Michelle Sutphin Shares the New Normal of Security in a Post-COVID World
Every month ThreatSwitch hosts a webinar on a topic of interest to the security and compliance community. Thousands of security leaders and practitioners have attended these webinars, but not everyone has an hour to spare. That's why we'll be sharing our CEO's lessons-learned each month right here on the ThreatSwitch blog.
“Threats will be coming fast and furious – make sure everything is buttoned up tight.” -Michelle Sutphin
It was great to have a conversation with Michelle Sutphin about what she’s learning about managing security for an organization – and people – in a post-covid world.
(As a quick refresher, Michelle has 20 years of security experience, as well as nearly a decade in HR. She’s currently the CSO of SAIC.)
After the recap, check out the full transcript of the conversation as well as links to the resources she mentions. (Here’s the link to the full webinar.)
Here are three things I picked up from our conversation.
1. Things Won’t Be Going Back to “Normal”
Prior to the pandemic, there was a lot of “togetherness.’
So much time was spent in-person in conference rooms and vehicles because, of course, a fair amount of travel was part of the job.
Then COVID hit and everyone was forced to scatter to their homes. Some people loved the flexibility while others suffered from a lack of actual human interaction.
As we began to emerge from the largest threat of the virus, many assumed that it was time to go back to “work as usual.”
But it’s not happening.
Many employees have realized similar or even better productivity working remotely, while avoiding the stress and complexity of long commutes; many are no longer interested in roles that don’t give them flexibility.
Many organizations have found ways to save money by having their employees work remotely and the focus needs to shift to maintaining morale and dialing into the security basics that slipped during the pandemic.
2. Flexibility and Turnover
One of the issues that is plaguing every industry – not just the security space – is turnover.
We’re experiencing double the normal turnover rate and there are a few reasons.
- COVID forced people to take stock of what’s most important in their lives. Many people decided they weren’t happy with what they were doing and made a career change.
- Others realized how nice it was to be more available to kids at home, for example.
- Some employees were ready to make a move before the pandemic and the upheaval of life as they knew it caused them to stay put for the time being.
It’s not shocking that a high rate of turnover puts more of the workload on everyone else.
Take steps to retain people by being as flexible as possible, making them feel a sense of loyalty.
3. Security Awareness Training & Education Are Vital
And it starts with getting back to the basics.
During COVID, government inspections fell by the wayside and complacency slipped in.
Michelle advises organizations to put an emphasis on security awareness training and education in order to make sure the bare bones are covered. Inspectors will not be looking for the bells and whistles, rather they’ll be looking to see if you’re in compliance.
She suggests making sure all the security basics are in place and then you can layer on the extras.
Take a Note From Michelle
There’s so much more that Michelle Sutphin had to share and I highly recommend that you check out the webinar, if you haven’t already.
She talked about the fact that communication is more important than ever, as well as provided some great tips for connecting with your remote workforce.
Plus, she shared the procedures and processes that are working for her and that might get results for you, too, including the tech tools that are bringing everything and everyone together.
Here’s a list of the resources mentioned in the webinar:
- Self-Inspection Handbook for NISP Contractors
- Dare to Lead by Brene Brown
- Radical Candor by Kim Scott
- The Power of Vulnerability (Brene Brown on YouTube)
If you missed the webinar, you can catch the recording on our resources page. You can find the full transcript of the webinar below.
Transcript
John Dillard
Okay, everyone, welcome to the webinar. Happy to have you. Thanks for joining us for our conversation on innovative solutions for post COVID security challenges.
I am delighted to welcome Michelle Sutphin for this month's webinar. And many of you know Michelle. I'm thrilled to have her.
She is currently the chief security officer at SAIC. In that role, she's intimately familiar with how to try to fix some of these issues and is dealing directly with how to handle COVID.
I'm John Dillard. I'm the founder and CEO of ThreatSwitch. Many of you know us already. We build software to help companies solve problems around security and managing programs. We love to host you guys and share our thoughts and bring good speakers to the set and Michelle is certainly one of those.
Before we get started, just a few administrative notes, so that everybody knows how to get their questions in. You can submit questions throughout the webinar using the Q&A button in the Zoom tool. Everybody knows Zoom pretty well by now, I think. Hit that Q&A button, submit your questions and we will work through those. We'll actually get through a conversation first, and then we'll save the questions for the second part of the conversation. We will get to those. If we miss any, we'll do our best to follow up with you on those.
If we don't get to anything, we will, or, if there are pieces that you want to share with a friend, we’re going to record these, and it will be posted on our website so you can get to it later. So that's how it works.
And with that, I'd love to introduce Michelle, as I mentioned to you, CSO at SAIC. Michelle has also done a bunch of other stuff, as you guys know by now. She was industry spokesperson for the NISPAC for three years, which I'm sure many of us saw her for the first time speaking in that role.
She did a ton of that VP of security at VA. And, really, 20 years of experience in security and a starting point in human resources, which I think you'll hear in our conversation today, it’s going to weave in a lot of Human Resources topics.
Michelle, among many other things, has been Washington Business Journal's 40 Under 40. There are a lot of people under 40 in Washington. So, to get down to the top 40 is pretty cool. Which is neat. And I'm sure she's still under 40. Now, I can't prove it. But we'll just pretend she is. I'd leave that on your bio forever.
With that, you know, I'll stop sharing my screen so we can get into the meat of the conversation here.
Michelle, you know, I'd love to start the conversation by just hearing a little bit about how in the world you ended up doing this in the first place. That's often where we start most of the folks on this call, and certainly I'm no exception. It was a little bit accidental.
And I just love to start with the story. So how'd you get into all this stuff? What was the first thing?
Michelle Sutphin
Well, I think that a lot of people in security either fall in one of two buckets. I'd say 90% of us fall in one of two buckets. We either were former military, or somehow, some way throughout our careers, someone looked at us and said, “Hey, do you want to learn security?”
You don't ever have a four year old saying I want to be a chief security officer when I grow up. It's not a profession that is really talked about. We're either suckered into it, or it's through military experience.
I am the latter. I was suckered into it. I started out in human resources. I was an English major in college, I interned in the human resources department. One day, my boss said to me, “Hey, our FSO is going to be (inaudible) to HR. She's never had a vacation. Would you like to learn how to be her assistant FSL?” And I said, “Sure, it might be fun to learn how to open safes and get a clearance. Why not?”
Three months later, the FSO was let go. And that same boss said, “Hey, Michelle, do you think you can actually learn how to do the whole thing?” And I said, “Sure.” So, I was actually dual-headed for quite some time, because it's a tiny company – only 400 people. I was dual-headed, both HR and security, for a couple years after that, which was a great thing.
I mean, it taught me so many different things regarding personnel human experience, but also the security side. Then we were bought by Northrop Grumman. And when we were bought by Northrop Grumman, they said to me, “Okay, this is a really big company. You need to pick. Are you going to be HR or are you going to be security?” And honestly, I loved them both equally.
The reason why I picked security was because I honestly felt that I could make my way up the corporate ladder faster in the security profession than the HR profession. There are so many HR professionals out there and I felt it was less cutthroat than security. So I chose that route. And here I am. Here you are.
John Dillard
That tracks. For my part. It was both suckering and the military. So there you go. (Inaudible) navy and somebody said, “Dillard, you have to do this.” There you go.
Yeah, not uncommon, but you have a new role (inaudible) now.
So, one of the things that, you know, we talk a lot about, what different roles are in security in different companies. And that comes up in a lot of conversations. What does CSM mean for SAIC? And how is your, what is your new role about, and how do you, how are you seeing yourself? And where do you see it headed?
Michelle Sutphin
Oh, great question. So actually, the scope within SAIC is quite large under security.
Basically, the only security thing I don't have is the Cisco role. So within SAIC, Cisco reports to the CIO, and myself and the Cisco partner very closely together.
Everything else is mine. So, I have the isms and the isos. I have guns, gates, guards, I have the (inaudible) crisis management actually falls under me at SAIC, it doesn't always fall under security at all companies. Insider threat, obviously. And personnel security is really the meat of what we cover.
That's a lot of stuff.
It is in that context. I mean, I mean, the topic today is the post COVID environment. I mean, you're obviously in a leadership and management role over a VA before this. How you manage their while probably Kevin was starting, I guess was a little bit half and half. How do you view this transition of management from pre COVID to post COVID, given the scope of all the stuff that you have in the CSO job jar?
What are some of the biggest differences from pre COVID to post COVID from a managerial perspective, just from working with those disciplines, and the ownership of the functions and how you run it?
Great question. So I did have the lovely experience of changing companies in the middle of a pandemic, which wasn't easy onboarding, 100% virtually. In fact, I didn't meet my actual boss in person for five months.
When I got to SEC, the SEC is really virtual, which is great. But I would say when I worked at B he it was it was pre COVID. And it was during COVID. And everything was all about in person and touchy feely and in person meetings. And we spent all of our days in conference rooms or in cars. I was commuting three to four hours a day, I commuted about 40 miles. And so lots and lots of time on the phone and lots and lots of time in meeting rooms, zoom, we did some zooms, but nobody ever used their cameras. being on camera was weird. People didn't like it.
So it was it was everything was just phone and in person. It was a lot easier to manage your people obviously because you can reach out and touch them. And of course travel, emphasis on travel, I was going everywhere I was going to all my sites we were everybody was always on a plane, we were always talking in airports, and then COVID hits, right so at bat, it was myself and the Vice President of safety were really primarily responsible in the beginning for managing the crisis.
We were very concerned about international travelers at the time. And one of the first things I said was, do we have enough licenses, if we need to make 20,000 people all of a sudden start working remotely be he had actually just was in the middle, just coincidentally of upgrading their licenses pre COVID. So by the time we had to turn everything off and make everybody go virtual, we were ready. We were prepared and ready and that was a big thing.
Then, of course getting used to Zoom and cameras and you know, how do I look on camera and how do I work the audio and, and of course commutes and travels stumped. So what really became an emphasis was communication, communication, communication, how do we communicate? How do we talk to people? How are people feeling there was a big push where people were just depressed. There were lots of extroverts that hated being sequestered. And there were lots of introverts that were like, this is the greatest thing since sliced bread. So it was a complete flip of people personnel, their working styles.
So now that we're starting to kind of come out of this and your question is what does post COVID management look like? It's really a hybrid, right? So now companies, the focus is either return to work or return to normal.
I personally don't feel like we are ever going to be back to where we were pre COVID. Um, so we have to figure out how to work and function in this new environment. I would say one of my personal large focuses is maintaining morale. It's very, very hard to reach out and touch your people when you're not seeing them in person, when you're not going to sites, how do we maintain morale virtually?
And then from a security perspective, because I'm a manager of people, but I'm also a manager of security for a large enterprise. So from a security perspective, we can't allow complacency. And I think that that has started to happen industry wide, where the government wasn't coming to our sites to audit us.
So because we're not getting audited, we're getting a little more complacent. Because we're at our homes, we're not, we're not going to drive in and inventory. This saves as much as we used to. So we really need to watch out for that complacency piece, because as soon as we start getting complacent, that's when you're going to start getting insider threats and external threats, and all those other lovely things that we need to work through.
John Dillard
Awesome. That's a helpful context. I mean, pulling the thread a little bit on that workforce. And you're, you're one of the people that turned over, right. And the thing that, you know, we talked about a little bit in preparation for this conversation was General workforce turnover. And that's not just people leading it's also people joining and you having been on both sides of that. I'm curious how SAIC is viewing it, what you're seeing, what data you're seeing in your company and across the community, on turnover and what that means.
Michelle Sutphin
So I will say, I am dealing with this topic every day. One of the things that our HR department has warned us about and this is true industry wide. During COVID. Everybody froze in place, people were scared to move. And frankly, companies weren't opening racks. Everybody was frozen in time. So you could have had a lot of people in your workforce that wanted to be moving and changing jobs pre COVID but decided not to when COVID hit.
So now that we're starting to come out of this, companies are starting to post more requisitions and employees are starting to say okay, Now's my time to move. So not only are we getting all of the residual freezes of people not leaving from COVID but we're also getting the regular turnover on top of that. So we're experiencing about double normal turnover everywhere. This isn't just security. To compound that it's no secret that cybersecurity is the thing right now. And I'm no AI as well as a lot of other companies are having a really hard time keeping their cybersecurity professionals there isms there is those there are administrators, because they're able to get paid a lot of money.
And people are willing to pay whatever it takes. So these people are just moving and jumping ship. The other pieces COVID allowed us to reevaluate our lives and what's important. I had an employee when I got to SAIC, she was a phenomenal person. She was one of my directors, she had been with sec her entire life, she started in security right out of high school, been there for 18 years, one day, she came to me and she said, “Michelle, I don't want to do security anymore. I want to go be a dog trainer.”
And that's what she did. She left and she became a dog trainer. And, and we're starting to see a lot of that where people are reevaluating their lives, trying to figure out what works best for them. We have a lot of people that they're moms and they have kids at home and they want more flexibility. And they want an employer that's going to allow them to work from home.
And so, you know, it's very difficult in security to allow your entire workforce to work from home. But one of the things that I've been really pushing and SAIC in general has been pushing is a more flexible work schedule, a more flexible work environment, doing some in person work doing summit homework. I think if employers are not willing to do that and go to that model, they're going to see more turnover than the companies that are more flexible.
Yep. Yeah, that's amazing, and great anecdotal stories, too. Um, so. And I think there are a lot of folks who are the same ones. You mentioned the turnover in the security team, especially the cyber related roles. How does the turnover affect the security team's workload for you guys, or what have you heard stories about in terms of the changes in what we're having to spend time on as a community as a result of that turnover?
So I'm really going to focus on the isms and the Essos because this is where I'm really seeing the spike. I will say one, people don't want to work in skiffs anymore. And you have COI hitting you have 801 71 you have cmmc you have cleared people working in skips that could make the same money at home.
15:00
Supporting unclassified security stuff. And they're just like, sorry, this skip thing isn't for me. So they're leaving to go to these unclear security positions, and which to your point increases the workload of the people that are left. So again, that's where I'm going to morale, like, morale is tough. And especially in those types of environments, and we're trying to figure out how to how to fix that. You can't always throw money at a problem. I mean, paying somebody more isn't going to necessarily make them happy. having great salaries will help a lot with the recruitment piece.
But what I keep emphasizing to my team is we don't need to just worry about recruitment, we've got to be worrying about retention. retention is just as important because you can bring somebody in and if they leave three months later that does you no good, and you're back to square one. So I think we do in general, just to get better at being human beings.
As managers, we need to reach out to our employees and just say, how are you? What are you good at? What do you like to do? What do you not like to do? How can we best fit you where you belong, and enable you to be happier in general, not just in work, but in life, because employees that feel they're listened to, they're valued, that they're happy that they have the flexibility they need, they're going to be more loyal and more willing to stay with the employer. And again, I go back to employers that are unwilling to have that type of flexibility and are going to be treating employees like they were treating them pre COVID, they're not going to have very much success.
Well, that's my next question? Perfectly, which is, I mean, really digging into remote work specifically, I think there are a lot of folks, and some of them, I'm sure are on this call. And I know we have customers who have this perception that there's a sense that there's probably just a temporary blip, like, okay, you know, the markets are hot right now, COVID is going to die down. But, you know, a year from now, two years from now, three years from now, we're going to be back in our offices. And the sooner we can do that and get back to that model, the better. It'll be
John Dillard 17:17
I'm curious what your thoughts are on that. And whether you think this is it's certainly a temporary shift we have to deal with or if there's something structural happening in our workforces that is irreversible.
Michelle Sutphin 17:26
I truly believe that this is more permanent than not for many reasons. One, I think there are a lot of employers and SAIC is included, where they are looking at this as a financial set cost savings opportunity. And across the board SAIC is reducing facility footprint to save money on leasing spaces.
So we are asking is all of our non essential employees to permanently work from home? We're not planning on going back. I know there are a lot of other companies that are doing that. And there are some companies like Apple, it was just in the news, Apple is like, nope, we want you guys in person, because the water cooler talk is what sparks creativity. So I think you're going to kind of see this shift, and I think you're going to see this migration of people going to one employer or the other depending on what works for them and their lifestyle.
But I don't think we're going to have what we used to pre COVID. Um, it's, it's going to be very, very interesting to kind of see what happens. The other piece of this is you have to keep in mind, this COVID pandemic enabled all of these companies and governments to actually work crisis management plans on a large scale for the first time ever, really. And it got so much that we're all really good at it now.
So I have a feeling that anytime there's a new variant, or heck, even if there's just a bad case of flu, governments are gonna say, “Hey, let's declare a state of emergency for a week or two and let this stuff calm down.” And employers are gonna say, “Oh, yeah, that's easy, we can just turn on Plan A, B, or C to go with that state of emergency.”
So I think things are going to be flipped on and off a lot faster than they were before because we all got it down. Tokyo just announced today that they're declaring a state of emergency and that they may not even allow any spectators at the Olympics. Now, last year, they just canceled the Olympics, but now they're like, no, we're gonna hold it. But we're just going to flip a couple switches. And we're going to we're going to change things according to risk. And I think that's what we're going to start seeing.
John Dillard
Well, it related to those risks, especially as as as it relates to remote work. I mean, they're the ones that are obvious, right? So okay, if everybody's working from home, there is Comsat, kind of, you know, family issues where you know, you're worried about whether or not the working environment is safe, and I think everybody kind of knows that. But I'm curious what your thoughts are on other security risks that are a consequence.
Michelle Sutphin
Maybe below the service that we're not thinking about because of remote work that are important for this community to understand as we make this transition. So I think a really big one is going to be see why.
There are new storage requirements for COI, there are destruction requirements for C UI, you know, you have to have a classified shredder to destroy the UI. And I guarantee you, these hundreds of 1000s of people working on SEO at their homes are not going to have an NSA approved shredder in their home office.
Right. So things like that, that we're not even thinking about. I think that companies need to have formal work from home policies in place with agreements that employees say this is what I agree to do. I think security needs to play a big role in those policies. And being able to say, this is what we expect.
Also to you know, we talk about facilities and you know, I was having a conversation the other day, oh, you know, SEC has 180 facilities, and you know, 180 security, people walking the halls, and I kind of stopped that I'm like, No, we have 15,000 facilities, because we have 15,000 people working from home. And when you're working from home, you don't get to walk down the hallway and CSRF. So are your security manager and be physically reminded of these security practices.
So I think security awareness training and education is going to have to be part of the corporate culture, there are going to have to be a lot more than just open up a PowerPoint and click through some slides, security is going to have to be part of the ethics, the the behaviors, everything, and it's going to have to be flowing through the blood of companies with all these people working at home. And to your point, yes, and you could have foreign nationals in your home. You can have competitors in your home, right? I mean, you can be married to somebody that works for a competitor, and you're on this big zoom call and it's blaring through your office and your wife or a partner next door can hear it.
So I mean, it's all of those things that always existed before, but I think they're just magnified 10 times now. because more people are just avoiding the office. In that vein. I mean, in your view, I'm sure you've done both well and poorly. Are there specific policies, processes, or technologies or, you know, tech ways of solving problems that are just particularly poorly adapted to this situation that we might be clinging to, because we've always done it a certain way that, you know, we're really that particularly are ill served, or ill suited to serve our new workforce. I think that we are very careless with communications over insecure comms. We've gotten very, very careless with cell phone conversations and hack, you know, even as zoom call, I think we need to do a better job with encrypting emails.
I will say one major huge thing that all companies saw a spike of was employees for sending work emails to their personal email addresses, their Gmail, their Yahoo's because what employers did, they thought they were smart, and prevented employees from printing. So what employees would do is they'd send their work documents to their personal email addresses so they could print on their personal computers.
So not only are you having all of this gobbledygook in, in Gmail servers, but now you're printing sensitive not and this isn't classified stuff. But this is still sensitive stuff. You're printing this stuff, and now you have it hardcopy in your house, and your foreign national housekeeper is taking your trash out for you. I mean, this is this is nuts. This is nuts.
So I think that, you know, we all had to make these decisions on the fly during COVID. But now we really need to get down to brass tacks. And we need to formalize some of these procedures. And again, that's where I go back to. I think we really need to have some better agreements in place with telecommuters and employers to really let them know what our expectations are of them. There was no policy that ever said you can't email your Gmail like, no, no company is like, Oh, no, we need to write that policy. So I think we need to kind of get caught up. Well, speaking of policy,
Michelle Sutphin
You know, I in the vein of what, what doesn't work very well anymore.
John Dillard
You know, there, there are a whole lot of regulatory changes in the last five to eight years for this community, and you rattle off several of them. I mean, for me, it kind of started with the insider threat have been years ago and he's never stopped. It's just been something every single quarter. What in your view, are the are the weaknesses in the current policy structures that we have and which of these things are just don't work well, or even if they were designed two years ago just don't work in the new environment well enough that we might have to figure out how to how to handle it a little differently. Um, I don't want to necessarily say there's policies that don't work well, especially since I was a big part in helping formulate a lot of these policies sitting under this pack five years ago. I do want to say, though,
Michelle Sutphin
the policies, I worked alongside the government and provided input on those, I was at the National Archives, at least once a week talking to the policymakers on behalf of industry saying this is what's needed. This is what needs to be changed. I want to say they listened, they were amazing. And they made a lot of strides. And a lot of changes primarily because industry was saying to them, this, this really isn't working anymore. It was, but the problem is, those policies were rewritten five years ago.
So the seeds you're seeing now. And the new Nusbaum, you're seeing now was what I was working on five years ago in room, lots has changed in five years. So when I'm seeing this policy and legislation now, there's so many more things that I think we could change. But unfortunately, I don't think we're going to see that change for another five years. So I don't want to sit here and rattle off and say, all these things aren't gonna work. But instead, what I think we need to do, and what we really need to focus on is the fact we need to make sure we're complying with what's there today. And going back to what I said before, about, you know, we got complacent during COVID, and security professionals weren't in the office as much as they should have been.
And I'm concerned that, you know, the government's going to start converging upon industry to start auditing, they're going to be auditing to the newness calm, not the oldness phone. So the self inspection checklist, I think, hit the street this week, all that very exciting. So I would encourage every single person on this call, the very first thing you need to do is with a lot of enthusiasm is go through that new self self inspection checklist and make sure you're good, because the government's going to be walking in soon. And, you know, we've got to be in compliance with that municipal by August.
So I think I think that's the big thing, John, that's, that's one of the really big things. Um, and so the other piece is, um, when COVID hit, people who were sitting at government sites, you know, in a row and CIA and all these places, the government was locking down those large sites. So what they did instead was they pushed a lot of the government employees into contractor spaces. So for the first time, you have the most physically diverse classified workforce more now than ever.
And I think, because of that, they're going to be relying on classified communications, unclassified, secure communications, which is going to make cybersecurity professionals even more in demand than they already were. Because this, this whole backbone of classified communications is really, I believe, going to be the future in the heart of what we're trying to accomplish. You also got to keep in mind to the military, they're starting to put secret comms in their houses. And, you know, I think we're going to be seeing more and more and more of that. So our policies, and our procedures are going to have to adapt to that new type of workforce.
John Dillard 28:35
Yeah, that makes a ton of sense. I mean, in terms of the I want to pull the thread on the inspection thing that you raised. I mean, and we did, I got that new self inspection checklist, which, by the way, is very weird, but kind of neat that we all get excited about a self inspection checklist in this only in this community, right? Would people nerds like that? Totally. Um, I sent it out of my employees with a no, I'm very enthusiastic. So if you think about I mean, to me, it felt like a little bit of a warning salvo to say, Hey, we're coming, we're coming back. How do you think that that process is going to be similar or different? You have a lot of them right. And dcsa is not the only one. You have the third party auditors for CMC. There are other regimes that are agency driven. How do you think that that onsite inspection process changes? And I'm curious if you've heard me think because I know you talk to the government folks a lot too.
Michelle Sutphin 29:31
So um, you know, dcsa is also in the middle of changing their rating scale, and how they do ratings. And I haven't dove really deep into it yet. But on the surface, what I'm feeling is that they're going to be moving a lot more away from the bells and whistles, enhancement type stuff and they're really going to be wanting to focus more on? Are you in compliance? Are you doing the bare bones? Do you have the baseline security program in place, and I don't necessarily feel that's the wrong thing to do, um, you know, threats are going to be coming fast and furious. And I think we really need to make sure that we have everything buttoned up tight, and then layer on top, the bells and whistles and the fun stuff, and the security posters and all the other things that we do to get credit for our superior ratings
But we really, really, really have to understand what's going on in our companies, we need to understand our programs, we need to understand the threats, we need to have a solid understanding of the COI stuff, because that's UI stuff one day may become classified, you know. And we need to really have a better handle on on opsec. And kind of go back to basics in a lot of ways. And I think that the government is probably gonna be going in that direction, when they're coming out to see what we're doing and what we haven't been doing. I know if I was an auditor, and I knew a workforce hadn't been in the office for a year and a half. That's what I'd be doing.
John Dillard 31:07
Yep, yep. Awesome advice. That's good stuff. Well, I want to pivot a little bit, and really shift into solutions. And you know that that is, the title of the webinar is innovative solutions, you set the stage, and you sprinkle your answers here with a bunch of good ideas that and I've been jotting them down. But I do want to ask, you know, specifically, and I kind of think about this as people process tech kind of way, typically, what specific ideas or new practices? Have you seen work well, or are you deploying that you're very excited about. And we can start with the people or human capital, what are a couple ideas that you can share with this audience about, hey, do these things, and you might see some great results. So
Michelle Sutphin 31:54
when we're talking about people, I'm going to talk about me managing my security staff versus me touching my whole company. from a security perspective, that makes perfect, perfect. So there's about 180 people in the sec security organization. We, I think, do a really good job. And I'm not going to take credit for this because when I came into sec, they were already doing this, they do such a good job of communication and touching base with each other. We have zoom meetings, one to three times a week with various levels of folks.
We have meetings that are very tactical, like okay, this is what's going to happen. But the piece that I really started to add in when I got here is the human aspect of this, right? Like, we all get Zune fatigue. We are all tired of being on camera all the time. So there's a couple things that we did. First of all, I told my team, no internal meetings on Fridays, Friday, you can have meetings with other people, other functions are outside of security, but we're not going to meet with each other on Fridays at all. We need to give people a chance to rest, recoup, get their emails done. Because when you're on zoom eight hours a day, you can't get to your emails, Fridays or day to catch up. The thing is, we said, No meetings that are 60 minutes long meetings are going to be 15 minutes long. Or if you want to half an hour meeting, it's gonna be 25 minutes long to enable people a chance to take a break between meetings.
You know, when we were back in the workforce, we could walk down the hallway between meetings and you have that natural break. When you are sitting and planted in front of a screen for eight hours and you have meeting to meeting to meeting to meeting it gets exhausting. one on ones. I tell people, take them outside, take them on your deck. Let's do it on the phone. We're not going to be on zoom. Take a walk if you want to when you're doing your one on one with me. Like I'm trying to encourage people to just kind of get off their butts more just for health reasons.
The other thing that I did, one of my idols is Renee Brown. She is a great speaker author. She talks a lot about leadership and leadership soft skills. And the leadership soft skills is one of the things I've been really trying to ingrain in my folks. So I started a book club during COVID it was the CSO book club, we play have a copy of it or Oh, here it is. We read Brene Brown's dare to lead. We talked all about the different ideas of what makes effective leaders. We did it over about six weeks. One of the things that Brene Brown introduced is the concept of the rumble session. And a rumble is basically talking to somebody in a professional direct way, getting everything out on the table but being able to have an honest dialogue about core real issues.
So once a month, me and my team do a rumble and we don't talk about Tactical stuff. We have different topics every month, and we just kind of are brutally honest with each other. Our last rumble was about diversity and inclusion. How do you guys feel about it? Do you think we're doing a good job? Do you think we're doing a bad job? What more can we do, and we just have Frank, real raw discussions.
I think by bringing that humanity into the workplace and making people feel one valued, and being able to build that trust with their peers, all that does is increase communication, and, and productivity. And people just feel better about coming to work. Even if it's just sitting in front of a computer. I will also say that the CSO Book Club was so successful, I asked our CEO to come speak to us for our last session. Not only did she come, she spoke to us for over an hour, she was amazing. And she gave 50 security professionals just a great insight into her leadership journey. So this type of stuff is embraced, I would say corporate wide at SAIC, that's fantastic.
And by the way, just as a side note to the audience, all these things that are coming up and great ideas from shell books reference, we'll make a list of those, share them with both the slides and the recap blog post of this webinar after afterwards. So all of these nuggets will be easily accessible. So continuing on this on this vein of good ideas.
John Dillard 36:28
Those are fantastic people thoughts, process and procedure, especially post COVID. what's working well, what are the new ones that you've tried that have that seem to be effective? Or what are some things that you've heard of that might be particularly well suited for post COVID environment given all the trends we've talked about?
So I you know, I think of this isn't like any innovative thing I think this is we need to really focus on back to basics. And we need to make sure we are doing the bare bones. So much so that i i put in place a formal internal audit group within the Office of security, because you know, I don't like episodes drinking their own bathwater. Like it's great.
If an FSO sits down and goes through their self inspection, it's 10 times better if a peer comes in and sees what they're doing with a new set of eyes and says, Hey, did you remember to think about that? Or what about this, also to really like to leverage the new thought processes coming into the organization. I've had some some good hires from Boeing, and Northrop and some of these other great, amazing companies with solid security programs. And they're able to contribute and say, Hey, did you guys think about doing it this way? So I think,
Michelle Sutphin 37:41
to answer your question, not focusing on that's the way we've always done it, and being more open to different ideas, different aspects of Hey, did you think of this, and also making the government your partner? So many times we look at the government as our enemy, and oh, my gosh, you know, they're just nitpicking this, but look at most of our partners, they have great insight into threat information, and threat data and what's coming down the pike. And it's a good thing to listen to them. And they have some really great ideas of what we should and should not be implementing.
John Dillard 38:17
Excellent stuff. Good advice. Last piece, and then we'll we'll start to pivot and get some audience questions in here. Tech, and by technology. I mean, it really could be anything, it could be products, you're using practices partnership with the technology and cybersecurity team, what what's working, what are some things that seem to be taken off, especially given the remote workforce and some of the changes we're dealing with? So I will say one of the big things that most companies are starting to push is Microsoft Teams. Um, you know, I didn't even know what teams was six weeks ago. But you know, we're starting to implement it. Now. Now that I've started to see it in action, it makes a lot of sense. Um, you know, it's for those of you on the line, you haven't used teams, it's basically a combination of Microsoft Office Skyping, and aiming a calendaring, and email all mushed into one application. So you're, you're literally working and collaborating real time with each other.
Michelle Sutphin 39:23
And it makes things so much easier having everything in one place. And because it's called teams, you can have different teams working simultaneously. And you can pop in and out all the time. And I think from just figuring out where we are at any given time, and all the different projects and things that we have going I think it's a great tool, and again, a great resource. I think we're going the way of the dodo with you know, SharePoint and Access databases, and spreadsheets and all that kind of thing. I think the name of the game nowadays. As more ways in which we can collaborate, live, and how we can better work a synchronistically as well. Turning on your computer and seeing 500 unread emails is just not how we do work anymore. We really have to move away from that and figure out how to do things more efficiently and more collaboratively, while not also all being online at the same time. So we're also dealing with different time zones to.
John Dillard 40:31
That's awesome. And I like that last part is a software company. That's good news for me if you're right, right, so the email comment and you mentioned it earlier in the conversation, too. And internally, we happen to use slack and your customers using Microsoft Teams or Slack, I'm basically getting the hell off of email, excuse my language, because it is dangerous, and not very helpful a lot of the time. So that's that, that's pretty interesting stuff. Pretty cool. Awesome. So I want to be able to get some questions from the audience. And usually what we do here is we pause for a second, we will typically ask the audience if there's anybody who would like to hear from a threat switch about what we do and how we're helping solve some of these problems. So you'll see a poll question pop up? To answer that question, while that poll is running. I would encourage everybody to go to that q&a button, and submit any questions that you may have for Michelle, and we'll give you a little bit of time to get to do that. So with that, you'll see it all give you guys a few seconds, do it. Anybody who's already answered, type a great question for Michelle. I keep getting requests to sing Jeopardy music and I'm not going to do it. Refuse a bad singer.
Michelle Sutphin 41:49
Terrible, terrible. I can't sing or dance. That's why I do security.
John Dillard 41:57
There's good reason. We should maybe we should do a poll question on how many good dancers there are. I think it'd be a very poor result. But I can often say, actually, that's not true. Lynn McCann, who was one of people I worked with at the army on reforming personnel security was a national level, Irish national. So they're out there, they're out there. Alright. So thanks, everybody, for doing that. We'll close it.
Now let's get into some questions. The first one I have, not surprisingly, is about the things that have to be on site. And this is from Rick, how do you how do you handle the disciplines and security that simply can't work effectively from home? Or how do you balance that with certain functions like skip work? That is it mixing it? Is it simply having a different class of employee? I mean, how are you guys tackling this issue.
So when COVID hit and again, COVID hit before I got there. So this was kind of the process they put in, it was basically just mission essential, and non essential. And the mission essential came in every day. And the non essential we made it work. Now with a lot of even our mission essential employees, what we tried to do is help them as much as we could with their work schedule. There were a lot of dual income parents with little babies and daycares were closed. And so what we would often let them do is you know, hey, if a spouse gets off work at 6pm, you can go into the skiff at 7pm and work till you know 3am or whatever it takes.
We did allow that in circumstances where it made sense and where the customer didn't have an issue with that where you didn't need live support. Maybe like patching and stuff like that, or classified systems. But the other professions we tried to be as flexible as we could our personal security folks primarily got to work from home with the exception of the ones that had skiff work to do.
You know, the insider threat team got to work from home, our crisis management team worked from home, a lot of the fsos, who didn't have to be in skiffs a lot of them would split their time, partially in the office and partially at home. We just tried to make it work the best we could. But we don't have any hard fast rules. And I do that intentionally because every person's circumstances completely different. And I emphasize to my managers to be as flexible with their workforce as possible. And again, this is a team effort. This is a collaborative effort. The employer needs to be respectful of the employee and the employee needs to be respectful of the employer. The employee has to know that they're getting paid for a reason to do a job and I think when that respect goes both ways, and you can make it work that It's not as an impossible task as a lot of people think.
Awesome, good stuff. Really good question here on the new self inspection checklist, which by the way to remind everybody, I'll post a link to it in the follow up slides, so that everybody can link directly to it. So we'll get that out to you. But this one is on the self inspection checklist specifically, on the fact that the UI is in there, which is interesting. And the questioner here points out that that's not really in the scope of 32 CFR 170. So is there a slippery slope? Or are we going to see some overlap here between unclassified and classified? What are your thoughts on this issue?
This is the golden question. Right? So no, it's not in the new CFR. However, a memorandum was put out by God. Oh, gosh, I think it's about two years ago now. That gave cognizance to dcsa over COI for cleared contractors, so so that cognizance is there? So even though it's not in the this palm dcsa does have some authorities oversee why the big million dollar question is, what are those authorities? And how are they going to manifest and dcsa is figuring that out right now, I don't believe we have anything concrete that we can point to right now.
Michelle Sutphin 46:22
Here we go. Sometimes the unknown is the note.
John Dillard 46:27
Another question here on again, a people issue. Lots of turnover. And so a lot of companies are facing just gaps in the workforce. And it could be, especially in the security team, because of the issues you mentioned, especially with the cyber roles. What are your thoughts on how to support employees who are simply going to be overworked? I mean, there's really no way around it, security requirements don't change, you're down for people in your team, you got to cover how can we best support those people who are left holding the bag until we can plug the holes?
So again, this goes back to the human aspect, right? If you know your employee, and if you have a personal relationship with them. And if you understand how they tick and what makes them work, then it's not that hard to pick up the phone and call them and say, What do you need? How can I help you? I had that exact issue, we had a major problem at one of our sites. And we needed all hands on deck. I had six people working in an unaired condition conference room for eight hours solving a problem in the middle of COVID. And we were sending the pizza and like making sure they were properly fed. I personally called the one particular individual that was working like 60, 70 hours that week, I personally called him and I said thank you for what you're doing. What can we do? How can we support you, I assure you, a records open we're going to be giving you help soon. This is our plan of action for getting you help.
And I think just that goes a long way. If employees can see the light at the end of the tunnel, and just don't feel like they're being ignored, and they're just getting more and more work piled on them, then I think they're willing to kind of hang in there.
And then of course, when the crisis is over and the dust is settled, give them a bonus, give them a spot bonus, we made sure that we did that to like, “Hey, thank you, here's an extra $1,000 for what you did, we really appreciate it.”
Just treat people like human beings. Great advice. Thank you goes a long way. One of the first things you mentioned was you were talking about the scope of your role as CSO. And that you have a Sisa and that's you know, one of the things that we hear a lot in these conversations in the community talks about is the frequent disconnect between information security, and you know, traditional security or wherever you want to call our job jar.
What are the ingredients for you? Or well I really am a two partner one, why do you think that sometimes that division responsibility goes wrong? And what can we do as security leaders to help bridge the gap or what? What forms a really good csoc say, partnership?
Michelle Sutphin 49:07
how those are all great questions. Um, it's interesting, this is a really big topic. A lot of companies are merging the roles and making them the same role. And that actually happened at VA II, when I left VA II, the Cisco over at VA JC Dodson actually took over for me and maintained his role too. So he now has both. Um, so be he is kind of working both models.
They did it separated before I left and now they're, they're joined now that I've gone and I think a lot of companies are trying to figure out what is the right mix and is that appropriate? I think that if you have one person sharing, you know, with both those roles, you need a really amazing deputy. And because there is no CSO that knows the Cisco stuff, and there is no Cisco that knows the CSO stuff, there is definitely a line of delineation of duties. And it's two completely different backgrounds. So whoever is doing that role, their deputy needs to be able to fill in the gaps for them. I think that's really key and actually he did something very similar to that.
I'm also too, it's a lot of like, territory, like you're stepping on each other's territory, quite often you have a classified spill. A lot of times, it's both teams working together, you know, you have an insider threat, it's both teams working together, a lot of the policies impact both. So it's, it's just so important to establish that relationship and say, Look, I'm not here to step on your toes, I'm here to be successful with you, we work so much better together, if we can, can partner and be on the same team. But I think that takes very specific personalities, to be able to work that and make that relationship work. I also think too, it has a lot to do with the culture of the company.
Because sometimes the cultures of the company pit those two roles against each other, even if neither of those roles want it. You know, just the way politics works and the reporting chains. You know, sometimes the scissor reports into finance, sometimes it's into legal and you have, depending on who those bosses are of those people than it can create conflict. So I think what really needs to start happening more is there needs to be more conversation saying these two roles need to work hand in hand. I think when there are hiring opportunities, that the CSO should be involved in the interviews of the CFO and vice versa. So that they are brought in more as a partner to be able to be successful together.
But it's a struggle. I mean, you ask anybody in industry and people, especially at you know the CSO level, and people nod their heads and say, Oh, yeah, this is this is something we need to do better. Yep. Good stuff. A question on budget. I mean, this pretty one you've probably heard a bunch times out in the world, can we get that you know, our leadership to increase our budget? Or maybe a way to frame it is how, as especially director level, folks, because you're in a senior role, you may control your budget? How can security directors, leaders of all levels, do a better job of persuading leadership on investment because this stuff, you know it doesn't it, the return can be a little unclear sometimes and difficult to prove. So you guys, you guys, everybody on this phone? Listen to me, you have to have to have to make HR your best friend. And you have to enable HR to do compensation surveys, especially compensation surveys in your local area, especially with these isms, you need HR as your partner to help you go and say, Look, it is impossible for us to find an ism that makes 110,000 year market now in the DC area is 180 to 190. And if you're looking for someone for 110, all that's going to happen is you're just going to keep losing your isms.
So you need to definitely, definitely get HR on your side. And you need to know the statistics off the top of your head, when you are asked for justification you need to be able to say this is this is the turnover rate. This is the turnover rate and security. This is what's happening. This is why it's important. And this is what could happen if we don't fill this position. That's the other big thing, you've got to be able to be the Henny Penny and say the sky's going to fall if these security professionals are not enrolled. And also again, it goes back to morale. Every day, you're not filling those positions, you're putting more work on the people that are still here. And then those people are going to start leaving. So it's a very, very sensitive topic. And if it's not managed correctly, people are going to just start leaving
John Dillard
good stuff. Speaking of stuff we want them to spend money on in person events, which which comes from time to time, I've been wondering this myself, so I'm sorry. I'm glad I'm glad somebody asked about it.
Michelle Sutphin
When are we getting I mean for professional education because a lot of the folks that we attract on this webinar and we see it in CMS events in India, I mean, really, it's a professional education, community and development. Are we gonna see in person events soon. What are you seeing you speak pretty often what's the expectation for those kinds of things?
Well, as one of the main people planning the AIA NDA, I can tell you that we're having our virtual event next week. However, we are planning to do an in person in Chantilly, Westfields this fall with NDA never ever likes to do the DC area because we don't want people coming and going we actually want people to stay. However, we figured we would have a lot more luck getting government Speakers if they didn't have to fly. And that kind of to ease us into coming back into person that the DC area would be appropriate.
So I will say, we really do want to have more in person events. I, when I saw Lin's name Lin, the president of ncms. Now he may be able to speak to ncms. But I know we're really, really trying to get back into in person, or even just have hybrid options where we can have in person but also have some zoom meetings at the simultaneously at the same time. So people don't want to travel don't have too good to hear. Because I think, you know, we're all competing with each other.
John Dillard
I agree. Yes, we do. Awesome. That's the funnest part of being in security is being able to meet with everybody. Well, last question, and this one's for me, you and I've had some interactions, I think the thing that people notice about you is that you you've sort of taken on increasing responsibility of your career, you make it kind of look easy.
John Dillard
And, you know, the question I love to hear successful leaders talk about is if there's an ingredient for you, that you feel like it can help others experience a kind of fulfillment, success and passion, obviously demonstrating this kind of role. What's that ingredient for you? What is the thing that gets you out of bed every morning that maybe some of us could take a dose off to, to improve our development careers, advocate for yourself, and advocate for others. If you are constantly looking out for other people, as much as you're looking out for yourself, then the sky's the limit, be a great team member, and also make it very clear what your goals and expectations are to your leadership and what value you bring to the table. But also always look out for the little guy.
Perfect. That's an excellent way to close out, Michelle, I mean, always a delight. I mean, it's easy to have a conversation with somebody that I would just have a conversation with. So thank you so much. You know, the passion that you have for this profession, just you know, comes through in spades. And I think it gets everybody excited to get back and do stuff.
So thank you so much for taking the time to talk to us. As a reminder for everybody, we will be sharing all the materials and slides. In fact, we'll reference some of the things like some of the cool books and ideas that Michelle referenced, we will make sure we send all those out to everybody, including the self inspection checklist, which I swear we got 10 questions about, I promise, we'll send it out. We'll get that out to you.
Our next webinar is August 12. We're going to dig into training specifically, we tend to alternate with sort of a demonstration of how some of that stuff works with a speaker. So mark your calendars for that. And by all means, go check out our website will post the summary of this very, very soon. usually takes us a couple days.
But you can also see some of the other great speakers and resources that we've had the privilege of hosting over the last couple of years on this webinar series. So thank you, Michelle. Thank you, everybody, for attending. And please have a wonderful week.
Michelle Sutphin
Thanks, john. I'm going to go read emails now. All right.