
Delivering Maximum Impact in the Public Sector

Posted: 28th September 2020
By: CAITLIN MATTINGLY

Our guest is Michael Anderson, chief information security officer for Dallas County — the eighth largest county in the United States. He oversees the IT security program for over 6,800 county employees and the electronic records for over 2.6 million residents.

Michael shares his career journey, including 10 years served in the Army in the Intelligence Corps, and over 20 years of strategic and tactical expertise across a wide range of IT disciplines. We’ll find out how he and his team use modern tools to make the most of limited resources, the type of leadership style he uses to inspire and motivate his coworkers, and how he approaches hiring in a highly competitive jobs market.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 177 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest is Michael Anderson, chief information security officer for Dallas County — the eighth largest county in the United States. He oversees the IT security program for over 6,800 county employees and the electronic records for over 2.6 million residents.

Michael shares his career journey, including 10 years served in the Army in the Intelligence Corps, and over 20 years of strategic and tactical expertise across a wide range of IT disciplines. We’ll find out how he and his team use modern tools to make the most of limited resources, the type of leadership style he uses to inspire and motivate his coworkers, and how he approaches hiring in a highly competitive jobs market.

Michael Anderson:

Born and raised in California, I served in the military after graduating high school for 10 years. And after successfully completing my armed service tenure, I became a civilian again. And unfortunately the rank that I held as an armed service member did not transfer cleanly into the civilian world. So, whereas I was a network manager in the military, I had to start all over when I became a civilian. So I did just that.

I began working at the desktop and a couple of years later, I'd moved into the engineer ranks. And after mastering that, I began working with small teams as a supervisor. Fast forward two, three years after that, I got my first manager role. It's been just an uphill climb since then. I want to say about seven years ago was when I first entered into the executive ranks. And that was a life goal for me to be at the top of a particular vertical.

Dave Bittner:

And so your position today, can you describe that for us and tell us what your day-to-day is like?

Michael Anderson:

Well, I can. Day-to-day is very, very challenging. Dallas County is the eighth largest county in the United States. We have 39 different departments and agencies that comprise the county. As you would imagine, there's a good deal of diversity. And so in one day I might be working with public works. The next day I might be working with the judiciary. The next day I may be working with members of the court. It's just a great deal of diversity. And I like that.

But my team specifically, we have responsibility for the County Cybersecurity Program and really what that entails is three different teams. The first of which is, we call them threat and vulnerability management. And we also have another arm, architecture and engineering. And then we also supply for the 150 or so folks that make up IT services, audit, and compliance so that we can make certain that we're firing on all cylinders with respect to our compliance mandates.

Dave Bittner:

Can you give us an idea of the scale of your team? How many folks do you have working under you?

Michael Anderson:

We have a total insource and outsource of 10 men and women that make up the team. We've been asked to streamline and keep things relatively small. And so we have a number of partnerships with outside entities that help us to complete the portfolio for the Security Services Program.

Dave Bittner:

Can you describe for us how that works? How do you balance that? I would hazard to say it is a relatively small team for the size of the organization that you're protecting and being able to work with outside vendors.

Michael Anderson:

Yeah. I tend to agree, Dave. It is a fairly tall order and a part of that called for us to take a look at everything that we had in existence, and then looking at how well we did and the areas that required improvement, what tools might we keep and what tools should we replace. And as we went through that exercise with the backdrop being, we're going to be small, we have to be nimble. Not only do we have to keep the lights on and work cross-functionally, but we also have to do programs and other projects, how can we do all of that and remain nimble?

And so what we came up with was an AI/ML model, whereby we would replace just about everything with those types of tools so that over time, and with clean data entering into those systems, we could train those to only stop work for those analysts, those engineers, those architects, when it was absolutely necessary. And so that's been, I guess, an 18 to 20 month journey. And I will not tell you that we have arrived, but we're much better off in our day-to-day than we were when I first joined almost two years ago.

Dave Bittner:

Do you have any insights to share in terms of what that journey has been like, for other people who may be considering a similar approach? Any things that they should be mindful of?

Michael Anderson:

Dave, I have an opportunity because there's so many cities within my counties and because we're making, in Dallas County, a model for other entities of our size and larger, I get a chance to talk to a lot of practitioners, local to the 254 counties that make up Texas, as well as those that are outside of our state. And one of the biggest challenges that I see facing practitioners is that they don't really know where to start. So the person before them, maybe they were doing their best. The person before them, maybe they had a compliance focus. But with respect to growing the program, what I find most often is that they have not adopted a security framework and conducted a gap assessment against that, and then prioritized those documents, those findings to give them a solid roadmap going forward. That's probably number one without question. And it is on a day-to-day basis as I work with other practitioners, the very first thing that I prescribe that they should take a look at.

Dave Bittner:

And what does that do for them? What are the benefits of taking that approach?

Michael Anderson:

So I led in with, they don't really know what to do. There are so many vendors that have some fantastic products. You can very easily find yourself in a cycle where something new, something shiny with a large amount of promise comes in and you adopt that. And it works out and then something else comes along and you're perpetually in a cycle of trying out things that are new and shiny. But what I recommend people do is adopt a framework that's suitable for the size of the organization. I always advocate for the adoption of one of those first.

And then to your question, what this does is it really helps with where the program … Understanding at a point in time, here's where the program is. Here's where the program should go. And the findings should be if they've gotten a real good risk register, and I always tell folks that I counsel to make sure you get a good risk register, the findings should be categorized from critical to high, to medium, to low. And so now the whole selection process with respect to enhancing the program, it's unemotional, doesn’t have anything to do with that which is shiny and new.

Dave Bittner:

You mentioned presenting to the board. How much of your job is that kind of diplomacy of having to sell things to those people who are making those tough decisions? No city, no town, no county these days has all the funds that they wish that they had. And so there are tough decisions to be made. How do you approach that?

Michael Anderson:

You have to have a story. So now you've done this gap assessment, you select the framework, you have the gap analysis, then you have to take your findings and you have to create a story behind those findings. And there's a little bit of artwork to that. There's the softer side with the PowerPoint presentation and how you show that. But then there's also the actual presentation itself where they get to interact with you, your body language and the cues that you have. And so for us, we have to go to the court for every single acquisition. And it's typically a very lengthy written document first. And if it crosses a certain threshold, you may have to appear in court to represent your particular request. And the court is made up of a judge and four commissioners that represent the four large districts that make up Dallas County.

I have to tell you, they are very, very astute. Two times a month, we're going through that cycle of building that story, building that presentation, if necessary, sending that out ahead of debrief that goes to the court and then possibly having to go into court or into closed session. Most of my stuff is closed session because it's security, to get the necessary approvals to move the program or the acquisition or the human resource requirement forward.

Dave Bittner:

And then how do you go about measuring success? How do you evaluate if the things that you put in place are working?

Michael Anderson:

That's a great question. It's a really good question. So we have dashboards and we have two different types of dashboards. First of which, really targets the senior management team. And then we also have one that is much more technical and that one is really tailored to the subject matter experts and such. And in doing so, we're able to take a look at a specific platform that we have brought in to deal with a certain set of controls. And through those dashboards, we're able to see how that particular tool is decreasing the risk to the county. And it just becomes more about the numbers and obviously in our world, the lower the numbers, the better.

Dave Bittner:

I want to switch gears a little bit and get your perspective on threat intelligence and the part that that plays in the work you're doing there day-to-day.

Michael Anderson:

Well, we're very, very fortunate. We have MS-ISAC and EI-ISAC, they provide us with a great deal of intel for no charge. I believe the public sector, there's a very, very nominal fee, but well worth it. They're sharing just about everything that you would want to know just as it's being found in the wild or just before it's being executed in the wild. And so anywhere from applications to operating systems, and that could be server, desktop, or mobile, all the way through all of the various types of hardware and appliances to include security appliances. They provide us with all of that data so that we can plug and patch as quickly as possible so that bad guys aren't able to exploit us. We have a dedicated threat team, and this is a function of what they do on a day-to-day basis.

But with the refinement I shared with you in our lead-in, we're making certain that everything that goes into the SIEM, into our security operation SIEM, we want to make sure that information is clean and has as little flaws as possible. And the algos in our SIEM, they do the vast majority of the threat triggering for us so that we know if something pops up on the dashboard, on our handsets with a certain severity that we've said, we should get this on our handsets or a phone call, then we know, hey, game's on, something's going on that should stop work. So we have dedicated analysts who perform these tasks along with a number of other feeds that enrich all of that threat intel together.

Dave Bittner:

What about the human side of things? Your own perspective as a manager? How do you describe your own management style?

Michael Anderson:

One of the first things I would try to do, Dave, is always be as transparent as possible. I always attempt over time to win the respect of my team. I find that when I'm able to do that, I get the absolute most out of them with the least amount of managerial effort. And so what that means is I show them that I care about the contribution that they make each day. I provide them with challenges so that their careers are enriched, enhanced, and I try very, very hard, and I think this is a success, not to be helicopter-like, and all over their shoulders, and scenarios where they feel like I'm breathing on them just a little too much. I give them space. I give them a charge. I assess what they understand, don't understand, they repeat it back. We make sure we have good communication. If it's an area that they don't know, I make them smart on it. I give them some of my firsthand accounts and how I've dealt with it in other organizations. And then I let them go do it.

And I act as the reference point for whatever the activity is. And so over time, what I always tend to find in this particular model, we call it democratic for the most part, I will change that a little bit if we're in a crisis and depending on the severity of it, I may be more hands on. But for the most part, I'm democratic and they absolutely love that style. Everyone really adjusts well to that style. The residual from that is I get the most from them with the least amount of managerial pressure.

Dave Bittner:

And what sorts of things do you look for when you're hiring? How important are, for example, degrees or certifications versus life experience or other jobs they may have had?

Michael Anderson:

In the Dallas Fort Worth metroplex, so from Dallas to Fort Worth, that's about 63 miles if I remember right. The unemployment rate for cybersecurity professionals is among the lowest in the nation. So there are an abundance of jobs always available for this profession. It used to be a time where I was very, very heavy on a collegiate background, coupled with some very, shall we say, industry certifications. But given the dynamic that I just shared with you and the cost structure for the type of talent that we need today, and my inability to compete at the same level as the private sector, I've had to do some unique things. I've had to look at non-traditional means. I have to take a look at bringing someone up through the ranks from maybe an IT discipline, but where they didn't have a strong IT background and training them up.

I have to look to programs within North Texas and the DFW that sponsor younger professionals who may not have the depth of knowledge, but they've at least had some foundational courses. I have to be willing now to do a lot more mentoring and training than I had to in time past. And so it's a much different landscape today, Dave, than it used to be specifically for this discipline that we're in.

Dave Bittner:

What sort of advice do you have for that person who's coming up through the system, who has their sights set on a job in cybersecurity? Whether it's coming up through school or maybe switching jobs from something else?

Michael Anderson:

I have a lot of friends, Dave, who are recruiters and I know this capability exists for them to move from an adjacent industry into ours. So something IT into security. It appears that it's still somewhat difficult to make a change from say, accounting to cyber. That's still somewhat taboo, but talking to my peers and listening to a number of different webinars since we're stuck here at the house, I've found that that's being relaxed more and more.

So I think to answer your question, if there are folks out there who desire to make a change, I think there are some foundational security certifications that open the door, and in the same way that I worked my way through the ranks, they should be willing and open to that. And I think in the day and age that we're in today, it doesn't take nearly as long to make some significant strides, in terms of upward mobility, in the security space, as it did say 10 years ago. With all that we see in the news and all that we read about, and the frequency with which we see cyber activity taking place right here near us and abroad, literally everywhere, we need in this craft as many people who are willing to come over and do this against the sick stigmatism that we sometimes face as absolutely possible. Because we are shorthanded in every area of cybersecurity at the moment.

Dave Bittner:

Our thanks to Michael Anderson for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.
