Aspiring Chief Information Security Officer? Here are some actionable tips from San Diego city’s Deputy Director of IT

Today we’re bringing on board Gary Hayslip — a CISO for the City of San Diego.

Gary advises the City’s executive leadership — mayoral, city council, and 30+ city departments and agencies — on protecting city government information resources. (They average about a half million attacks per day… it definitely keeps them busy.)

If you want to get into the field of cyber — or you’re an aspiring Chief Information Security Officer — today’s episode will get you excited.

Paula J:

Today I’m with Gary Hayslip, hi.

Gary Hayslip:

How are you doing?

Paula J:

How’s it going?

Gary Hayslip:

All right.

Paula J:

Thanks so much for coming. It is an absolute honor. I don’t know what I should start with. First of all, you are the Chief Information Security Officer of the city of San Diego.

Gary Hayslip:

Yes.

Paula J:

This is absolutely impressive. This is the eighth biggest city in the United States.

Gary Hayslip:

Yes, it’s the eighth largest city, about 1.8 million citizens.

Paula J:

All of these guys you’re protecting?

Gary Hayslip:

Yes.

Paula J:

Okay, that’s absolutely interesting. We’re going to be talking today about the different challenges that you’re facing at your job, and also a couple of things that you guys should know about if you are about to be hired in the cybersecurity field, what kind of skills are important to be successful in this area. Gary, you also wrote a couple of books.

Must read book: CISO Desk Reference Guide: A Practical Guide for CISOs

Gary Hayslip:

Yes.

Paula J:

Can you mention what they are?

Gary Hayslip:

Sure. I wrote one book, partnered with two other CISOs. The book is called The CISO Desk Reference Guide. We’re in the process of writing part two, the second book, which will be published in July.

Paula J:

It’s a quite hard job to write a book, isn’t it?

Gary Hayslip:

Yeah, I have to admit it was quite interesting when we first decided to go ahead and write it. It was really all about, in San Diego the cyber-community is very close-knit. We collaborate and we work with each other and we all know each other, but there’s also a lot of junior CISOs. There’s a lot of new people that are coming into the cybersecurity field who are now in senior management.

A bunch that we were dealing with didn’t have experience in certain areas, and so we decided to go ahead and write a couple of books to walk people through the process of what it is to be a CISO and how CISOs build their security programs, write policy, look at risk and how they help their organizations. The first book, we thought would sell about 100 copies. The book is in 15 different countries now. We’ve had universities purchasing it. I’ve had companies buy it and give it to their board of directors to help the board understand this is what a CISO does. It’s been a lot more successful than what we thought. We were really surprised.

Paula J:

Amazing.

Gary Hayslip:

Book two is really written for people who are coming into the cybersecurity community and aspire to be a CISO. Or maybe it’s already somebody senior who’s in the community and they’re hoping for their first CISO position, their first director position, being in charge of security, but they don’t really understand how to do it. That’s who the books are written for; we walk you through and explain to you how to do it. Myself and my two co-authors, Bill Bonney and Matt Stamper, the three of us probably have close to 100 years of experience. We bring that apart in the books.

Aspiring Chief Information Security Officer? Take this advice from Gary Hayslip.

Paula J:

What kind of skills should someone have to be a CISO according to you?

Gary Hayslip:

The thing about it is that there’s a misconception that cybersecurity is a technology thing. You go ahead and you buy a device and boom! Everything is fixed. Cybersecurity cuts across many domains. In the city of San Diego, I have about 40 departments that range from the water utility department to parks and recreation. There are so many different types of departments, but they use technology in different ways. They’re providing services to our citizens. You look at technology and how it’s used, you look at the data that’s being created, you look at the people that you partner with and the people that you work with, and it’s integrating all of these things together to reduce risk. I look at cyber as really enterprise risk management on a large scale. It just happens to involve technology.

Paula J:

Absolutely. Well, talking cyber-crime at that level, we are talking city level, yes?

Gary Hayslip:

Yes.

Not only technology skills but also soft skills…

Paula J:

So all these infrastructures that you mentioned, they all can be affected, right?

Gary Hayslip:

Yes. Back to your previous question, when you look at skills obviously you would look at somebody who has some type of technology skills, but you’re also looking at soft skills. They have to be able to work with people and teams. They have to be able to collaborate with their peers and be able to share information and work together. You have to deal with people who know nothing about technology and take a very highly technical threat vulnerability discussion and break it down and flip and turn it into a business discussion.

Turn it into a discussion about risk, about the loss of services, about the impact to revenue. There are some CISOs that have never had to do that before. I actually went and did my MBA and I did a whole degree in business, a master’s in business, and partnered and worked with a lot of startups just so I could understand that mindset and that framework because I knew at the executive level I needed to be able to speak to it.

Paula J:

But originally your background is IT.

How Gary Hayslip started his career in cybersecurity

Gary Hayslip:

Yeah, originally I started as a software developer, then I was a network architect and then I got into security and then I got into forensics and then I was doing an audit and then I was running security teams, and I was running network teams. I’ve been a CIO, I’ve been a CISO. I’ve done a little bit of everything.

The Path to Cyber

Paula J:

Yeah, absolutely. What do you think would be the best way to gain such skills? Is there something particular that you can recommend?

Gary Hayslip:

On my LinkedIn profile, I’ve written a lot of different articles, which I’ve posted up there for people to be able to download. There’s actually a series of articles that I wrote called: The Path to Cyber. I actually document in there how I got started, how I got into it. I originally was in the military, I was in the US Navy. They actually were training me in electronics and everything, and working with weapon systems, but I became fascinated with computers.

I drove my wife nuts because I was very interested in how to hack things, how computers worked and how networks worked. I actually bought about $10,000 worth of equipment off of eBay and built a lab in my garage and taught myself how to hack, and was able to pay for my own certifications. Because to me, it was this driving thing that I just needed to go ahead and do.

Paula J:

That’s the way I am.

Start with basic certifications

Gary Hayslip:

That’s one of the things I look for when I talk with people. I bring it out in these articles. I started with basic certifications. I started with Network+ and Security+, and then I did my Cisco certification so I could really understand how networks were put together. Then I got into security certifications. In my articles, I break it down. I made some of the mind maps, some of the certifications mind maps I’ve built, to show people where you start, to give you a place so that you can figure out – start here, and here are some professional organizations you might look at joining so you can meet peers, so you can meet other people who are on that same journey as you who maybe have already started taking some classes.

Maybe they’re already doing some stuff on Udemy or they’re already up on lynda.com doing stuff. You can share information back and forth. The biggest thing I’ve learned even after doing this 30 years as a CISO is that I will never know everything and I have to be willing at times to understand that I need to reach out to my peers, I need to be able to talk with other CISOs and other engineers and ask for help. Even to this day I’m still constantly working on stuff. I’m working on certs. I’m doing stuff at AWS right now because I’m fascinated with the cloud. I know my city, we’re transitioning, we’re moving things to the cloud and so from a risk perspective, I need to understand that environment.

Paula J:

Yeah, absolutely. Regarding knowledge, as you mentioned the more we know the more respect we’ve got for the other stuff that we’ve never seen.

Gary Hayslip:

Yeah, but the thing about it is the more I know the more I like what I don’t know.

Paula J:

Absolutely.

Gary Hayslip:

The more I start learning the more I’m like, “Crap, now I’ve got to look at that.” Then I find things that I become really fascinated about. I start collecting books on that; I just don’t have enough time in the day to read, or to set up a lab so I can play with it. Then I’m also a hardcore gamer so I tend to play video games a lot too.

Paula J:

That’s cool. Yeah.

Gary Hayslip:

A little bit of everything.

The big city’s security challenges

Paula J:

What kind of challenges does the city face from the security perspective? Because you see it all, yeah? What is out there right now that is hot that people should pay attention to?

Gary Hayslip:

I can tell you that when it comes to the city of San Diego, I look at it as a $4 billion business. We provide services, and some of them are critical services such as the 911 system for police or for help, or our clean water, or transportation on the freeways.

Paula J:

Someone needs to be able to call using their mobile phone when there’s an emergency. We’ve been actually doing the pen-test of the emergency systems like that. It’s a challenge, it’s a different type of a challenge.

Gary Hayslip:

The thing about it is that when you go ahead and you talk to people, city networks don’t exist in a box. What you end up finding out is that cities don’t have one network; they actually have a collection of networks. For the city of San Diego, we have over 24 networks. We have technology that ranges across decades. We’re in the process of replacing apps in our portfolio and we’re upgrading our backbone so we can start handling a lot of fast-moving high-definition video. We’re a smart city.

We have a lot of intelligent IoT infrastructure projects going on, but that generates a lot of rich data. Data that your networks may not have been built for. We’re having to upgrade fiber; there’s a lot of things that we’re having to do. Then we’re looking too at the ISO 37150 framework for how cities are going to become smart cities by 2030, where they’re estimating about 80% of the world’s population is going to be in smart cities. That to me would be like the city of San Diego going from 1.8 million people to 3.5 million people.

Paula J:

Yeah, that’s a challenge too.

Gary Hayslip:

You still have to provide services. You’ve got to have housing, you’ve got to have streets and education and all of these things. The people have to go somewhere. Cities don’t put technologies in like corporations do. You can rip and replace. A lot of our projects can take a decade to plan and implement and actually get up and running. If you’re going to have things in place and have networks that are going to be flexible and resilient, where you can plug and play new technology.

Paula J:

It’s scalable, yeah.

Gary Hayslip:

You need to be doing it now if you expect to have it by 2030. There’s a lot of cities like San Diego, Barcelona, London, Dubai, Singapore, there’s a lot of them that are already doing it. We’re already taking that, and what we’ve been doing with the city of San Diego is we’ve been partnering with a lot of cyber startups. We’ve looked at it as, “Okay, we’re going to do this with technologies and with sensors and with data, but we’re going to marry it with cybersecurity. We’re going to use cyber as a framework to build on.”

Our thing that we actually talk about is, we want to go ahead and make data available to our personnel and to our citizens anywhere, anytime, on any device securely. There’s a lot of infrastructure and things you’ve got to put in place to be able to do that. That’s what we’re working really hard on now. We’ve got city workers that are out in the field that are on mobile tablets, how do you make sure that they get access to the infrastructure but that connection’s encrypted, that connection is secured so they can do their work.

Paula J:

Based on what you said there’s a lot of guys needed for implementation of the things, right?

Gary Hayslip:

Yeah. You’re working with companies that go ahead, they implement and build by themselves. You’re working with men and women that you’re bringing in to go ahead and be part of the teams, to go ahead and manage it and to be able to run it, and it is. We look at it from a city environment: we’re under constant attack, we’re a large target. For us it’s continuous. We’re continuously scanning. You’re continuously monitoring, you’re continuously remediating.

A lot of the security suite, a lot of the technology that we use, we’re integrating it all, we’re tying it together to where we want to have automated alerts and automated response. We want to be able to pull reports every morning where we’re looking at which desktops have been infected that we’ve got to pull, or if we see traffic on our network that looks like it might be some type of an attack. We want the solutions that we’re using to be able to alert and tell us and to be able to go ahead and isolate so that then we can take a look at it and see if it’s a false positive or not.

Paula J:

Exactly, to recognize the pattern.

Gary Hayslip:

We are doing it now. We’re working with one of our startups that actually got purchased by Webroot. This solution that we’re using, called Flowscape, actually does behavioral mapping of IoT.

Paula J:

That’s interesting.

Gary Hayslip:

We’re looking at all of these IoT devices and clusters to each other and sharing information. It’s fascinating stuff, I would never have thought that I’d be a CISO of an organization where I’m looking at HVAC systems talking to each other, or I’m looking at intelligent street lights and stuff. And it is, it’s some really cool stuff that you don’t get a chance to do in a normal environment.

Paula J:

Unless you are in such an environment, exactly.

Gary Hayslip:

Yeah.

Ability to work in the team is a must

Paula J:

This is something that brings a lot of experience, but what about people that want to start to do what you’re describing? What would you recommend? What kind of skills should this guy have? Because there’s a lot of customized solutions, but on the other hand if you soak them then you just have to learn. What would you expect from newcomers?

Gary Hayslip:

I can tell you, and I look at hiring staff and I actually mentor and work with other organizations that are building teams. I can tell you some of the things is that you have to be used to working with people. You have to be used to working in teams.

Paula J:

Socialization is the first thing

Gary Hayslip:

Yeah, it’s very big. You’ve got to have social skills. You don’t really work by yourself. That means that yes, you have to take a bath more than once a week. You’ve got to think of the fact that you’re impacting working together closely, to be able to go ahead and get things done, to work on projects and stuff. There are some people that really lack social skills and they’re very hard to employ, even though they may be a great programmer or something. I’m looking for people that can work with a team, that can go ahead and change out and be in charge of a project, they can be a leader, or they can be a follower. They can work together.

Paula J:

Do you also have this kind of geeks that isolate themselves from the rest of the team but are so smart that they are out there?

Gary Hayslip:

I’ve had people like that. They were extremely smart, but I need them to be part of the team.

Paula J:

Yeah, this is very important.

Gary Hayslip:

There are times where you’re going to be troubleshooting and working on an issue and again, not everyone is going to have all of the knowledge. In large environments that are very, very integrated, where all the pieces tie into each other, you’re not really going to always understand how that data flows and how the pieces are connected. You need to have other viewpoints, to have other people working together so that you can figure out, “Okay, this is how this works.”

Because sometimes if you have legacy networks and you tie legacy networks with new technologies, you’ll have cascading effects when you do updates and stuff. You’ll have things that are not in any kind of user manuals or paperwork that will happen, and you’ve got to troubleshoot that.

You have to do it together.

Paula J:

Do you LOVE technology?

Gary Hayslip:

I look a lot for being able to work in teams. I look a lot for being able to work in high-stress environments. I look a lot for independence. I’m giving you an issue or a project, do you go out and research and already start pulling information together? Are you able to go ahead and plan and start breaking things down into pieces to figure out, prioritize, what you’re going to go ahead and work on? Some of these things are not taught in school. You learn these things by working together. A big thing that I go ahead and I look for is curiosity: do you love technology? Are you curious about it? Do you take it apart? Do you go ahead and work with it?

People with passion

I’m looking for people that are passionate, that know more than one language, that like to game and like to go ahead and use technologies in all kinds of different types of facets. Because our enterprise networks that we work with within a city environment have an amazing array of different types of technologies. I need people that are using different parts of their brain, that can function and think like that.

Paula J:

Yeah. I’m on the same page, even though we are a little bit smaller.

Gary Hayslip:

Yeah.

Paula J:

We are also searching for people like this, and that’s not an easy thing to do.

Gary Hayslip:

No, honestly it isn’t. That’s what I’m saying in the articles that I put up on LinkedIn – “Okay, these are some of the certs that you can start working on. These are professional organizations that you should go and meet peers.”

Paula J:

That’s a great set of tips.

Gary Hayslip:

“These are some classes that you should start taking to get you started,” but understand that this is just the beginning. This gets you started. Myself, when I started and I got into IT and started getting my certifications, I needed experience, and so I actually started volunteering for non-profits. I would go work for free because I just wanted the experience working on servers and working on different things until I could go ahead and start building my experience up.

The thing about it is that even as you start training and you start learning how to do things and you go to hack-a-thons and you go to code days and you start learning from people and stuff, you want to volunteer, you want to be active in the community, you want to start meeting people that can be mentors for you, that can help you, even help you get your first job. Which may suck, because you’re starting at the beginning and it’s not always going to be a high-paying job. But it’s the experience with other people.

Paula J:

Absolutely.

Gary Hayslip:

Working with users that may be driving you crazy, or working with other work personnel who have unrealistic ideas. You’ve got to experience that.

Paula J:

Yeah, you have to go through that.

Gary Hayslip:

Yes.

Paula J:

That’s a very, very good recommendation. Let’s summarize our discussion, yeah? We’ve been talking about:

  • different types of tips, skills, resources and challenges that CISOs have,
  • what to do if someone wants to be in that particular field in cybersecurity,
  • that there’s a lot of challenges to face every single day.

The final thought: cybersecurity is not a one-man’s job, you have to cooperate

I absolutely agree with you on the teamwork factor. Cybersecurity is not like a one-man’s job; you have to cooperate within the teams to share knowledge and exchange ideas, because there might be many different points of view, different perspectives. Especially in the cybersecurity field it’s important, because someone might look at this attack, for example, for certain types of patterns and the other person may see something else. Then at the end we come to a conclusion.

Gary Hayslip:

Yeah.

Paula J:

Yeah, so this is very useful. Lovely, it was great talking to you.

If you have any comments or questions, leave them below the video.