Robert: I think people...you know. All of that disruption, yes, there's economic stuff that happens as a result of it, there's, you know, maybe mergers or companies going under, shrinking or what have you, the stock markets are tumultuous. But on the other side of all of that are people who are essentially nervous, who are scared, who are just kind of frantic about, you know, are they gonna be next? Are they gonna be part of one of these headlines of, you know, such and such a company does another 10% slash and the CEO just sends out a vague email, and their access is cut off?
And so I think security leaders owe it to themselves and owe it to their teams to be in touch with what's going on in their businesses and really investing in their teams. Because, like, that sort of, like, feeling of safety and feeling of security in a personal human sense really matters. You know, there's nothing that's gonna, like, cause somebody more anxiety, which we do not need in this field. Like, there's enough going on in this field already than, you know, a constant worry of, are you gonna be next?
Caroline: From Cobalt at home, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. I am so excited to be here with my friend and former colleague, Robert Wood. Robert is the CISO for the Centers for Medicare and Medicaid Services. He leads enterprise cybersecurity, compliance, privacy, counterintelligence functions at CMS and ensures the agency complies with secure IT requirements while encouraging innovation.
Prior to his role at CMS, Robert built and managed several security programs in the tech field, including top security roles at Simon Data, SourceClear, and Nuna. We met when he was a principal consultant for Cigital, where he advised enterprises about their software security programs. He built the Red Team Assessment practice at Cigital, helping organizations identify and manage risks from alternative perspectives. I am so excited, Robert. Welcome.
Robert: I am also super excited. Thank you so much for having me on again.
Caroline: My pleasure. I think you might be our first repeat guest. You and I did Episode 2 together. "Humans of InfoSec" now has more than 80 episodes, and our last episode that we did together came out in March 2018. Some stuff has happened in life and career since then. I would love to hear about it.
Robert: Yeah, so I had another baby, which has, you know, been amazing. Life is all good on so many fronts on a personal level. Our little humans are five and two at the moment, and they're just awesome. Since then, I have joined the federal government, so I'm with CMS now, and I just crossed my two-year anniversary back in November. And so about two and a half years in now. This is my first federal role actually, so there's been a definite learning curve for me on that front, but it has been...
Getting into some kind of public sector work has always been a goal of mine. And I've looked at doing stuff with, like, the reserves and the guard and just, like, volunteering and engaging with think tank nonprofit organizations. I have wanted and been seeking an opportunity to try to bring together the perspective and experience and such from my world in the private sector, and bring that into the public sector and just try to do some good. And this particular role has been so personally and professionally rewarding on that front. So, you know, I'm very thrilled, very blessed to be in this particular spot. So, I mean, the last five years have been awesome.
Caroline: That is awesome. I am obsessed with your babies, and wow, two and a half years, but they are so great, oh, my gosh. And actually, I don't know if you know this, but my dad was a public sector guy, and so just hearing the way that you talk about it, I can really feel the warmth and the compassion for the work that you do. So, speaking of what it is like to lead security at a federal organization that helps millions of people, what is behind your drive to work in such a high-impact, high-pressure environment? And specifically, what's the experience like compared to having worked in tech for so long?
Robert: What drives me is really when you think about what's on the other side of all the choices you make, the decisions you make, the work that you do, the hours you put in is people are able to consume and benefit from healthcare services. So, yeah, CMS is, of course, in the healthcare space. We are insuring some of the most vulnerable people in the U.S. through Medicare and Medicaid, and, like, children-focused programs. And so, you know, those people need the things that we do, they need the services that we provide. And so that's a huge driver in terms of doing security work and cybersecurity, privacy, counterintel, you know, all of that sort of related risk management-like stuff is all centered on protecting and serving those people.
I mean, you know this about me, but for anyone who doesn't, I have a little bit of a Batman complex. And so this, for me, was...you know. I am attracted to that kind of role. I want to help out and pour myself out for people and teams in that way.
And so one of the other things, so I got recruited into this role. I did not apply, in the traditional sense, as the team that I was managing at the time. I was at Simon Data, which is a marketing company, and I was running a team of three, and I was one of those three. And now I have a much bigger team, as you might imagine. And I think we're, like, over 400 in total between contractors and fed. And it's just a totally different landscape. And one of the things that the CIO, who I met with and who is the gentleman who hired me, and he's still here and we have an amazing partnership, is he was describing for me the kind of things that they were looking for in their security program or who they were really looking to bring in the changes. You know, they wanted somebody to come in and be a cultural lightning rod.
They wanted somebody with a background in technology, good tech chops that could set a vision and think big and bold and translate that vision down to technical people, but also to non-technical people, to other executives or partners in the agency. And also somebody who just had some energy, who wanted to kind of stick it out through the inevitably challenging times that come with working in bureaucracy and red tape.
I definitely wrestled with some amount of imposter syndrome leading up into it, and I still do from time to time, but I really tried to look at it as factually as I could. But I feel like I would be a good fit across those three particular criteria. And so if this team wants to put their confidence in me, then I'm gonna put my confidence... I'm gonna do the same and try to do some good with the role and the opportunity.
Caroline: Phenomenal. I have always known you to be a cultural lightning rod. You and I met professionally before we got to know each other and became friends. And what I've seen you do is you build functions and you make things happen and you get stuff done. And I am delighted that you are doing this work for the United States. Thank you.
Robert: Yeah, of course. I mean, I should say it's definitely not just me, you know. I'm in it, I'm part of it, and I think huge credit also goes to all the awesome team players that we have in our team because it's this big, massive...you can't steer an aircraft carrier. Yeah, it's kind of, like, what CMS's security program is in many respects, and you can't do that all on your own. You know, you gotta get people aligned and people have to understand it, and people have to then take it and run with it. It's like this massive relay race that's being run in a million different directions. And it's really quite awesome to see the team dynamics that have been unfolding at the agency over the last couple of years. It's super exciting.
Caroline: Very cool. I have always considered some of the organizational and people and team-related complexities of the work that we do to be some of the most interesting. Robert, I wanna get your thoughts on something I've been thinking about recently, which is that I think when we're leading security teams, there is this frequent frustration in that sometimes our teams feel like they're working yet treated as an afterthought after big organizational decisions get made. What do you think we can do to be more of a part of these conversations and make sure that a security perspective is really heard and represented?
Robert: I think one of the first things we need to do is humble ourselves and recognize and appreciate and accept that our function is not the most important one in the room. Our function is there to support all the other things. And so if the decision that got made, even if we weren't at the table, if it's a good thing for the organization, it's a good thing to do for the stakeholders or the mission or what have you, then, you know, we need to celebrate that. And I think we can do more within our function by focusing more on how we support and serve others. You know, taking that servant leadership kind of mantra and mindset to heart.
Because if you're trying to convince somebody that your job and your needs and your stuff is more important than their stuff, then, you know, that might work for a short-term kind of argument or short-term quick tactical decision, but it's unlikely to work for the long run. People need to feel like you are there for them. And if they also have a mutual respect and understanding for your needs and what you're trying to bring to the table is gonna help them or could help them, then I feel like they're gonna be more willing to engage you and invite you in because your perspective is more valuable. You're not there to make demands, you are there to help and be of service and move the mission forward. So, I really think that it starts with that at its core.
Caroline: I love that. I mean, one of the things that I'm really hearing is that it's sort of, like, us against the world and not us versus them. I do think that, you know, in my years working in this field, sometimes when I meet security professionals, they're so passionate about what they do, and they're often so sharp and so opinionated. And I think that sometimes there's an opportunity to just kind of point all of that energy in a direction that says, hey, we and the decision makers, and we and the business, and we and the organization, we and the engineering teams, like, we're on the same team, you know, and let's put all of our effort kind of towards solving the problem together. I love that.
Robert: Yeah, I mean, you think about it, there's a lot of very brilliant people in our discipline, but I've met a lot of very brilliant lawyers, and contract people, and software engineers, and product managers, and marketing people who do things that I could only dream of doing right now until I sit down and try to learn the craft and do it myself. And that's probably not gonna happen in some of those cases. And I think if you look at all of these pieces of the organizational puzzle and strategy coming together to make the whole, or to make a sum that's greater than its parts, we have to recognize that we are a part of that. We're an important part of that, but so are they.
And it's a common trope, but you could build the most amazing product in the world, and if nobody uses it because nobody knows about it, then it's pointless, you've added no value. And so other people are expert and "technical" in their own rights, in their own way, in their own discipline. And so us really taking that humble approach to our work I think will get you really far. And just kind of working to change and shift your mindset in that way will help you understand and appreciate who you're talking to and engaging with and who's on the other side of some of these conversations and what they might be going through. And you'll see things that I think you otherwise wouldn't see if you were just focused on these security-related outcomes.
Caroline: I really like that. Sometimes I kind of think about an organization as being, like, a human body with different parts. And if you decide that you're gonna take this human body and you're gonna run a marathon within some time period, then you need feet that work, and you also need a heart that works, and you need eyeballs that work. And your heart can never be your eyes, you know, your eyes can never be your feet, but you really need these things working together to get you over the finish line.
Robert: Yeah, 100%. And using that metaphor, too, you couldn't have gone and treated your body like an amusement park the night before and drank a bunch of alcohol or smoked a bunch or ate like crap or, whatever it was, and then expect to wake up the next morning and knock it outta the park in your marathon. You know, all of these things have to work together, and you need the parts and you need to tend to them well.
Caroline: Yeah, absolutely. Maybe there's an idea for a future blog post. And actually, why don't we just go there? You know, I had planned to ask you this question a couple of questions down, but let's just go there, which is to say, Robert, you recently launched an initiative called The Soft Side of Cyber. Can you tell our listeners more about it and what inspired you to make it a thing?
Robert: Yeah, absolutely. So, this has been on my mind for years now, just having worked with, you know, that situation I've just described, having worked with brilliant people who couldn't communicate their ideas or who were abrasive, or seeing people who weren't super sharp technically, but able to just get insane amounts of things done or bring people together, what have you. I've just grown to have this amazing appreciation for the more human-centered side of this discipline.
And even once I started getting into these leadership roles or management roles where...When you're pentesting or threat modeling or looking at code, nobody ever teaches you how to do budgeting or team building or strategic planning, or manage a portfolio of vendors. You're just kind of expected to know that stuff when you get to these roles or to figure it out, and you can really mess things up, it could be really stressful.
And so I've sort of been growing to appreciate this yin and yang symbiotic relationship between these two domains of skill. And so a friend and a colleague of mine, Frank Damazio, we started this thing earlier this year, Soft Side of Cyber. It is all about trying to focus on and bring awareness to, and resources to support and learn and grow to help people in any role they may be working in cyber, whether you're in forensics, pentesting, sales, leadership, architect, engineer, whatever, to help you grow in the non-technical aspects of your job, and to help make these things relatable and give you a place to start and a place to go so that you can be more effective in your role.
I mean, if you were to break it down where there's let's say just for whole numbers' sake 50% of the skills that you need to be in any particular role are technical, 50% are not technical. Even if you get amazing at the technical skills and you're incredible, then you're only, you know, 100% at 50%. And if you don't invest in another 50%, then you're gonna be doing this life, doing this career with one hand tied behind your back. And so what we are really hoping to do is help people become more effective in their jobs and ultimately just raise the bar for our field as a whole through that particular angle.
Caroline: Well said. I love it. I think it's really important.
Robert: Thank you.
Caroline: I think that's gonna be an incredible resource for our community. And, you know, super funny thing, I just did a Google Search to remind myself of a talk that you and I gave together a very long time ago at BSides Las Vegas in 2017. Can you believe? Like, it was really a long time ago. And that was called "Hacking Office Politics for Cybersecurity Leaders." And that's just, like, one little component I think of this much broader discussion that you're really bringing to the forefront. That is so cool.
Robert: That was a fun event.
Caroline: Oh, that was so fun. Oh, my gosh, we must do it again. Let's definitely plan to do something like that again. Can't wait. Also, fun fact, I've never been to DEFCON, and I'm thinking about going one year and bringing my daughter because I think that she would have so much fun.
Robert: There you go.
Caroline: So, that's a fun thing to explore.
Robert: I'm sure she would. DEFCON is so fun. You know, DEFCON gets kind of a bad rap sometimes because it's almost like a cult classic of conferences, but it is a lot of fun. Like, the people there are... There are so many good, humble, incredible human beings that are in that part of the community, and it's just a lot of fun. You should totally do that.
Caroline: Oh, I love that. I'll be coming to you with questions.
Robert: Let's do it. I'll bring Bruce.
Caroline: That's gonna be so much fun. Oh, wonderful, wonderful. Cool dude. So, another question for you, you know, when we did Episode 2 of "Humans of InfoSec" in 2018, whoa, that was pre-pandemic. And here we are now, and not only was there COVID and remote work and, like, all these different things, so here's a question I've got for you. Right now, organizations and humans are going through major changes in order to survive and find their place in the bigger economic picture. And sometimes you get these operational pivots that throw large chunks of security work out the window, especially around risk and vulnerability management. And so what do you think that security leaders can do to try and manage all of this disruption that we're experiencing?
Robert: I mean, first and foremost, you know, all of that disruption, yes, there's economic stuff that happens as a result of it, there's maybe mergers or companies going under, shrinking or what have you, the stock markets are tumultuous. But on the other side of all of that are people who are essentially nervous, who are scared, who are just kind of frantic about, you know, are they gonna be next? Are they gonna be part of one of these headlines of such and such a company does another 10% slash and the CEO just sends out a vague email, and their access is cut off?
And so I think security leaders owe it to themselves and owe it to their teams to be in touch with what's going on in their businesses and really investing in their teams. Because that sort of feeling of safety and feeling of security in the personal human sense really matters. You know, there's nothing that's gonna cause somebody more anxiety, which we do not need in this field. There's enough going on in this field already than a constant worry of are you gonna be next? So I think that's first and foremost.
Another thing that I think security leaders should really be focused in on right now is trying to seek continuous ways to challenge the status quo because as organizations keep changing and evolving, there's opportunities, I believe anyways, to bring in other parts of an organization into ours. One key example of an initiative we have going on right now at CMS is we're referring to it as the security data lake.
And this is basically taking the status quo of what used to be a bunch of bespoke silos of security data living in different tools, in different teams who owned it, and collapsing all of that into one data plane, basically into a data lake. And we can have different aggregator services for SBOMs and asset management and vulnerability data and logs and all of that sort of stuff. And then everything kind of goes into this backend. But as part of that there's work to be done on the consumer side of it, so people who are taking data, building things on top of it, dashboards, reports, analytics, tools, etc., or that are doing the producing of data, managing the production part, so managing Kafka clusters and APIs to do, you know, focused ETL data ingestion and enrichment, that sort of thing.
And so we're starting to bring these other parts of the organization together to work alongside of us. And so we're basically through this project changing the makeup of the organization to support its needs in a more effective way that the normally very siloed hierarchical org structure quite simply just doesn't really support.
And there's this organizational theorem called Conway's Law that basically posits that anytime that an organization produces something, be it a product or a service, it is a mirror of the organizational structure that builds it. And so by trying to bring teams together, we are trying to work against and kind of, like, directly address that particular theorem so that we don't end up with this big jumbled mess.
And really, I mean, we're bringing a lot of capability and trust and collaboration into the cybersecurity orbit just by virtue of doing this particular project. You know, we're talking more seamlessly with Ops, we're talking more with HR people, we're talking more with the training folks, with, you know, compliance and operations and insider threat. People are talking like, you know, "This sort of stuff is making our organization I believe more resilient and more effective at the same time." And so that's another thing that I think leaders can start thinking about.
And, like, you don't necessarily have to take this idea and try to make it happen in your own organization, but thinking about ways that you can change the nature of your work to bring in more resources or functions or teams or specialties across the organization because that will make you I believe more resilient in the long run.
Caroline: That is really cool. I feel like every time I speak with you, I learn about something new. And, of course, today is no exception. I am new to this concept of Conway's Law that says organizations that design systems end up mirroring their own communication structure. What cool food for thought, and how amazing that you and your team are actually putting some of this data architecture into place. Thank you so much for sharing that with us.
Robert: Yeah, well, I do have to give credit where it's due. So, I got this idea, or some of this was sparked by me reading this book, "Team Topologies." And Conway's Law plays a big feature in that book. It's basically about how to organize teams around value streams and crafting team APIs to make them more effective and communicative and collaborative and such. And I've brought so much away from reading that book and I've probably read it three times since I first got into it.
And so, you know, the data lake effort... Like, a big part of how I end up doing my work is I kind of take these ideas and these concepts and these mental models from all these different places in my experience, my learnings and all that, and I start just, like, assembling them into different things. You know, it's kind of, like, I posted a picture on LinkedIn, I don't know, a couple of months ago when my older son basically just dumped out all of his Legos on the floor. Like, that's kind of what the inside of my brain looks like. And I'm just kinda putting things together in these weird combinations, and sometimes it works.
Caroline: I love it. It's going on the reading list, "Team Topologies." Robert, thank you so much for joining me today. I find that when we get a chance to connect, whether it is a text chat or a personal call, or a professional call, I always just have so much fun and I feel like it could go on forever. I wanna say thank you so much for spending your time with us today and sharing some of your mind Legos with our listeners.
Robert: You are very welcome, and thank you again so much for having me. So much fun as always. And we're gonna make that DEFCON thing happen.
Caroline: And I think I'll get to see you in San Francisco even before then.
Robert: RSA. Yes.
Caroline: "Humans of InfoSec" is brought to you by Cobalt, a Pentest as a Service company. You can find us on Twitter @humansofinfosec.