very productive. Six hours later we created a set of activities to guide the organization going forward.

Some of the next steps for the Directors and us Advisors to the Board are to help stand up the committee for the organization’s 2016 goals and develop the strategies and tactics to manage those deliverables. This setting lets me practice my leadership and project management skills.

Also, I was appointed as a second Co-Chair for the Internet of Things Meetups throughout the coming year. It’s a great opportunity to help shape this very important element of this large CyberTECH organization.

Blog written by Don Larson, Co Chair Internet of Things (IoT) Meetups, CyberTECH.

CyberTECH to Launch 4th Incubator and Shared Workspace, NEST

On February 1, CyberTECH will launch NEST, a co-working, incubator and startup collaboration space in San Diego. Perched with amazing views overlooking downtown and the San Diego Bay, NEST is 5,000 square feet of full service co-working space with a full kitchen, gym, showers, a meditation and relaxation room, and many work options.

The new co-working space is part of CyberTECH’s 15,000 square feet network of work spaces located in the Manpower building in Bankers Hill just adjacent to downtown and Little Italy. CyberTECH’s work spaces in Manpower include a coffee shop, 4 kitchens, 3 conference rooms, 2 telephone rooms, a meditation and relationship room, a gym, 2 patios, a live music and DJ stage and many other amenities.

NEST will have 20+ reserved and non-reserved “hot” desks accessible on a daily, weekly or monthly basis. There are also numerous private offices suitable for 1 person to entire 12-person teams. “Our CyberHive and iHive co work and incubator spaces are 100% occupied, so we are opening NEST (and xHive announced late last year and currently under construction) to accommodate additional Members,” says Mohammed “Mo” Rahseparian, CyberTECH’s General Manager.

Pricing for NEST starts as low as $200 per month and private offices range from $600-$3000 per month. Membership to NEST provides access to all of CyberTECH’s incubators. CyberTECH is a global cybersecurity and Internet of Things (IoT) network ecosystem providing cybersecurity and IoT resources, strategic programs and thought leadership events across the nation. Our membership includes business and financial leaders, academic and research institutions, government and non-profit organizations.

CyberCalifornia: The Epicenter for Commercial Cybersecurity

Acknowledging the truths about cybersecurity, protecting critical infrastructure, addressing the importance of information sharing and collaboration, and developing the cyber workforce are just a few examples of the many initiatives top of mind for California’s cyber leaders. 

In a recent United States Cybersecurity Magazine article, “California Gold: Cybersecurity’s Emerging Epicenter”, members from the California Governor’s Cybersecurity Task Force and CyberCalifornia’s Advisory Board discussed current efforts that support the Golden State’s position as a beacon of leadership in cybersecurity. 

As the most populous state in the country, and home to hundreds of startups, emerging automation technologies and ever expanding critical infrastructure, California is an example where the universal need for cybersecurity takes on interesting new connotations and challenges. Many of the State’s disruptive companies are focused on the Internet of Things (IoT), leveraging the Internet to boost speed, convenience, and productivity. 

“A lot of traditional industries…have never been faced with the need to create secure devices, because their products haven’t been connected to the internet and therefore they’ve never worried about those devices being hacked,” said Darin Andersen, founder of global cybersecurity and IoT community, CyberTECH, cybersecurity consulting firm, CyberUnited, and the CyberCalifornia initiative. “It’s one thing if you get a blue screen on your computer; it’s another thing if a bad guy can maneuver your car off the road into a ditch, or hack a pacemaker.” 

As for solutions, information sharing was high on the list for the cyber experts suggesting that the best way to prevent future compromises is to provide organizations with fast, advanced, and secure frameworks to facilitate the exchange of information. 

The development of this type of exchange is the focus of the Information Sharing Subcommittee of the Task Force, “working diligently to promote cyber hygiene and situational awareness by streamlining the exchange of cybersecurity information,” said Justin Cain, Cybersecurity Coordinator for the Task Force. 

Gary Hayslip, CISO for the City of San Diego, CyberTECH Co-Chair, and member of both the Task Force and CyberCalifornia stressed that “cybersecurity is a team sport. You can either collaborate with your peers to better defend your organization or get eaten.” 

Plans for protecting the present and securing the future were discussed by several other Task Force and CyberCalifornia members including Alberto Yepez, Managing Director at Trident Capital, Oliver Rosenbloom, Co-Chair for the Cyber Task Force’s Economic Development Subcommittee, William Britton, Director of California Polytechnic University at San Luis Obispo’s Cybersecurity Center (CalPoly), and Bob Ackerman of Allegis Capital.

CyberTECH to Launch New Incubator and Shared Workspace for Emerging Technologies

This week, Gartner confirmed that 21 billion Internet of Things (IoT) devices will flood the market by 2020 and that IoT devices will encompass more than 6.4 billion connected objects in use by 2016, a 30% rise from this year. According to the Internet of Things 2015 Report released by Business Insider this month, nearly $6 trillion will be spent on IoT solutions over the next five years. The report confirmed businesses will be the leading adopter of IoT solutions with goals to lower operating costs, increase productivity and expand new markets or develop new product offerings to improve their bottom line. Governments are not far behind businesses when it comes to adopting the IoT with focus on increasing productivity, decreasing costs, and improving their citizens’ quality of life. Consumers will lag behind businesses and governments but will still invest in IoT ecosystems.

Approaching its fourth year, CyberTECH continues to lead the IoT and innovation community with plans to work with another 20-30 companies in 2016. With software-defined everything on the frontier, along with robotics, 3D printing, drones and other advancing technologies, CyberTECH will launch its third incubator and shared workspace, xHive, in February 2016.

xHive will provide a collaborative environment to drive the innovation that leads to the development of advanced new technologies including devices powering the IoT, software and app development including robotics, 3D printing and drones.

According to CyberTECH Executive Director Shirley Adams, “xHive is our fourth expansion in the Manpower building in Banker’s Hill. This will increase our floor space by 40% and add new parking space options and other new member amenities.”

Additionally, xHive has partnered with SD3D to construct a highly automated medium production 3D printing studio inside the expanded facility. There will also be a new Robotics and Drone Lab, and a full service coffee shop, shower facilities and a new second outdoor patio area will provide CyberTECH Members with exciting new workspace options.

Opening in February 2016, xHive will offer shared workspace for as little as $100/month, options for dedicated desks and/or private offices, access to conference rooms, robust connectivity, and a variety of other benefits that can be found here. Members gain priority access to mentorship and other resources including 100+ fellow cybersecurity, high tech and IoT incubator and shared workspace companies.

Interested in xHive? Contact us today to visit the new space, discuss partnership opportunities, and learn more about how you can join.

Think Nationally, Act Locally

“Technology experts believe 2016 will be remembered in years to come as the tipping point where emerging technologies like driverless cars and virtual reality finally went mainstream.” – Neil Keene, The Daily Telegraph.

Neil Keene was among the 6,000+ members of the media who observed the 2016 Consumer Electronics Show (CES), the 1,278,870 mentions of the #CES2016 hashtag and 15.2 billion total potential social media impressions from January 5-9.

With approximately 3,800 exhibitors and more than 170,000 industry professionals gathering in Las Vegas for the world’s biggest technology showcase, CES is one testament to the tens of thousands of ways that technology is changing the world as we know it.

While emerging technologies like those observed at CES are considered more “mainstream”, the reality is technology is already considered to be “everywhere”. According to the Internet World Stats, there are an estimated 3,366 million Internet users worldwide – almost 50% of the world’s population. As modern technologies like the Internet of Things (IoT) continue to flood the markets, it is becoming increasingly difficult to keep up with the evolving technology landscape and the cyber attacks that follow.

A Global Cybersecurity and Internet of Things Network, CyberTECH has made it our mission to stimulate innovation and advance the adoption of cyber, IoT and emerging technologies, locally, nationally and globally.

CyberTECH understands information sharing of best practices, trending technologies, and the latest threats is essential to individuals and businesses looking to better understand, manage and consume emerging technologies. Because technology, and cyber threats, are not confined to one location and many of the best minds in technology don’t live in one region, state or even nation, CyberTECH is expanding efforts to produce thought leadership events both locally and across the nation.

We invite you to travel with CyberTECH in 2016 as we bring together the world’s top industry experts and cyber professionals to lead discussions around emerging technologies, IoT security, privacy, innovation, the influence of policy and to provide forward thinking and actionable intelligence in an evolving, competitive marketplace.

Visit the CyberTECH Events website to learn more about our local and national efforts.

Children of Light: Riding the Insecure Internet of Things

During a middle school field trip to my hometown power utility, the Plant Manager and our tour guide for the day made a statement that stuck in my mind: “our customers are children of light and when they flip a switch, they expect light.”

The notion that we are “children of light” has served as a kind of guidepost to me about the nature of human expectation and the relationship we have to the technology that powers our daily life.

The Internet of Things (IoT) phenomenon brings convenience and new capabilities via smart devices and gadgets but at a cost; namely IoT devices are susceptible to the same malicious hackers that have plagued computer users for decades.

Connected drones are an emerging technology that will play a central role in the IoT ecosystem.  Drones can communicate images and audio, sense various conditions including chemicals and certain radio frequencies.  They are relatively cheap and simple to operate and can also carry payloads such as a package for or an explosive for military purposes.

Recently, we have seen a rash of incidents involving drones whereby they have interfered with police and fire operations, buzzed (and crashed) on sports fields and violated the privacy of average citizens. With a million customer drones expected to be sold over the Holidays, drones hold both great potential and some danger.

The fact is most Internet connected devices including vehicles, medical and fitness devices, cameras and drones have been successfully hacked for years.  A recent study by Hewlett-Packard showed that 70 percent of Internet connected devices are vulnerable to some form of hacking.

Our societies, comprised of children of light, are becoming heavily dependent on IoT devices. As such, it is important that we continue our efforts to secure these devices while protecting privacy and delivering expected improvements to the quality of our lives.

Blog written by Darin Andersen, Chairman and Founder, CyberTECH, President and CEO, CyberUnited, Co Chair for Economic Development Subcommittee on California Governor’s Cybersecurity Task Force.

CyberFlow Analytics Wins First Place at the Cisco Innovation Grand Challenge

It has been a long but exciting journey for CyberTECH Member, CyberFlow Analytics, a San Diego-based cybersecurity company specializing in “anomalytics”. In successive rounds since June competing against more than 3,000 entries from more than 100 countries, CyberFlow Analytics took first place at the Cisco Innovation Grand Challenge at the IoT World Forum in Dubai for securing the IoT with Anomalytics, taking home the Grand Prize of $150,000.

The six finalists from Canada, Finland, Germany and the United States delivered Shark Tank-like pitches and demos before a live audience and finalist judges – themselves a “who’s who” of IoT industry leadership.

Beyond the cash prizes, the winners earned VIP access to industry, investment and business experts, including Cisco’s global Innovation Centers and Cisco investments team for potential business acceleration and joint go-to-market strategies.

A big congratulations to CyberFlow Analytics!

CyberTECH to Partner with Cutting-Edge Hybrid Service Provider ScaleMatrix

CyberTECH is partnering with ScaleMatrix to bring our Resident and Community Members the world’s most cutting edge data center technology. By partnering with best of breed technology providers like ScaleMatrix, we are able to provide the diverse CyberTECH community with the right platform and performance criteria based on their needs.

As developers of ground-breaking data center efficiency technology, ScaleMatrix delivers an array of cloud, colocation, managed services, data protection and connectivity options under one manageable umbrella. The company has developed a revolutionary high-density, high efficiency Data Center driving down the cost of cloud, HPC and colocation services.

“CyberTECH and ScaleMatrix share the same spirit of innovation and drive to stay ahead of the evolving technology landscape,” said CyberTECH Founder, Darin Andersen. “ScaleMatrix understands the importance of robust, reliable and secure IT infrastructure. Because the companies working with CyberTECH all have different objectives and problems they are solving, uptime, scalability and security is extremely valuable. We are looking forward to building a long lasting relationship with ScaleMatrix.”

USD Center for Cyber Security Engineering and Technology

The University of San Diego recently launched its first Cyber Security degree program, a fully online Masters of Science in Cyber Security Operations and Leadership. In keeping with their strategy for a robust cyber security education program, approvals for their next degree, a Masters of Science in Cyber Security Engineering, is scheduled to launch in January 2016 as a fully on-ground program.

This degree is accelerated and focuses on the engineering aspects of cybersecurity.  It is designed for those with computer science, electrical engineering, or computer engineering bachelor degrees.  While work experience will certainly be considered in admission decisions, because of the rigor of this offering, it is very important to have a fundamental background in order to succeed.

The program will consist of 30 units of coursework and is designed for the working professional.  It will take 5 semesters or approximately 20 months to complete.  It is an extremely specialized degree of the Shiley-Marcos School of Engineering – not only is it the engineering school’s first Masters degree, but it is part of USD’s first center (CCSET).  While the term is often overused, students in this program will truly be pioneers at USD.

The program is being led and developed by Dr. Winnie Callahan, an educator with 20 years of experience at the University of Nebraska and the University of Southern California. She brings together experts in national defense, business, information technology and education to train a new generation of cybersecurity professionals.

“It made sense to me with the things I was seeing that we needed to address this national problem at a couple of levels, including better trained cyber professionals,” said Dr. Callahan.

CyberTECH Executive Director, cyber professional and program champion, Shirley Adams stated, “The center will play a key role in San Diego’s regional efforts to be recognized as the National Center of Cyber Security Excellence. Working together we can help produce the high quality cyber security engineers that our nation so desperately needs.”

Confessions of a Social Engineer: What Every Business Needs to Know

While the global media consistently churns out a deluge of reports about “sophisticated” hacks against prominent individuals, organizations and institutions, the Social Engineer uses well known tactics and techniques to “hack the human” leveraging “bugs” in human psychology.

Exploiting these “bugs” allows the Social Engineer to gather information, implement fraud to further a purpose, agenda or actually access a government or corporate system. The Social Engineer typically uses non-technical methods to gain access to sensitive systems and platforms by tricking one or more people into breaking normal security policies, procedures and protocols. It is one of the greatest threats facing organizations today.

There is a lot that organizations can do to defeat the Social Engineer. The best defense is to create a “security culture” inside your organization. Security culture is all about building awareness, common goals and best practices around protecting sensitive and confidential information. It teaches everyone in an organization to develop situational awareness and begin actively looking for the tell-tale tactics of the Social Engineer. Further, your organization can conduct security assessments, determine your Cyber Value at Risk and prepare for a sensitive data breach before, during and after it occurs to build organizational resiliency.

Blog written by Darin Andersen, Chairman and Founder, CyberTECH, President and CEO, CyberUnited, Co Chair, Economic Development Subcommittee for the Governor of California’s Cybersecurity Task Force.

Protecting the Internet of Things and living in Smart Cities

Last week both the FBI and the Department of Homeland Security warned of risks associated with the emerging Internet of Things. The term IoT often refers to devices that are readable, recognizable, locatable, and controllable via the Internet. Gartner estimates there will be around 26 billion networked devices on the Internet of Things by 2020. Certainly, there are many risks inherent with so many objects connected to networks, but there are also many smart technologies that can enhance security and DHS’s mission to protect the nation.

In public safety, sensors, embedded security systems and surveillance cameras that can monitor public behavior are becoming a norm. In 2005 in London, closed-circuit TV cameras helped lead to the identification of those who carried out the attack on London’s subway and bus systems. More recently, the identification of the prime suspects in the Boston Marathon bombing came in part through security-camera images. Because of the limitations of personnel to constantly patrol areas of cities, surveillance monitoring by video and acoustic devices has enabled law enforcement to magnify their reach and also keep an electronic record of forensic evidence.

The integration of sensors, networks and data analytics is what composes a “Smart City”. Smart Cities integrate transportation, energy, water resources, waste collections, smart-building technologies, communications, and security technologies and services. Frost & Sullivan estimates the combined global market potential of these smart city segments to be $1.5 trillion ($20 billion on sensors alone by 2050, according to Navigant Technology.)

The IoT for Smart Cities has received much attention from DHS, especially from the under secretary of science and technology, Reggie Brothers. His S&T Directorate is continually seeking, developing and sharing innovative technologies. In its own words, “S&T is looking for your best ideas on how we can mobilize and repurpose cutting-edge smart technologies to strengthen the safety and security of our nation. Focusing on wearable tech and Internet of Things, this discussion is a ‘call to action’ to challenge you to think differently about the role science plays in preparing for future threats and risks. S&T envisions a future where mobile sensors, communications, materials, and visualization technologies seamlessly work together to enhance the safety of the public and our responders.”

For DHS, this mission directly correlates to incorporating technologies for shared situational awareness and enabling integrated operational actions to prevent, mitigate, respond to and recover from cyber incidents as well as crime, terrorism and natural disasters.

Specifically for DHS and law enforcement, there are a variety of key areas of IT, Smart Cities — or in the case of homeland security, “secure cities” — component roles:

  • Physical and cyber security;
  • Intrusion prevention/surveillance;
  • Resilience;
  • Public safety services (first responders);
  • Sensors, detectors, biometrics, wearables;
  • Drones, robots;
  • Data analytics, urban informatics;
  • Cameras;
  • Command & control centers;
  • Interoperable communications;
  • Crime mapping;
  • Social media monitoring.

The primary focus of DHS has always been to detect and mitigate weapons of mass destruction. The defense against chemical, biological, radiological, nuclear, and explosive threats will continue to be priorities of DHS because of the asymmetrical terror consequences they present. From its onset, the agency has been working with sensors and networks that detect the presence of toxic gas, pathogens, radiation and explosives. The automation, deployment and analytics derived from these systems continue to be enhanced as components are integrated into smart and secure cities.

Wearables is one of the newer promising technology areas for DHS. The S&T Directorate recently announced a business accelerator program named EMERGE! that is aimed at developing new interoperable wearable technology for the public safety community. Future first responder technologies will likely include headset systems with cameras for visual awareness with embedded computers that will analyze visual data. They will have sensor technologies for sharing information in real-time with hospitals that will be invaluable for rescues in disaster. This summer, S&T launched the Incident Management Information Sharing (IMIS) Internet of Things pilot to apply IoT to the challenge of vastly improving responders’ situational awareness during emergencies.

I would be remiss if I did not mention DHS’s role in cybersecurity. DHS is responsible for overseeing the protection of the .gov domain and for providing assistance and expertise to private sector owners and operators. Because the IoT touches both government and private sector networks, DHS is an integral part in deterrence, ameliorating risk, and ensuring resilience to the IoT networks. As a society on the verge of unparalleled exponential connectivity, DHS’s role in cybersecurity is a critical one.

New risks, privacy issues, and unforeseen issues will no doubt confront us as the Internet of Things continues to evolve and expand. DHS will be at the forefront of addressing those developments and will continue to fulfill a vital role in its mandate of keeping citizens safe by harnessing new technologies for secure and smart cities.

Blog Written by Charles “Chuck” Brooks, Vice President of Government Relations and Marketing, Sutherland Global Services.

Path to a Career in Cyber

When I started my career in the US Navy, almost three decades ago, I originally went into the field of advanced electronics. It was close to what I wanted to do, which was work on computers. However, in the mid-1990s, I read a book that changed my life.

The book, “Information Warfare,” was written by Winn Schwartau and after reading it I became fascinated with not just computers, but the idea of global networks and how computers could be used as both an offensive and defensive weapon. The book started me down a long twisted path full of curiosity and after 25+ years of walking that path I find I am always curious.

Information Technology (IT) today permeates every facet of our daily lives. We would be very hard pressed to find a place in the world where some type of IT is not being used. With that said, because this technology is such a multi-faceted tool, it can be used in an exponential number of ways for both good and evil.

So, over the years as I have walked this twisted path in IT I have sought to expand my knowledge into the field of what we now call Cyber Security. I have purposely worked in many positions to learn new ways to use computers and increase my understanding of enterprise networks and how to protect them.

Over time I even built a lab in my garage, to the dismay of my wife, made from way too many shopping sprees on eBay and Fry’s. Before you knew it I had a full rack of Cisco equipment and several rows of Windows and Linux desktops and servers (pre-virtualization days – I feel old). I used this equipment over many long nights to teach myself networking, a little hacking – who am I kidding, a lot of hacking – and computer forensics. I also used this lab to help me study for my first certifications and as I changed jobs I would reconfigure the lab to study for new certifications.

This lab would teach me that to work in the field of Cyber Security you need to start small. You need to figure out what you don’t know, lay out a plan for where you eventually want to be, and then put your head down and get to work.

I used the lab to experiment and increase my knowledge; I used it to break things and then figure out how to fix them. Sometimes, humbling as it may be, I learned I was not as smart as I thought I was and I would have to ask for help after breaking something. In spending this time, over several years, working in that lab and taking any class I could find at the local colleges and junior colleges I developed what I called my Cyber Career Map.

This map consisted of a certification tree, a tree where I mapped out what certifications and experience I would need to eventually be at a certain skill level. The hope was someday I would have an interesting job in Cyber Security. As I look at where I am at today I would say that plan worked very well.

So fast forward to today, I was recently asked to describe how I developed my map and to write an article with some mind maps as a visual tool so readers would better understand my process. There are three tools that I used to develop a Cyber Career Map, those are the Certification Maps, Employment & Networking Web Sites, and Education & Cyber Web Sites. This article is centered on Cyber Certification Maps and its three sub component areas:

  • Certification Maps
      ◦ World of Cyber
      ◦ Cyber Career Map
      ◦ Cyber Career Map – My Career as an example

Before I get started, I want to say I am by no means an expert. This article is just based on what I learned from experience over the last 25+ years as my career has progressed in both IT and Cyber Security.

I believe my experience in having moved through multiple disciplines within the IT and Cyber Security fields gives me a unique perspective on the experience and insight a senior cyber security professional gains from having a broad range of IT knowledge. So with that said I plan to describe some of the tools and web sites I used to help me in my career and why I used them. Let’s get started.

Blog written by Gary Hayslip, Deputy Director and Chief Information Security Officer for the City of San Diego.

Before there Were CISOs – Part 2 (Into the 21st Century)

In Part 1, I covered my first two decades of ‘growing up’ in Information Technology (IT) and cybersecurity before the Chief Information Security Officer (CISO) title existed. I left off with the early stages of implementing security measures at the birth of the World Wide Web (WWW) and the explosion of connected computer usage that we know today as the Internet. In reality, the Internet existed years before the WWW, which took advantage of new graphical user interfaces (GUIs) to make the user experience easier and friendlier; because, after all, the Internet is just a network of networks interconnected across the globe.

In Part 2, I continue with my third decade, breaking out of the “IT box” into aspects of security for operational systems, industrial control systems (ICS), and underlying information assets, as well as the transition of cybersecurity becoming a recognized business function with newly defined areas of responsibility. The technology changes that seemed to be happening so radically during those earlier years (e.g., moving from a mainframe, text-based environment to desktop PCs with graphical interfaces), slowed down during this next period. While new technologies were still being released frequently, they weren’t major shifts in the paradigm (yet).

To me, the most important characteristic to have in this type of position is integrity – always speak the truth, say what you’re going to do, do what you promised you would do, and maintain confidentiality.

During this time, the private sector was taking steps toward identifying what was ‘cybersecurity’ and the roles associated with it; this, sadly, was not the case for municipal government where I was working. I found that municipal, regional, and even state governments were not yet concerned with creating formal cybersecurity roles. Instead, they were still using a single job title to cover a dozen different roles, such as my general umbrella role as “IT Manager.”

During the early part of this time period, we were all dealing with resolving the Y2K date issues (to this day, I still write my dates as mm/dd/yyyy). I became involved with control systems and other embedded systems which were, at the time, not considered within the realm of IT – they belonged to the process control engineers. These systems had two positive things going for them; (1) the systems were on a closed, internal network located at each facility and not connected to any office network or the Internet, and (2) work crews would simply take over manual operations of the equipment in case of a system failure. However, with Y2K approaching, we performed the Y2K assessments on these control systems and the results revealed some potential security issues which needed to be addressed. While the latter condition (taking manual control) remains true, the former condition would change in the years ahead, by enabling secure, remote access into certain control systems.

In addition to the ICS located in major facilities, we also had Supervisory Control And Data Acquisition (SCADA) systems to monitor small (and often remote) pumping stations. These systems were mostly secure, based on the fact that they were used for only monitoring the local process controls and not managing them (the “supervisory” function being disabled), and they were not connected to any network. The SCADA systems communicated through either dedicated telephone lines or across point-to-point, restricted frequency radio signals, and later used licensed, spread-spectrum radio frequencies. While I provided recommendations, SCADA security was handled by another division. As you can see, at this time, security was not centralized or managed, it was spread out among many divisions and was still not a formal discipline within municipal government.

Soon afterwards, my view of system security took a new twist for several months, as I was unexpectedly pulled out of my regular job for a special assignment – overseeing city-wide electronic discovery (eDiscovery) in response to a federal subpoena. I managed 15-20 IT technicians & analysts, taken from a dozen different departments for this task. I was assigned a system administrator and network security analyst who helped modify user rights for the eDiscovery team members, as they went into numerous work sites in over 15 departments to collect data from local PC systems. Another small team had the task of searching for and retrieving data from dozens of departmental file servers. We had to manage “just-in-time” security rights to give team members access to the specific workgroup data when they went to collect potential evidence, and then remove that access when they were done. We also had to coordinate physical security for access into closed office spaces, including having security guard escorts in restricted work spaces (at least they preferred having my team come ‘visit’ them, rather than the FBI). Needless to say, this brought the whole data security issue to the forefront for almost all managers and executives, because their files were the primary focus of the investigation. In addition, while many of the IT analysts had some previous exposure to system security, this was a new area for them as well, especially having to log and track their activities. In my administrative group, we had online system logs to maintain and keep secure, and we had to document which team members were given access to specific server or workgroup data, when it was activated and terminated, and a summary of the files retrieved.

Later, when I returned to my regular job assignment, I was fortunate to become a Department Information Officer (department-level CIO) which brought all of the technology functions under one central division. I managed four sections which were responsible for control systems engineering design (planning new control system installations), control systems administration (setup, management, and ongoing maintenance of the systems), SCADA & telemetry support (managing & administering SCADA systems), and IT services (Help Desk & technical support, application management, network administration, and security). It was during this time that the ICS designs started including cross-over access points between the control systems network and the operational (office) network, so that data could be exported out of the control systems for administrative reporting purposes. My staff worked cooperatively in both the planning and implementation of necessary security controls, at first making this a one-way connection to get the data out, and later providing secure connections for specific remote access into the control systems by designated and authorized system administrators. The team also coordinated integration with physical security systems, so that certain control systems alarms would display at the facility security guard consoles.

It was at this time that information security became a recognized service area and we had to start reporting monthly and annual performance metrics to senior management. I’ll digress for a moment – how many of you had the discussion (some may consider it an argument) with senior management about how to report attempted intrusions? They wanted to know how many attempts were blocked each week or month and didn’t understand that the volume would normally fluctuate from 10s of thousands in a week to 100s of thousands, because it depended on who was targeting our local government or any “dot-Gov” domain. I told them the performance goal should not be blocking X-number of attempted intrusions, the goal needs to be zero actual intrusions. After two years, they accepted my goal, but still wanted to know how many intrusions were blocked. One benefit of having more visibility of security metrics, was being able to use them as part of the business case for our budget. While there wasn’t a line item in the official budget for security, the underlying documentation outlined the security-related costs (i.e., staff, hardware, software or third-party services); however, I still had no designated security positions.

Now that we were finally growing a departmental security program, organizational changes were made, in the name of “streamlining government,” resulting in my position and my boss’ position being re-engineered out of existence. Fortunately, the teams I was leaving behind were now established and self-sufficient, and I moved into a position as city-wide Enterprise Architecture and Infrastructure Manager (which included security functions). During my last five years, there was further turn-over in senior management and the city changed from a City Manager to a “strong Mayor” form of government. My new role morphed into IT Operations and Security Manager, where I worked under three different CIOs and, when there wasn’t one, I reported to the Assistant COO and was responsible for operational management of the IT Department. At that time, I was also responsible for managing data retrieval for confidential internal investigations, including senior management, locking down user accounts, and impounding hardware.

Over the last several years, I had made a point to create working relationships with department directors and other senior management, offering assistance and guidance to support their IT functions. I believe these developed relationships were critical for me in my new position, because, when it came time to interact with them on a regular basis as part of the IT governance process, I already had their trust and respect. To me, the most important characteristic to have in this type of position is integrity – always speak the truth, say what you’re going to do, do what you promised you would do, and maintain confidentiality.

One of the last tasks in my position was helping implement a new IT Strategic Plan, which included forming an Information Security Committee. Committee members were appointed from a minimum of twelve departments by their directors and at least half the members were from operational management positions, not IT functions. This was a strategic requirement in forming the committee, to ensure that business needs were being addressed as security measures and solutions were proposed. The committee’s first task was to update the incomplete set of security policies and procedures. We obtained the current ISO/IEC 27000-27005 set of standards and used applicable ones to incorporate into a detailed set of information security guidelines and standards to augment a new set of information security policies.

As I ended my career with the City, I convinced the CIO and COO they needed to create a specific position for security, and relegate my other job functions to other IT managers. In the end, I was able to define an “IT Security, Compliance, & Risk Manager” position – which a few years later would be formalized as the Chief Information Security Officer (CISO) role with overall responsibility for cybersecurity on all City networks. This was especially important because the city’s IT services transitioned from a hybrid, internal/external service model, to one that was almost all outsourced and having a cybersecurity role to provide overall governance would be critical for the City of San Diego. The CISO position has since been held by two very competent professionals – first, Derek Sandland, and currently, Gary Hayslip.

Blog written by Alan Watkins, Cybersecurity Consultant, Adjunct Professor for MS-CSIA Program, Member of InfraGard San Diego. 

Before There Were CISOs – Part 1 (The ‘80s and ‘90s)

Some close friends and colleagues in cybersecurity encouraged me to write about ‘growing up’ in Information Technology (IT) and cybersecurity during the computer era before there were CISOs (Chief Information Security Officer). I’m sure there are other Baby Boomers out there, who have similar stories to tell and understand what it was like as technologies rapidly advanced and became business assets that needed managing (the “Rise of the CIO”) and, much later, securing those assets became a business risk management concern (the “Rise of the CISO”).

My point of view is from public sector experience; although, I have had much contact with my private sector counterparts. My public service started in high school as a volunteer swimming instructor and lifeguard, then working in a public library in a small southern California city. My professional civil service history covers over 36 years with the City of San Diego, California, including over 12 years in law enforcement as a sworn officer and almost 25 years in positions related to IT. My last 10 years were in IT management, retiring as the city-wide IT Operations & Security Manager.

The intent of this two-part article is to share how information security needs and functions existed before the roles were defined, as has been the case when new inventions cause shifts in business operations (i.e., the industrial revolution). What follows in this Part 1 is the first two decades of my cyber evolution, climbing the career ladder while ‘growing’ IT staff, and the requirement for open communication, cooperation, and collaboration between both IT operations and business operations. In Part 2, I will continue with my third decade, breaking out of the “IT box” into the strategic aspects of security for operational systems, industrial control systems, and underlying information assets. It is in the second article where I will discuss how the rising cybersecurity functions become identified as major roles created to manage newly defined areas of responsibility.

As I look back over the decades, a couple of sayings come to mind – “what goes around comes around” and “what’s new is old” (or vice versa, “what’s old is new”) – meaning that the underlying security needs in today’s environment really aren’t new, they’re just using different technologies (which will continue to change).

So with that, let’s get started – in my last two years in law enforcement, I got hooked on technology and developed some simple applications to issue and track certain permits and accident data. While I was not consciously aware of performing any security measures at that time, I realized not everyone should have access to the data being collected, so these simple applications did require a user ID and password. To keep this in a technology perspective, these were all mainframe-based, using ‘dumb terminals’ (some of you remember – the ones with black screens and green text). To be honest, the mainframe seemed mostly secure – you needed an ID and password just to login to the host system, then a different password for each application (usually assigned by the System Administrator) – long before the days of Active Directory® (AD) and Single-Sign-On (SSO).

After leaving law enforcement, I took an administrative position in a six-person division, which would, over the next several years, become a major department with over 1100 employees, plus hundreds of contractors. [A note of reference for those in the private sector – the city structure consists of departments (e.g., police, fire, library, water, etc.) which are comprised of several divisions. This is generally opposite of a private corporate structure where divisions are the larger business unit.] In my first six months, I was given the task for our first staffing growth to purchase and outfit 100 employees and contractors with new “personal computers” which had to be networked to a MicroVAX server. The mainframe team said, “these personal computers are just a fad, stick with the tried and true…” A few months later, while starting to configure the new PCs on an Ethernet network, the existing network team said, “why are you testing that Ethernet technology, you should stick with the standard token-ring technology…” We all know the outcome of those statements (can you say, Sony Betamax?). In that first growth spurt, our IT budget went from $150,000 in the first year, to $1 million in the third year and, needless to say, the designated security budget was zero. As the department continued to grow each year, I was able to justify hiring more IT staff, and, as a result, getting myself promoted to oversee the new staff. How did that happen?

While I was given mostly free rein in the area of new technologies, I had close working relationships with senior management and also the operations supervisors, engineers, scientists, facility & field maintenance supervisors, and administrative staff. I needed to understand their basic job functions and operational requirements in order to obtain the necessary technology to meet their needs. This is nothing new (today) for a customer-centric approach to IT services. At that time, executive management understood the need for new technology, without understanding the technology itself. They trusted that I did understand what was necessary to maintain and improve work efficiencies by implementing appropriate technologies. I had to earn that trust by demonstrating system capabilities (usually a live demo) and providing cost-benefit analyses in selecting a product for purchase. Keep in mind that, with government budget cycles, I was justifying the technologies and costs about 14 months before the budget would be approved. In those early years of having PCs, products mainly included desktop productivity tools for word processing, databases, and spreadsheets, well before there were any integrated “office” packages. Email was still based on the mainframe for several years.

As we added department staff, I was able to find several national surveys describing the recommended number of IT staff to adequately support a specific number of users for desktop support. I started with a ratio of 1-to-200 when I was the only IT person, then as we grew, I changed the ratio to 1-to-100, which was still nearly double the national average. At this time, I justified and added the first two new IT positions, and I became a lead IT Analyst. In the following year, the department would experience explosive growth and expand to nearly 600 employees at five sites. Of course with this growth I was able to justify four more IT staff, and have my position elevated to an IT Supervisor. This was achieved partially through the rapport with senior management, who were not focusing on the technology itself, they were relating to how the increased use of technology required skilled IT support technicians to maintain efficient business operations – a very novel concept at that time. I believe I helped influence this executive support with internal and external help desk call statistics I had collected. I used those collected metrics to provide an estimated cost impact of employees’ lost productivity due to system degradation and the average mean time to resolve, in relation to how many IT staff were available to provide critical support services. The projected reduction in costs was used to more than offset the cost of increased staffing, and I was able to justify the four new IT positions, while now managing an annual department IT budget of nearly $12 million.

One critical viewpoint I believe assisted me during this time, is my understanding that management, engineering, and operations needed to be fully “in the loop” when moving ahead with new technologies and their companion security measures, so I made sure to provide them with this visibility. However, it should be noted, that with these new technologies came increased responsibilities for my growing IT section. The IT staff had to meet increasing operational and performance requirements. They also had to ensure the security of its systems and permit public access to records when necessary. At the time, this was a daunting task; remember this is in the early stages of enterprise IT and there were no published functional frameworks on how to manage large, distributed networks. To get this far in building out the IT program and continuing its forward momentum, in retrospect, I now find that I was (unknowingly at that time) following most of the steps described by my good friend and colleague, Gary Hayslip, in his LinkedIn article, “So you want to be a CISO” (Jan. 17, 2015), and his five related, follow-up articles (Jan. – March 2015). I was actually executing the steps of a CIO and CISO before anyone knew what these positions were – it was definitely the wild, wild, west in IT back then.

So, now that I have given you some idea of the explosive growth in IT that we were experiencing, let’s discuss the security side of technology during this time period.

It was during this time, in the early-1990s, when we implemented our first Local Area Network (LAN) with 30+ PCs and one server. We had to design file structures to segregate different work groups and we had to manage user accounts and access rights. Since the city staff already had assigned user IDs, we had to create a naming convention for the contractors. Remember, at this time in the world of IT, there were no written policies or procedures related to IT management or security. With the combined experience of myself, a network analyst, and a contractor’s system administrator, we proceeded to build our first network infrastructure. We defined user and group naming conventions, server directory structures & naming conventions for groups, user security groups, group access rights, system login requirements (including two-factor authentication, minimum password length, and password age/expiration – no ability to require or enforce password complexity), and system logging requirements (only for performance monitoring, not security). We also set up system administration tasks to be done on the server using its Unix-based VMS operating system, while the desktop PCs ran on MS-DOS with no client/desktop security software. It’s amazing, at that time, that we built this out with no industry guidelines and it actually worked!

Later, during another staffing expansion, which included multiple sites, the single MicroVAX server was replaced with Novell NetWare servers at each location. This new network operating system provided several built-in security features, and also required IT staff to understand the platform and how to manage the five LANs across our new Wide Area Network (WAN). It was during this time of expansion that the first version of Windows was released; so, needless to say, the IT staff and I had to take new training classes, because again, technology changes proceeded to speed up and we had to support our users. I want to mention that at this time when Windows came onto the scene, we concurrently had a contingent of Macintosh systems, used for technical drawing and graphical rendering. It was at this point in my career, I started creating written internal procedures, documenting current practices for consistency across the IT staff, so expectations were set and system administration was standardized. I now had two staff dedicated to security and system management; still primarily concerned with internal security issues (i.e., someone gains access to another group’s files without proper authorization), and still no official designated security budget. In addition, we did create procedures for how and when a modem could be connected to a networked PC, including security precautions which would hopefully prevent unauthorized people from dialing-in and connecting to our computer or internal network. This was the birth of our cybersecurity efforts, on the cusp of the World Wide Web!

So it is here, as we are about to step into a new era of online computing, that I will defer the remainder of my article about how I have observed the progression of cybersecurity into today’s current cybersecurity paradigm. As I look back over the decades, a couple of sayings come to mind – “what goes around comes around” and “what’s new is old” (or vice versa, “what’s old is new”) – meaning that the underlying security needs in today’s environment really aren’t new, they’re just using different technologies (which will continue to change). Stay tuned for Part 2 of this article…

Blog written by Alan Watkins, Cybersecurity Consultant, Adjunct Professor for MS-CSIA Program, Member of InfraGard San Diego