Erik Avakian | Nov 18, 2024

November 18, 2024 00:20:31

Hosted By

Ari Block

Show Notes

In this conversation, Erik Avakian, a seasoned CISO, shares his experiences and insights on the challenges of cybersecurity leadership, particularly in a political environment. He discusses the importance of communication, the need for cybersecurity to be understood as a business issue, and the significance of teamwork in cybersecurity efforts. Avakian emphasizes the necessity of bridging the knowledge gap between technical experts and legislators to enhance cybersecurity awareness and effectiveness. He concludes with valuable advice for aspiring cybersecurity leaders, highlighting the importance of communication skills and understanding different personalities in the workplace.


Episode Transcript

[00:00:00] Speaker A: Erik, welcome aboard to the show. I am so happy to have you here today.

[00:00:04] Speaker B: It's great to be here. Thanks for having me.

[00:00:06] Speaker A: Erik, I want to jump right into it. You were. And keep me honest here, that I'm not mixing up my states. Pennsylvania, you were the CISO for, like, more than 10 years. What is the most memorable crisis event security issue that you had over those. Over that long period of time?

[00:00:24] Speaker B: You know, there's. So, yeah, it's about ten and a half years. And I think I'm this. I'm not sure if I get this right. I'm one of two of the longest tenured CISOs in the country. Right. So usually state CISOs don't last more than two and a half years. That's probably the going rate of pretty much most CISOs in the nation. But I hung it out. I worked for three different. Sorry, three different governors. Yeah. Two different CIOs in that time period. Three CIOs. Excuse me. And so it was challenging, right? Every time a new administration comes in, it's always met with challenges. You're kind of starting over. You gotta, you know, here's what we're doing for cybersecurity. Here's what we do. And the fact that I lived through two different party changes, right? That's, you know, usually, again, I wasn't appointed, but my boss, you know, obviously you're in a different administration and it gets kind of odd, but I was able to live through that. I mean, they kept me on. So it was great to be able to continue what we started. And really, you know, starting the program back in 2010, you. I became CISO in 2010. I was actually deputy for three years. Prior to that, I'd been with the state for 16, 17 years plus. But having just gone through those transitions, very tenuous times because you don't know if you're coming or going, if they're going to keep you or not. So that was challenging. And to kind of build the team, start from nothing, really build the security program.
So security's become a lot more. It's become kind of political. I shouldn't say it is because I. It's probably. Shouldn't be. But certainly in state government, you know, the CISO has risen to a level of, you know, where you're going to hearings, you know, you're testifying on behalf of cybersecurity, on behalf of the administration. And I certainly had that right. So I was. I certainly had to testify. And every year we would have what's called these budget appropriation meetings we're going to. They want to hear about cybersecurity. So basically, we have some prepared remarks. We've handed our prepared remarks to them, so they have it in advance. You know, imagine this big, ornate state office building with this room which was filled with all these state representatives. And so I'm kind of, you know, on that hot seat. And so initial remarks, prepared remarks, talk about our cybersecurity program and talk about, you know, we've won many awards throughout the year. So I talked about that and some minor metrics as far as, you know, how many of. How many, you know, hits do we get on our network, right? And things like that that are kind of simple but yet interesting enough for them to. To hear about. And so those were all, you know, vetted, and we were prepared to talk about that, at least at a high level. And we had a list of all, you know, who's going to be there. So somewhere in the middle of that hearing, and the hearing was about an hour, hour and a half. So somewhere in the middle of the hearing, one of the representatives gets up, and this is public, right? So during the hearing, this representative gets up and he says, Mr. Avakian. Now, as he's talking, I'm looking, and he's. He's like. I'm looking at his placard. I'm like, okay, because he's kind of loud. And so he says, Mr. Avakian, you were talking about all the awards that you've won and all the great things that you've done and all the hits on our network.
So tell me, which are the countries that attack us the most? And I. I'm looking at the list, and I'm like, who is this guy? He's. He's not even on this list. And. And so kind of pause running through the question in my head. Did not expect this question. Look over to my left, and my boss says, whispers, answer the question. So again, kind of again, like, I don't know how much time is actually going by in this moment. Probably not a lot of time. So I don't have a lot of time to think. I'm being told. Answer the question. I've got this question I really don't want to answer, and at least not in a public forum. My intuition told me, like, this is probably not a good idea. So I said, sir, we see attacks coming from all over the world. So he doesn't stop there. He presses, no, Mr. Avakian, I want you to tell me definitively. I want you to name the countries that attack us the most. I said, sir, we see attacks from all over the world. So, anyway, funny story after this, so we. The hearing ends. He actually posted on Twitter that he asked me this question, but I did not answer. I think he wanted the sound bite. And I think the lesson learned there is if I had actually maybe if I was a young CISO, we kind of just new in the game and somebody telling me to answer the question, I don't know, like, would a young CISO actually take it literally and answer. And that would be a. Probably not a good idea. Like, so we want to make sure that we're not putting the network or our state at risk. We've got to use common sense and intuition, due care, due diligence, and really in the code of ethics to do what's right. And in that moment, we could always talk to him later in a private setting. But in that moment in the public hearing, I thought I did what was right. And again, feeling awkward about the question in general because I didn't expect it.
So that was a really pressure moment for me that I will look back on my career, because it's moments like that that actually shape you as a person. It's adversity. Right. And getting through these, that was an extremely adverse moment for me because you don't have time to react and you're being told, you're being asked something, you're being told something. You've got to really think quickly and feel that you're doing the right thing and still answer the question. And so that was a difficult situation, but I learned a lot from it. Again, I learned just feeling what's in your gut to do what's right.

[00:06:10] Speaker A: Would you answer that question the same if you were asked today?

[00:06:13] Speaker B: Absolutely. And the reason is it's truthful. Right. So there's a way to work with our legislature in a private setting. Right. So certain information based on a right to know law is not public. And obviously to safeguard the network. I thought I did what was right, and it certainly was based on the laws that we have here in Pennsylvania. But, you know, thinking back, had I done that, not only would he have had his Twitter sound bite that could have been on the front page of the Pennsylvania paper. Right. Like that's the sound bite he wanted. And that could have been really bad, not just for Pennsylvania, but also for my career. Right. So that was a pivotal moment, but.

[00:06:54] Speaker A: That could have turned into a diplomatic incident right there. Right?

[00:06:56] Speaker B: It would have been, yeah. And so you never want to disclose certain specific information. So that somebody, the bad actors, could get reconnaissance, right? They're already doing kind of that kind of reconnaissance. And to give any information like that is just going to put us at risk and add to that and draw attention right, where. To us where we don't really want that need unneeded attention. So I'd be creating this kind of an incident.
[00:07:21] Speaker A: Let me capitalize on that point, because I don't think it's, as, you know, understood really by putting yourself out there on the news now, all the hackers, all the, you know, the black hats, so to speak, are like, Erik said this. Let's check how his security system is, right?

[00:07:36] Speaker B: And so you're thinking of all these things are going through your mind, right, all the time, because you don't know when these moments are going to happen and you don't have a lot of time to think, right? So a lot of it is just using your intuition that you actually, you know, you build all these tools in your tool belt as a CISO, as you grow and as you get through these. The adversity and persevere through these very difficult situations, and then you learn from that. And so I had learned. I had chalked up a whole bunch of stuff through my time, so. And was able to handle that situation. So we just. A funny story, the hearing ends, we all go back to the office. And so the leader of the organization says, and not the governor, but just somebody else. And they said, so we're all at the roundtable, we're kind of doing a debrief. And he says, so you handled that question really well. So tell me which countries do attack us the most? And we all laughed. Like, everybody in the room laughed. It was like. And it was a needed laugh because that was a really tense moment. And to get the validation also in that moment was also good, right? So you did the right thing. But in that heat of the moment, that was extremely difficult, especially when he pressed and he got even louder in his. In his. The way he asked the question. So it's a very, very precarious situation. So I would think that that's probably the most challenging that I had. I remember that like, as if it was happening yesterday. So I can recount it.

[00:09:10] Speaker A: I would probably need a change of underpants. I'll tell you that.

[00:09:12] Speaker B: That.

[00:09:12] Speaker A: That's.
Some of these senators will come at you like a. Like a dog, right? Rabid dog. It's incredible.

[00:09:19] Speaker B: And everybody's waiting, right? So you've got all these other legislators, you've got media, you've got all these people, they're all waiting for you to answer the question. So it's very.

[00:09:28] Speaker A: Did it cross your mind to kind of educate him on why you can't answer that question, why it would be dangerous, or you didn't even want to say that?

[00:09:38] Speaker B: I think I did. I think, you know, to kind of clarify, I said, sir, you know, we. There's a lot of great information we can share with you in a private setting. Right. So I didn't want. I wanted to make sure he had that in case he wanted to do that. Right. So. So I did clarify after the private.

[00:09:55] Speaker A: Or did he just want the tweet?

[00:09:57] Speaker B: I think no. See, he never asked. I think he just wanted the tweet.

[00:10:00] Speaker A: Yeah, that sucks.

[00:10:02] Speaker B: He wanted the sound.

[00:10:03] Speaker A: So let me ask you this, right? This whole idea of cybersecurity and government is incredibly interesting to me. One of the things that I'm concerned about is that most of our representatives, they're not engineers, they're not software engineers, they're definitely not hackers, they're politicians. Is that gap in knowledge that they have. Is that a barrier to, let's say, keeping the American people and the American institutions safe?

[00:10:31] Speaker B: It really is. So you're spot on. They are definitely. There's a lack of understanding. There's a lack of awareness and understanding. Now, however, what I will say is, I think back in 2013, when the Target breach happened, you know, that was, to me, a pivotal moment in the world of cybersecurity, because that's when cybersecurity really became personal. You know, even they. Right. Were impacted by this thing. Well, what's this cybersecurity? I need to learn more about that.
So I think that as bad as that incident was for everyone, it helped certainly in this. In this respect with, you know, our higher ups in the. And the. In the administration and the legislatures, to really understand, you know, what is cybersecurity. I think the challenge becomes, though, that a lot of young CISOs, you know, that might have come from technical backgrounds, they're still using acronyms, you know, they haven't connected to align cybersecurity as a business issue. Cybersecurity really is a business problem, and it's all about risk, and it's how we communicate so that we can educate them. One of the things that we did is we'd make the rounds to different legislators, and we would do this and educate them in very simple language so that they would understand and they were interested to learn about it. So I think it's communication, and I think it's how we communicate with our legislators. They are interested. They, you know, they do want to learn, but they, there's a lot of information they don't know. And I think if we are able to convey it in terms that they talk in their words, then I think that's the best thing. And a lot of, again, young CISOs are still within the security land. They're talking about DLP and, you know, DDoS, and that's not going to work when you're talking to a legislator. They're going to, they're going to shut it off. They don't even know what you're talking about. So it's connection through communication. I mean that's a, that's something you learn over time, right? I mean you want to make sure you connect with people. But yeah, there's a definite gap. I think it's getting better. Right. Because of again, cyber's always in the news so they really have to know, they have to want to know. And I think there is a lot more of that going on.
[00:12:38] Speaker A: I think if there's one message that we could put out to every single security person, CISOs included, it is the skill to be able to explain and talk as if you're explaining it to your grandmother or grandfather or whatever or, you know, a 12 year old child. That skill is incredibly, incredibly, incredibly important and we should all work on that. So I dearly, dearly appreciate your comment.

[00:13:05] Speaker B: I wanted to mention just one more thing on that note I wanted to mention. So there's what I've learned as a successful way to do that. And this is something that, where I was in a class once or I forget where I was, but it was a really effective way when you can, when you're able to take a known and kind of align it with an unknown and so it becomes easier. So I would say just like we lock our doors when we leave our house or we lock our car. So do we want to practice good cyber hygiene and kind of, you know, we don't leave our crown jewels on the kitchen table and leave the door wide open. So it's using that kind of, I think examples that they can understand because they all have houses and they all have homes, cars. And so I think using that kind of a comparison, using a known to an unknown, I think does help bridge the gap. I found that to be effective.

[00:13:55] Speaker A: You know, I heard one that I never heard before. Just recently this gentleman was talking about our digital borders. So he was comparing like this whole idea of securing your borders from criminals to securing your cyber borders from criminals. I thought that was also another delightful usage of comparison.

[00:14:13] Speaker B: Very much so, yeah, I would agree.

[00:14:16] Speaker A: You said, and I'm going to do a little bit of a pivot here. You said cybersecurity is a team sport.

[00:14:22] Speaker B: Yeah.

[00:14:23] Speaker A: Why is that? We imagine the lone, you know, hacker trying to, or, or white hat who's trying to like, you know, save the day.
Why is it a team sport?

[00:14:33] Speaker B: Well, so I can start just at the front line. So we all want our end users to practice good cyber hygiene, meaning not clicking on things and reporting when they do see something. Right. So we want them to practice those good habits so it's second nature. Just like we lock our doors, they are part of the team. They are actually our first lines of defense. They are incident responders at the front line because if they see something, they can notify us and we can get a handle on it. So they're part of the cybersecurity team. When I think about it. So it is everyone's responsibility, it's the business's responsibility to be aware, know about it and make high level decisions that can benefit the program. It's the responsibility of the CISO to make sure they're communicating that risk. But when I look deeper down into the cybersecurity team and how we build and organize teams, I think of it almost as a like, think pick your favorite sport. Baseball, hockey, football, we all have our favorite sports. But if you think about sports, everyone's got a position on the field, right? And so, you know, if I'm a pitcher and you've got a catcher, it's, they're probably not going to do both or they're not, the catcher's not going to want to pitch and vice versa. Generally, you know, there's multiple people that have multifaceted, you know, just ways about them, multitaskers, things like that. But I think, you know, assembling your team like a, like a, like a sports team, putting the right people in the right positions and drawing from what they, what inspires them, what is their passion. For instance, if I've got a forensics person that just loves forensics, then I'm going to put him in that forensics and I'm going to give him all the training that he needs. I'm going to make him a forensics rock star and he's going to love it and he's going to stay because he's doing what he loves to do. It's part of his DNA.
Same thing with somebody that loves to write policy. See, the thing about cybersecurity is there's so many great different roles that. And some are so different. You can write if you like to write, then maybe you're great at policy, but the writer is probably not going to want to do forensics and vice versa. So I thought about it as assembling the team just like that. Putting the right people in the right positions based on how they tick, what makes them tick, what do they like to do, what drives them, what's their passion. And then give them the training and the tools they need to persevere. And just like a baseball team when you've got this kind of like a well oiled machine, everybody's working together for the common goal. Right. So in sports it is to win the game. And cybersecurity, you know, for putting out an incident, whatever it is, we're all working synergistically. One of the things that my CIO, former CIO, told me, which I'll always remember, and it was a hockey analogy and it's brilliant because it kind of exemplifies what I'm talking about. He said we need to function like as a hockey team where everyone knows where everyone is on the ice at all times. Now think about that. Hockey is such a fast sport, so the forward knows where everyone else is. Like he's passing the puck. And that's why it's so seamless. In a split second they're doing these amazing passes because they all know where they are on the ice. Same thing with a team, putting a team together so everyone knows where they are on the ice. And I think it's really that simple. And I think the retention problem goes away when you put these types of roles and align it with their personality.

[00:17:52] Speaker A: That's incredibly insightful. I think there's something about people enjoying working with people. Well, that means if you have that level of teamwork where it feels like you're playing a sport, it's incredibly fun. Even if you're doing very, very hard work.
I mean it's almost a brilliant hack. Right. To get the work done and to let people have fun at the same time.

[00:18:14] Speaker B: Yeah. And in state government you really have to do that. Generally it's hard to retain folks because they can go to the private sector and earn a lot more money. So what, how do we motivate our staff to do and to work harder and to. For the common goal. Right. And it's just amazing when you put it all together what teams can do. So I'm proud of the team that we developed here and, you know, it's definitely, definitely the accomplishment that I'm proud of.

[00:18:41] Speaker A: Erik, I love that we have one scripted question, and this is a difficult question. If you had to go back to, you know, 20 year old Erik, what would you advise him?

[00:18:57] Speaker B: That is a tough question. So 20 year old Erik, 20 year old Erik, I would say one of the biggest things, and this goes to anywhere in business. See, I think as cybersecurity folks, for instance, we go, we get our certifications and, you know, maybe we aspire to be a CISO somewhere or we want to grow, but we take the technical courses, you know, we understand networking and we do all that stuff. But I think what's critical that we miss and this happens or we miss. We're not learning communications, right? So we're not learning those fundamentals and they don't really teach us that in school. So those are things we either learn along the way in life, but if we were able to learn it earlier, we wouldn't maybe make the same mistakes that we would have made along the way, which we learned from, but maybe we didn't have to make them to begin with. I think again, communications is by far one of the most important things for a good leader to be able to do and be able to communicate with different types of personalities and, you know what, in the language that they need, right? In the ways that they need.
And maybe somebody's visual, maybe you need a face to face meeting, maybe they like to communicate over email, text, whatever it is, all those little nuances. If we had learned back in, you know, way back when, instead of maybe focusing so much on the technical side, I think that would really have gone a long way and I probably wouldn't have made some of the mistakes I made along the way.

[00:20:24] Speaker A: Erik, thank you so much for joining our show today. I appreciate you.

[00:20:28] Speaker B: Yeah, it's great to be here. Thanks for having me again.
