CISO Conversations: USMC and SAIC Security Leaders Discuss Organizational Differences
In the latest installment of its CISO Conversations series, SecurityWeek spoke with Renata Spinks, CISO of the United States Marine Corps, and Kevin Brown, CISO of SAIC. The former is ‘in’ government (military), whereas the latter is ‘to’ government (military). The goal was to compare and contrast a security leader in government with a security leader in a related private enterprise.
Renata Spinks was the acting CISO for the Marine Corps, reporting to the CIO, at the time they spoke, but she was also the cyber-technology officer for the Marine Corps Forces Cyberspace Command – the hub of the Marines’ cyber operations. She worked on both the defensive side and the offensive side of cyber.
Spinks is a stalwart military lady. Outside of government, she is the managing director of Rising Footsteps. “That bothers a lot of people,” she said. “Even the Marine Corps legal team dislikes the fact that I have a consultative firm.” Part of this reflects a key aspect of her approach to cyber security: information sharing and collaboration with the private sector. “I’m all about information sharing,” she said, “and I don’t think you can do a good job, from a security standpoint, within the Department of Defense if you don’t grow partnerships with industry. There are just so many things we don’t understand and where we are slow to adapt.” It also serves as an escape route. “If I don’t want to stay in the military and go into private industry, I have a place where I can land quickly, because… bureaucracy sometimes gets the best of you. If I’m being honest, there are times when I just want to go do my own thing because you guys don’t listen.” Because Spinks describes herself as “married to the mission,” this is a hypothesis rather than a certainty.
The skill shortage
The lack of funds in government extends to recruitment. According to Spinks, the recruitment problem is more of a financial one than a skills one. She would like to hire ready-made experts but is unable to provide a competitive salary. “I’d like to find some cloud security engineers – those who are already building cloud technology – because they know the best ways to secure it. However, those individuals are frequently paid in excess of $200,000, and the government simply does not have that kind of money for salaries.”
The security team is diverse
Recruitment diversity is important everywhere, but perhaps nowhere more so than on the security team. “When we build a team, we look for specific competencies as well as a cohesive range of personalities,” Brown explained. “I believe that a good spread of diversity within teams is critical — a mix of technical and business skills. You don’t want everyone on a team to be exactly the same because you’ll become too focused on one area and lose sight of the bigger picture.”
Best advice ever received
People who rise to the top frequently receive sound advice along the way. We asked Renata Spinks for the best piece of advice she’d ever received. In a nutshell, it was ‘stay grounded and don’t seek recognition.’ “‘You’re not here for the accolades; you’re here for the mission,’ I was told. If I became anxious about the next step and worried that I would make a mistake, I was told to relax, focus, and do what was best for the mission. So the best advice I received was to stay grounded and never be motivated by personal gain. Always focus on what is best for the mission – if you keep your sights on that, you’ll be fine.”
Advice given
Giving and receiving advice is a two-way street. Brown’s advice to aspiring leaders is divided into two parts. The first builds on what he has learned personally: to be a successful CISO, you must also be a business leader. The second is to be courageous and to empower the people around you to be courageous as well. “You must understand the business’s parameters as well as the threats that exist – and always do the right thing. It takes bravery to stand up and say, ‘I understand your concerns, but these are the threats, and this is what we must do to mitigate them.’ If you truly believe in something, you must have the courage to speak up.”
Future security risks
Spinks sees it in two ways. “I believe our biggest threats for the next few years have already arrived. The first is the supply chain, which is a significant challenge with vendors providing military equipment, software, and services. SolarWinds put our supply chain resilience to the test. Working with industry, being provided by industry, and ensuring that things introduced into our environment by industry are as secure as possible, I believe, is our most difficult challenge. With no loss of capability to the warfighter.”