What's it like to be the CISO for the state of Connecticut?
Today on Cyber Work, I’ve got a big guest for you. Jeffrey Brown, Faculty at IANS Research, is also the chief information security officer not for a company, not for a healthcare organization, but for the entire state of Connecticut! Brown walks me through the scope and reach of a state-wide CISO, a country-wide move toward a “whole of state” strategy and, frankly, I spend an awful lot of time talking to Brown about where he finds the time to do all the things he does.
0:00 - Being CISO of an entire state
1:50 - Early interest in computers, tech and security
5:17 - A communication background in cybersecurity
7:31 - Cybersecurity career time management
13:59 - Working as a CISO of a state
15:45 - How to prepare for a CISO role at the state level
18:51 - What does a CISO do for a U.S. state?
25:50 - State cybersecurity approach
27:41 - Cyber attacks and challenges states face
32:00 - Is cybersecurity awareness a waste of time?
37:31 - Skills needed to work in cybersecurity for the state
40:11 - Learning how to lead in cybersecurity
43:20 - Favorite parts of state cybersecurity
44:19 - Resources to improve cyber hygiene
46:14 - Best piece of cybersecurity career advice
48:47 - Learn more about Jeffrey Brown
49:33 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
This is a very wide-ranging and inspiring episode – whether you’re slogging through cert study or hitting a wall trying to figure out your next career pivot, my talk with Jeff will absolutely give you a new perspective. Keep it right here for Cyber Work!
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Transcript
Chris Sienko:
Today on CyberWork, I have a big guest for you. Jeffrey Brown is the Chief Information Security Officer for not a company, not a healthcare org, but for the entire state of Connecticut. Jeff walks me through the scope and reach of a statewide CISO, a countrywide move towards a whole-of-state strategy and, frankly, I spend an awful lot of time just talking to Jeff about where he finds the time to do all the things he does. This is a really wide-ranging and inspiring episode. Whether you're slogging through cert study or hitting a wall trying to figure out your next career pivot, my talk with Jeff will absolutely give you some new perspectives. So please keep it right here for today's episode of Cyber Work.
Chris Sienko:
Hello and welcome to this week's episode of the Cyber Work podcast.
Chris Sienko:
My guests are a cross-section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends, the way those trends affect the work of infosec professionals, and leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry.
Chris Sienko:
I've got a really cool guest today. As a cybersecurity executive with over 28 years of experience, Jeffrey Brown's mission is to align cybersecurity strategies with business goals. The journey has taken him across diverse sectors including finance, insurance and government, culminating in his current role as the first CISO, Chief Information Security Officer, for the state of Connecticut, where he's pioneering its "whole state" cybersecurity approach. Jeff's experience lies in understanding complex business needs and delivering tailored cybersecurity solutions that balance both the risk and the opportunity. So a while back, I was looking around for people I could talk to about security in state and local government capacities, and when I found out that there is a CISO for the state of Connecticut, I absolutely jumped at the chance to talk to Jeff here. And so, Jeff, thank you for joining me today. I'm really looking forward to this. Welcome to CyberWork.
Jeffrey Brown:
Oh, it's my pleasure. And what a great topic.
Chris Sienko:
Hey, all right. So, Jeff, to help our listeners get a better sense of your background and how you got into this whole thing, can you tell me about your earliest interests in computers and tech and security? Was there like an initial draw? Was it in school? Was it just at home? Did your family have a home computer? Like, where did you get started?
Jeffrey Brown:
Yeah, great question. And you know, it's funny because 27, 28 years ago this wasn't really a profession for many. So, you know, how did I get started? And, frankly, I have a non-traditional educational background, so I didn't study computers in school or anything like that. However, a key decision point: there used to be something called word processors, and that's all they did, was word process. Both of my parents were IBMers, so they said, you don't want a word processor, you want a computer that does word processing.
Jeffrey Brown:
So that was a very early decision in my career that had a lot of influence on me. You know, I think back when you're a kid you want to be a writer or something when you grow up and it turns out later on I did that. But you know, when you don't really have that kind of experience, it's really easy to just sit down with a computer and just start messing around with it and you know you're starting with a blank page.
Jeffrey Brown:
You don't really feel like reading, and then you just start learning the computer, you get in trouble and you have to figure it out and how to fix it, etc. So I spent a lot of time on computers. It never really even occurred to me to study computers in school, because I was kind of studying them all the time. So my educational background was actually in communications and publishing and journalism, and that's a background that's actually served me really, really well in this industry. You know, I really started in cyber specifically somewhat by accident, like many people did, and this would have been in the late 90s. Cyber, really, first of all, it was called information security back then.
Jeffrey Brown:
So I think things have changed a little bit, but I was between two different companies that I was looking at and I ended up going over to Merrill Lynch, which is now part of Bank of America, and it was my very first job in cyber. I didn't really know a lot. I mean, if you really look back then, it was all Unix and mainframe and stuff that I just didn't really have. But what I did have was something called Windows NT, and it was just starting to come on strong. The Unix guys didn't want to touch it. The mainframe people didn't think it was worth their time. So that was the opportunity. The opportunity was really being able to come in, and I ended up helping Merrill Lynch roll out their very first Active Directory in the year 2000. So I just had a really interesting and very technical start to my career.
Chris Sienko:
Yeah, so NT, is that sort of between 3.1 and then, like, 7? Where does it stand?
Jeffrey Brown:
This would have been the very first version of Windows NT, 3.1.
Chris Sienko:
Okay, okay, yeah, yeah, which is right up there.
Jeffrey Brown:
And what was happening was there was a business problem, and that's something we always want to keep our eyes on as professionals. The business problem was that suddenly brokers are trying to use this stuff. There's now applications that will only run on Windows NT and, you know, the security folks knew that they needed to understand that stuff better, but nobody really wanted to spend the time to actually do it. So that was my in, that was how I got in the door.
Chris Sienko:
Yeah, yeah. I feel like that's probably still a pretty good bit of advice if you're trying to sort of make yourself distinguished in the job pile is to find a thing that no one else wants to do and get really, really good at it.
Jeffrey Brown:
It absolutely was.
Chris Sienko:
Now, as a fellow person with a background in communication and the publishing industry can you talk about? You said that it was very, very helpful for you in your kind of cybersecurity track of your career. What were some of the takeaways that you got from those particular areas of learning that you apply all the time now?
Jeffrey Brown:
Well, it was very interesting. I mean, I actually started working at a publishing house, HarperCollins, and what happened was, I ended up, the internet was just starting to come on strong. It was still pretty much dial-up for everybody back then. But I got pulled into a lot of the IT stuff, again because of Windows NT. So everybody wanted to see something called Java. Java would only, it wouldn't even run on Macs back then. I mean, it would only run on Unix and it would run on Windows NT. I happened to have Windows NT, so I got really pulled into that, and it was, boy, there was a lot of potential for distance learning and subjects like that, and I started to realize that if I was going to do something for free it would be IT and, by the way, there's a big calling for that and you don't have to work for free. So I decided to make the jump and I actually made that first jump over to Dean Witter Reynolds a long, long time ago as just an IT analyst, and I was thrilled to be working in IT.
Jeffrey Brown:
I was like now I have an IT job and I'm going to be just doing this stuff all day. And then later on I made that shift over to cyber, which is a really interesting way to sort of specialize in one thing without really specializing in anything, because cyber covers everything. So it's a really interesting way to not specialize at all.
Chris Sienko:
So, in comparison to before, where your big claim to fame was that you were doing Windows NT when no one else wanted to, now at this point in it you're able to sort of have your hands in a whole lot of different things, but in not quite like as an extensive kind of way. Is that right?
Jeffrey Brown:
Yeah, that's absolutely right. I mean, if you think about what we have to worry about in security, it's databases, applications, networks, people, right? Like, people, that comes into play quite a bit. It really is very big and very broad, and we have to go deep on a lot of subjects, but we also have to go very wide on a lot of subjects as well, which makes it kind of an endless challenge. I mean, you know, you don't stay in an industry like this for almost 30 years, three decades, by doing the same thing day in and day out. I mean, this is something that is very dynamic in this industry.
Chris Sienko:
So I remember a professor in high school telling me the better part of knowledge is knowing where to look it up, and it's like you can feel your way through a lot of different things that way and get a lot further than you would if you just try to commit every single thing to memory and what have you. So, yeah, I was going through your sort of background. We've talked a little bit about this already, but that's my go-to move, to go to the LinkedIn experiences tab for our guests and see what you've done. In your case, though, this is kind of an embarrassment of riches, honestly, Jeff. So you've served in CISO or VP, Information Security functions for everyone from GE Capital to AIG to Citibank. You serve on the advisory board of several high-end curriculum development groups, as well as your research with IANS, and all of this is before we even talk about the CISO Connecticut part. So my question is, where do you find the time, or, more plainly, what's your time management strategy?
Jeffrey Brown:
I mean, it sounds like you've had so many different things going on. How are you able to kind of called Leading the Digital Workforce? It talks about peak performance, IT management, and not just security but IT in general, and it's like we have a really tough job in IT because things change so much on us and there's so many moving parts and complexity. But when I think about time management specifically, we all get 24 hours. Time is the great equalizer. I mean, that's something that, you know, whether you're a billionaire or whether you're just making $20 an hour, everybody gets 24 hours a day and you can do with it what you like.
Jeffrey Brown:
People overestimate what they can get done in a year, but they underestimate what they could get done in three years or in five years. You know they just don't really look at things the right way. One of the things is just understanding what some of your goals actually are. So I'll give you an example. I have sort of a process. I always have three for the year, three big ones for the year, three big goals. Then I have three for the month, then I have three for the week, then I have three for today, like, what are your big three? And I'm starting to learn even now, even this late in the game, that it's like, well, what's the number one? Like, if you're going to get through today and call it a win, what's the one thing that has to be done by the end of the day and make sure you're working on that stuff.
Jeffrey Brown:
And you really can't trust your brain on this kind of stuff, because you open up email, you get sucked into things, incidents can happen, all kinds of stuff can get you distracted. So, having some sort of system where, you know, every time I get up out of my desk, I have an idea of, like, this is what you were working on, here's where we left off, and now I can come back and it doesn't take me 20 minutes to just reorient myself. I know exactly where I was and I can pick up right where I was when we talk about things. 'Cause I mean, on top of this, I've been writing books and stuff too, right, you know. And there's a couple of ways to do that. One, with the communication book that I wrote, it was cramming and it was, you know.
Jeffrey Brown:
It felt like I was working a day job, and then I would cram all weekend and try to catch up with writing, "catch up" in quotes, right. What I learned was that it's not a great way to do things, but what is a great way to do things is just write for, like, even half an hour a day every day, and, whether it's quality or not, you showed up, you did the work. Now you have a process, and you'd be surprised at how much you can get done just doing, like, even 30 minutes a day every day, even 10 minutes. Show up for five minutes, just write anything and keep things moving, and that applies whether you're studying for an exam or a certification. No matter what you're doing, no matter what goals you're following, make sure that you have a process. You know, sleep in your gym shorts so that you're ready to go work out in the morning.
Chris Sienko:
You know, just make it easy. Remove the friction, right?
Jeffrey Brown:
That way you don't have to kind of talk yourself into it. People say, like, where do you get motivation? Or how do you get motivation to do things? I don't. I try to just facilitate processes that make it easy.
Chris Sienko:
Yeah, yeah, it's so much easier.
Chris Sienko:
I mean, it's the law of entropy. It's easier to keep something in motion than it is to, like, push it into motion, uh, endlessly.
Chris Sienko:
Like that, you know, once it's already moving, you just keep it moving. And, uh, yeah, my wife's a writer as well and she analogizes. She has that same thing about a couple of minutes every day, but she analogizes it to, like, turning on a bathtub. Like, the water's cold for a while and you feel like, oh, this is never going to get warm. But if you just turn it off and forget about it for a week, the next time you turn it on it's going to be cold again. But if you just let it go every single day, you're going to have a warm bath soon enough and it's going to feel more natural and whatever. So I don't know, that's a little abstract perhaps, but yeah, no, absolutely true. And you know, as someone who's working on cert study right now, I think you really do have to keep in mind that it's better to do 15 minutes a day than three hours every two weeks.
Jeffrey Brown:
Exactly, and also eliminate distractions. I mean, we all have our kryptonite, right, whether it's watching YouTube videos or Netflix or stuff like that.
Chris Sienko:
The whole world's a rabbit hole these days. It's just a series of rabbit holes and our attention span is pulled in so many different directions.
Jeffrey Brown:
I mean, like you know, when I do writing, as an example, I have notifications off, I put the phone away, sometimes I even revert to pencil and paper. Just because it's distraction free, I can really focus on one thing, and you'd be amazed that, like if you just even take an hour of dedicated time, no distractions, you would be amazed at how much progress you can make even in just an hour.
Chris Sienko:
Yeah, some book I read, I think it was one of those habit books. But they said that, like, the 30 seconds of panic that you have when you start to do a project is so chemical that, like, within 45 seconds it washes out of you and goes away. So many people get stopped on that 30 seconds of panic of, like, starting something new. But if you know enough that, like, this always goes away very quickly and then you get into flow, you know, in a few minutes, like, it's just easier to keep doing that every single day.
Jeffrey Brown:
So I think, you know, it's funny because neuroscience is kind of interesting in this space too. But I mean, when we have big, lofty goals like "write a book," that's not helpful. What you really need to do is break that down into very little tiny things, right?
Chris Sienko:
My goal is to write every day. Yeah, exactly, yeah. Or my goal is to pick a subject.
Jeffrey Brown:
Right, I'm going to start by picking a subject and then maybe start with an outline, and I mean, that's just a lot more concrete than "write a book."
Chris Sienko:
"Write a book" is undoable, I agree, and similarly, studying for the CISSP, uh, sounds a lot more huge than if you, like, open that book every single day and look at it for 20 minutes or whatever. Eventually the pile goes down. So, yeah, moving on, but thank you for that. That was all, I think, very helpful. Like I said, we have a lot of students who are, you know, listeners and stuff like that, so I think that's always worth reiterating. But, yeah, I wanted to have you on the show because obviously I'm very eager to find out about your role as chief information security officer for the US state of Connecticut. So I want to ask, like, is this? It sounds like, in the bio, this is kind of unique. Is there a CISO for every US state, or is this kind of a pilot thing?
Jeffrey Brown:
No, that's a great question. At this point there are about, I think, 53 CISOs, and the three being, you know, Virgin Islands and places like that that are traditional states but US territories. However, four years ago, the state of Connecticut did not have a traditional CISO. We had some people who were dedicated to security, but not really like that traditional CISO role. So, yeah, now this is a very, very big subject at the states.
Jeffrey Brown:
My understanding, as much as people come into a CISO role, like for a state government, and that sounds a little bit daunting, my understanding is that there's an awful lot of people who are actually the governors, and there's an association called the National Governors Association, and they, you know, you end up in the governor's role and your background could be any number of different things, and then all of a sudden, they're kind of scared about that. It's like, well, wait a minute, I'm on the hook for cybersecurity and, by the way, the nation states better, potentially after you. It's like, you know, they're hearing that message now and they're taking this job and this role a lot more seriously, just because the stakes have never been higher.
Chris Sienko:
Yeah, well, I mean, to that end, I, you know, I think if you're an ambitious person, it's not that surprising to get up to a level like that. But, like, for someone like me who wouldn't necessarily think to even look for something like that, what was it about your background and your experiences that prepared you for a job like being the CISO of an entire state?
Jeffrey Brown:
Yeah, that's a very interesting question too, because one of the things, I spent about 24, 25 years in finance, you know, and the reality is, if you took the tactics that work at Citigroup and you come in and you try to do this at the Department of Motor Vehicles, that's not going to work. You have to be able to adapt to the situation. You have to be able to actually observe and to listen to people and to help them understand what some of the cybersecurity concerns are. I mean, you know, 20 years ago it was very common to have the kind of conversation of, like, well, why would anyone want to attack us? That would never happen.
Jeffrey Brown:
You know, now, all of a sudden, we have to worry about, like, you know, the San Diego Zoo was ransomware. I mean, it's just really the zoo, you know. You have to start kind of thinking of, like, you know, nobody is immune to this, including individuals at home. You know, you see people losing their family photos and stuff like that. Cyber is now very much everyone's problem. One of the things that, really, people ask this all the time, like, oh, isn't there too much bureaucracy in state government? It's like, you should try some of these financial institutions.
Chris Sienko:
Yeah, true, yeah.
Jeffrey Brown:
They operate at a whole different level of bureaucracy that you might not even imagine, you know. But I think the number one thing for me was to just make sure I'm not coming in with some tired playbook and just trying to re-execute what worked in another company, even in finance. I mean, I've worked in custodial banks and consumer banks, in insurance. GE Capital is like an industrial with a bank embedded in it. I mean, you know, you have to go in with a new set of eyes every single time and really work with the culture, because, you know, as they say, culture eats strategy for breakfast. So you may have a great playbook, but if you don't work with the culture, it's not going to work.
Chris Sienko:
Wow, yeah, no, I mean, was that a big changeover for you then? Like, you didn't really have a lot of, like, state and local government experience before that, right?
Jeffrey Brown:
I had none, you know, and there's a leap of faith involved in that right.
Jeffrey Brown:
Like, I mean, you have to say I'm going to make this work and we're going to go do it. And that's exactly what I did. You know, I think being a first CISO is interesting. One of the things, why was the state even interested in hiring me, was because we were in the midst of optimizing IT, which means, like, really taking things and pulling them to the center into the executive branch of government. Think of it as centralizing IT at a large company. Suddenly, like, the game had changed quite a bit. So now, you know, in the past you used to have people embedded in the business and now we're going to centralize all of that stuff. And somebody needed to build that enterprise-class program, you know, and build that foundation for a program that's going to be able to actually take care of everybody, not just an individual agency.
Chris Sienko:
Yeah, no, that makes perfect sense. And yeah, like you said, you already understand large bureaucratic hierarchies very well, so that's certainly not the impediment. So, well, I want to sort of break apart your actual job role. We've sort of mentioned a little bit of it and, like I said, a lot of our listeners have kind of being CISO of a company in their sort of, like, wishlist where they want to go or whatever, but it's usually for, like, an individual company or a branch of the government or the military, and so I think this might be kind of new for folks. So I guess, like, what does the CISO for a state actually do and/or supervise? Like, how big is your team? What's your reach? What is your sort of larger agenda?
Jeffrey Brown:
Oh, I love it. Yeah, and I mean, what do CISOs do all day? Yeah, it's an interesting question because there's not really an industry definition. So I think even there's a saying in the state government where it's like if you've seen one state, you've seen one state. Every single one of them is a little bit different.
Jeffrey Brown:
A lot of them have grown organically and people have done what they thought was right for their state, and what you'll find is that no two states are alike. There's some common themes and things like that, but there aren't really two identical states, which is very interesting. We have a lot of, you know, first of all, we have a huge network of, we all talk to each other. We've met many of our fellow compatriots in person at events. You know, we have something called NASCIO, which is the National Association for State CIOs, so we actually meet up in person.
Jeffrey Brown:
We all have that lifeline and I think that that's really that's incredible in state government.
Jeffrey Brown:
You sort of have that a little bit in finance, but not to the extent, because at the end of the day, Citigroup and JP Morgan are competitors and there's a little bit of friction there. I'm not in competition with Colorado or Florida. We can be very candid with each other. We can work together very closely. But in terms of just the day-to-day, you'll find a lot of stuff just like in a company: we have to do patching, we have to do third-party risk.
Jeffrey Brown:
We have all of the basic kind of stuff that you have to do, but that we also have to work a little bit harder, because state government is very unique in that it's like being in every single industry.
Chris Sienko:
We have financial services.
Jeffrey Brown:
We have Department of Revenue Services. We have the Department of Banking. We got that. That's great. We also have hospitals. We have a power plant.
Chris Sienko:
We have healthcare.
Jeffrey Brown:
We have just all of this different stuff, and you have to really be able to work with the agencies, because that's what puts security in context. Yes, putting security in context is a lot more important than people give it credit for. People think, like, oh, it's a vulnerability and you have to patch it. It's like, well, what is it a vulnerability on? What could it, what's the business impact? Right, if something happened, what's that business impact?
Chris Sienko:
And being right. If something happened, what's that business impact? Or even what's the path to get to that vulnerability? Sometimes there's just vulnerabilities that you're like well, that's lower on my list because there's no real path in or out of it.
Jeffrey Brown:
No, and a lot of CISOs don't like hearing this but in some cases it's like you know, this is some legacy system.
Jeffrey Brown:
We're transitioning off of it, but we can't do it right now and you're just going to have to live with that vulnerability for a little bit. And then we have to start looking at how do we mitigate that, how do we put some, you know, how do we manage the risk. And it's funny because 25 years ago, in finance, I mean, we had to manage risk all the time, not only because financial services is a risk management function, but because we also, I mean, back then you just couldn't hire the people.
Chris Sienko:
I mean, there was no one to hire.
Jeffrey Brown:
Now you sort of fast forward. There's a lot more people, but the problem got a lot bigger. So now every industry needs somebody. You know, I feel bad for some of the small and medium companies. They try to attract and retain these people, and sometimes even the price tag is a little bit too difficult. They end up with things like fractional CISOs and stuff like that, whereas they might be served better with a full-time one. But they can't afford it and, even if they could, they might not be able to find the right person. So it's a big challenge for a lot of people.
Chris Sienko:
Now, what is your sort of reach in terms of, like, having a staff or a team? Like, do you sort of have people in local municipalities or whatever that report to you, or do you sort of send down directives? And also, I guess my question is, is there any percentage of your work that also is about defending or improving the security of, like, the citizens of Connecticut, or is this mostly all about the kind of, like, government and infrastructure security? Not enough of
Jeffrey Brown:
it is about citizens, but let's talk about that a little bit. So, number one, the primary focus of this role is really the executive branch of government. So I mean, when you look at government, it's also legislative and judicial right, and they're separate. By design, they're supposed to be separate from each other. That said so, my team is, you know, I have a great team of about 15, 20 people now, and boy they're just, you know, fantastic in the amount of work that they get done and just the way that we get things done too, and partnering with the business. That's been really incredible, you know. But you know, in terms of our scope and our reach, we are just now starting this, what they call the whole of state strategy, and that's where there's some federal grants coming. That's new for pretty much all CISOs, all state CISOs, because usually the municipalities are largely independent, largely on their own. When the state comes and asks, you know, hey, I'm from the state, I'm here to help things like that.
Jeffrey Brown:
You end up kind of, not, sometimes you get the cold shoulder. It sort of depends. But I mean, usually when we're there to say we're here to help with cyber, a lot of people will listen to that. You know, not too many people think, well, we've got that covered already. You don't hear that very much. So usually people are quite open to that.
Jeffrey Brown:
We're in the midst right now of working through some of the grant process. So we do anticipate some centralized services in the state through something called Connecticut Education Network or CEN, where we'll be able to offer services across all municipalities. They already service a lot of the education in the state, so almost 100 percent of public schools and, let's say, 95 or so percent of the private schools. So all of that traffic all flows through one place that we can actually protect centrally, which is a huge opportunity in Connecticut, and it's not like that in every state, but a few others and we're really looking to. You know again, make it easy. You know, what will happen is that you may go into a municipality. Maybe there's a head of IT, maybe not.
Jeffrey Brown:
There's almost assuredly not a CISO. A few do. City of Norwalk is a good example. They have a CISO, but even some of our bigger cities do not have a dedicated cybersecurity person, and that's all that they do. So getting on their radar is sometimes very difficult, and our job is to make it look like there's stuff available for you, it's easy to tap into, and you'd be crazy not to do it. That's how we try to change things.
Chris Sienko:
Well, the whole of state strategy that you mentioned, that sounds like that's kind of new and being sort of mass implemented across all the states. What's the sort of before and after on that, like what was the approach before that and what is changing with this whole state strategy approach?
Jeffrey Brown:
Yeah, unfortunately, the before approach was they were on their own. Very few states were doing anything. New York is an exception. I think they did an interesting deal with CrowdStrike. I guess it was where they put aside some money and made it available.
Jeffrey Brown:
That's the kind of stuff everybody's trying to do right now is try to get some very specific things that are really going to move the needle but that don't also dry up. Because one of the big challenges we have in government in general is that if we're going to pay for things by grant money, what can happen is, you know, hey, there's an administration change or the grant runs dry. What you don't want to do is you don't want to say like, well, we're going to deploy all these security controls and then if we run out of money, I guess we're going to tear them down. That's not what we want. We want sustainable controls that really help move the needle.
Jeffrey Brown:
Very basic things: patching, multi-factor authentication, even third-party risk, things like that, that are just some of the basic blocking and tackling kind of stuff. The scarcity in some cases, I mean, it'd be great if we had a blank check and we could do trillions of dollars and, you know, that's fantastic. But on the other hand, it forces us to really think about what are the most important key controls for anybody to get in place. And some of it's free, like patching, right? Like, I mean, patching is not something that costs a lot of money. You may need to buy some products to help facilitate it if you have a big environment, but most municipalities aren't huge. Especially in Connecticut, there's 169 towns. Some are bigger than others, for sure, but you know most of them are not going to have to buy, you know, enterprise-class tools to do patching and stuff like that, but patching is free.
Chris Sienko:
Yeah, yeah, and yeah, it makes a huge difference and, yeah, it's right there waiting for you. So, yeah. The last couple of weeks I've been talking to quite a few guests in the industrial control system and infrastructure security sectors, so I feel like local and state government has been sort of partly in the conversation. But from your perspective, like, what are the state-specific cyber attacks and challenges that you're facing right now? Are there problems for the state that are front and center in your mind at this point?
Jeffrey Brown:
Yeah, I think the big ones are kind of the, I guess, fairly obvious. You know, we have obviously nation-state attackers. It's an election year, so I mean I think those kind of things come into play. You know, a lot of it is really about, like, how are we going to, you know, protect our networks? We own a lot of different kinds of things. Connecticut owns a power plant, things like that. I mean we have to, you know, really be able to think about what are we using, where are we using it, what could cause a lot of harm if something were to happen, and where would the most impact be? And that's sort of, while a lot of people complain about, you know, sort of the scarcity of resources, that scarcity makes you really think about what are the most important things.
Chris Sienko:
Oh yeah.
Jeffrey Brown:
And I think it's actually a good discipline. I mean, I think in financial services, you know, we have people. We could hire people to go police spreadsheets in the business, like that.
Jeffrey Brown:
I mean you can throw a lot of people a lot of money at it, but I mean, that's not what we need, right, like we need to be able to make sure that we have the basics in place and that we have enough people to get those basics done. You know, and for the first time we have more visibility now. We didn't even have that visibility four years ago of what's out there. We didn't have the right tools in place and a lot of it was just communication. I think we touched on communication being important. I don't think it had ever really been framed on, like did you realize that we can't see all of our vulnerabilities because we don't have the right tools in place? When it's put in very simple English like that, suddenly we got funding, we got everybody's attention and we started making a lot of progress in not that much time. We've moved the needle quite a bit over the last four years.
Chris Sienko:
Yeah, there's those communication skills coming to the forefront. You got to make your case. So, yeah, I've talked with guests who are tasked with like K-12 school district security and higher ed security. Do you see common attack vectors and targets when looking at things from a state level? Is it like these kinds of things mostly phishing and social engineering, leading to ransomware, or are there other elements in the mix? Are people like really sort of like brute forcing into you know networks, or where is it coming from?
Jeffrey Brown:
You know, it's interesting.
Jeffrey Brown:
I think in the very early days of information security, we were worried primarily about some very technical attackers and some very sophisticated threats. Now, especially in the age of AI, right, I mean, it's like, you know, now the bar has been dramatically lowered for everybody. So that's, unfortunately, for attackers, but also for defenders. I see that email is still probably our number one threat vector, just because everybody has email. Everyone knows how to use email. Phishing works, right? Like, I don't need everyone to click on it, I need someone to click on it. Unfortunately, that's a pretty easy game to win and a very difficult game to defend on. We're also seeing people are getting more clever. We have some really great email controls in place right now, and we're going to start sending SMS messages or Discords, any number of different things coming from there.
Jeffrey Brown:
The one thing I would maybe add to that list, though, is third-party security risk, and I file that under "their breach, your problem." So we've had several incidents like that, where we've had a third party. They suffer a ransomware attack, and then we scramble to say, like, hey, who is this third party? Do we use them? What do we use them for? We had an instance at one point where there was a payment processor who had been compromised and we had to start really thinking about, like, if we can't get these checks out, this is needy families. This is a very big problem for us.
Jeffrey Brown:
And it wasn't because of anything we did right, it was our third party. So I would definitely keep third party risk on that list as well, because it's the one that always seems to surprise people.
Chris Sienko:
Yeah, yeah, and yeah, I mean ultimately it's, you know, assigning blame is always the hardest part anyway and doesn't generally help very much. But yeah, I mean, well, you know, everyone has email and everyone clicks, and a lot of people check their email when they're tired or not thinking closely. But, as someone charged with the online security for the state of Connecticut, Jeff, what part does security awareness learning and training play in the process? I mean, some of our guests claim security awareness training is insufficient or done wrong, and others say it's the best way forward. But do you have any thoughts on that?
Jeffrey Brown:
Yeah, you know, I actually unfortunately know a few CISOs who think that awareness is a waste of time, and I'll respectfully disagree with that completely. The challenge is, and just because awareness and training isn't perfect doesn't mean that it's not important. So, as an example, we do self-phishing exercises. We do, you know. I'll give you an example. We were in a tabletop. This was outside of the state. This was a previous company. We were in a tabletop exercise and this business actually had what they call a BISO or a Dedicated Business Information Security Officer. So this is like the business's IT security person. We're sitting in a tabletop all day long and nobody's engaged the BISO, nobody's talked to him at all, in fact. I mean, it just was really puzzling and we're sitting there trying to understand it, and it turns out that the business didn't know that they had a BISO, they didn't know how to report a security incident, and it was like, wow, I can't buy a tool to scan for that. I can't do that. I have to actually get out there and
Jeffrey Brown:
I have to be able to do some awareness activity and it's like hey, if you don't remember one single thing from today, please remember how to report a security incident when you see one.
Chris Sienko:
Yeah, no, I was going to say that's a whole other level of asset detection. We talk a lot about asset detection out here, but if you don't even know your human assets, boy, you're in for a hard road to hoe.
Jeffrey Brown:
I think, at the end of the day, you can't expect people to do the right thing if they don't know what the right thing is. That's where training and awareness comes into play, and that's why I think it's a key component. You can't just say, like, well, we're not going to do that now. That said, I think a lot of people check the box and they buy these computer-based trainings, and it's like, oh, here's a half hour's worth of training for you, and people just cringe. It's like, I'm busy, I don't really want to do this. Get something more engaging. If you have to get out there in person, go out there in person. Show them a demo of here's how people get in. There are more engaging and shorter types of training and awareness.
Jeffrey Brown:
We had, I think, a not-fit-for-purpose training tool before, and it was a high priority for us to replace that tool with something that people could actually kind of stomach and digest a little bit better, as well as one that just had a better phishing component to it, because, again, phishing is just so prominent that it's like you can't stick with a tool that's not doing anti-phishing correctly.
Chris Sienko:
Yeah, yeah, and you know it is that it is easy to get into that kind of all or nothing mentality because, like you said, it only takes one person clicking to like make a big problem but at the same time, that you get less of that one person when, like, a larger portion of your workforce understands, like what they're not supposed to do, like you know, you get a lot less errant clicks that way.
Chris Sienko:
And also, I would love to see in security awareness programs just a little more discussion around what you said knowing how to report something when it goes wrong, and also just telling people like it's okay. You know what I mean? It's not okay, but it's like don't, don't panic, don't hide this, don't pretend like it didn't happen, don't think it's going to go away. Like you know, this is, there is an actual you know. I think you're right. I think there's really a big lack of understanding, like if something really did, you know, hit the fan, like what? What do you do next? And and realizing that, like keeping a calm head is going to be a lot more beneficial.
Jeffrey Brown:
That hits another interesting point too, which is that sometimes these programs are done a little bit too punitive, especially anti-phishing programs. So I send you a fake phish, you click on it, and we're going to come down on you like a ton of bricks, like, why did you do that? You know, that's a bad day at work, right? So what can happen is that, you know, people feel like, well, I'm stupid, I didn't mean to do that, I don't want to get in trouble again. I mean, you know, when these programs are overly punitive, what happens is that when the next phish comes, and it might be a real phish, and they click on it again by accident, it's like they don't want to tell anyone. They're scared they're going to get fired and they don't tell anybody.
Jeffrey Brown:
That's exactly the opposite of the behavior we want. We want the behavior like the data lives with the individuals, and if the individuals don't know the right things to do, we can't be everywhere over everybody's shoulder. We have to get people trained that here's how you protect information, here's how you report a security incident, and some of the basics. So, you know, we can't teach them everything that we know, but we want to be able to teach them, like, here's how you spot a suspicious phish or how do you report one, and some of just the basic kind of stuff. I mean, you can't educate everybody on everything, and some people try to do that and it's overwhelming for somebody who just isn't part of security.
Jeffrey Brown:
This isn't part of their day to day.
Chris Sienko:
And again going back to what you said at the beginning about, like you know, learning to write 15 minutes a day or learning to write for five minutes a day, or whatever like, like. Having you know this in your head on a daily basis, even if it's for 30 seconds, you know, is a lot better than that one time a year where you have to sit in two hours worth of videos and then and then it all kind of goes away again.
Jeffrey Brown:
Sometimes it's annual training and that's all it is, and people just want to get through it and they fudge on the exams and they keep clicking buttons until it just says you're finished.
Chris Sienko:
Yeah right, exactly. So, yeah, I want to go back to sort of our podcast's overall goals here. Obviously, we're all about helping students and new cybersecurity professionals enter the industry, and also people who are looking to change careers later in life, which I think also fits with what you're talking about, given your background or, you know, backgrounds in non-tech, you know, disciplines. So, for those wanting to make a mark doing this kind of work at, like, a state or local level, Jeff, what are the most important skills or experiences or types of training or certifications or soft skills that you think they need to actively pursue to do this type of work well and demonstrate their excellence?
Jeffrey Brown:
Yeah, one, I would say, and the most important one is just a deep level of curiosity. I mean, the way I learned security was by just being so fascinated with it and very curious. I would spend my own money, I'd buy books, I'd buy magazines, I'd do everything I could to just kind of get immersed in it and just learn. I don't think anybody was born knowing cybersecurity. You have to learn it. And a lot of people sit back and just say like maybe I'll get training or my boss will come to me. It's like no, you've got to do that yourself. I mean you can ask for training and you want to maybe support that, but I mean you know, in absence of that, you know what are you doing personally.
Jeffrey Brown:
This is a great day and age now, where I mean you can find Harvard and MIT classes online for free. The resources are all out there. You can roll your own degree to a large extent, but without that curiosity, that spark of hey, I want to know more about this. You're just not going to have the engagement.
Jeffrey Brown:
This is a funny industry where you may spend a lot of time learning something and have to throw it all away because this has changed and this is new and you're going to have to learn new things. Lifelong learning is definitely something we look for in our hires as our soft skills, and I think that that's an important one. In fact, I think it's so important that both of my books kind of touch on the soft skills component, because you can't really especially if you want to be a leader you can't do that in a vacuum. You're going to have to work with peers, you're going to have to work with people who maybe don't support you know the well we're trying to get all this security stuff done, but we have our job to do and this stuff gets in our way and you're going to have to be able to work with them and help them understand.
Jeffrey Brown:
Why is this important and how can I help you get this done? Those are important, important soft skills. Working on a team also very important. I mean, we can't even a star performer. You can't have a star performer come in and all it's doing is dragging everybody else down. You need a fully functioning team and that means teamwork. That means being able to work with other people and being able to communicate, because that's how we work with other people is by communicating.
Chris Sienko:
Yeah, I mean, I feel like it's pretty easy to explain to someone like how to get better at tech skills. Do you have any advice in terms of you know, because it's one thing to lead a team but it's another thing to get better at learning how to lead a team via communication Do you have any like advice in sort of like taking an active role in doing that, rather than just kind of clocking hours?
Jeffrey Brown:
You know, that's a great question. When I wrote Leading the Digital Workforce, that book was a very interesting journey for me because, I mean, if you think you're going to learn a lot from reading a book, try writing one.
Chris Sienko:
You know and you really do learn a lot from that.
Jeffrey Brown:
But one of the things I would say is that you know, just being able to you know, kind of focus on the right things, being able to just not only learn right. I mean, here's a good question why isn't there a management certification? Why can't I be a certified manager of this, that or the other thing?
Chris Sienko:
Exactly.
Jeffrey Brown:
Yeah, aside from certifying.
Chris Sienko:
MBAs, I guess. Security manager, CISM, but it's not really like...
Jeffrey Brown:
oh, if I have CISM, I should be able to be a manager of people. It's like, well, not really. You now possibly know about management, but not how to manage.
Jeffrey Brown:
And it's not really until you take those skills. You know what does Mike Tyson say? He used to have a great quote of, you know, everybody has a plan until they get punched in the face. Right, you know, and it's true. You know, I can learn about management. I can learn how to give feedback, and then, if that feedback is like, well, unfortunately the business is bad, we're going to have to let you go, or your salary is being cut because, you know, times are hard at the firm. Those are really hard conversations and you're just not going to be able to read a book and do that. Right, it takes practice, it takes failure, it takes...
Jeffrey Brown:
I have a saying in the book: there is no failure, there's results, right? Like, I mean, if you do something and you get the results you didn't expect, it's not failure, it's just, how are you going to change your approach next time? So some of this is really just getting out there in the field and just trying to do it and iterating and learning from it, and unfortunately, some people never learn from it. They just do it, they do it badly and they don't get any better at it. The best of us are the ones out there who look for opportunities to grow. Like,
Jeffrey Brown:
I'll give you a couple of examples. I used to take on just about anything that would help me grow. I mean, I took on business fraud at AIG, I took on the privacy at BNY Mellon and things that are kind of similar that helped me grow personally and also gave me more practice working with diverse sets of people that are not always just cyber people. Cyber people love talking to each other, but when they get out into the business and they start talking to the business leaders, they don't know what to say, and they don't understand what they're saying either.
Jeffrey Brown:
So I mean a lot of us end up in the boardroom, and even big-time CISOs at big-time financial institutions, some of them feel like imposters, and you go into the board of directors, some of these guys are ex-CEOs, CFOs, you suddenly feel a little bit out of place. And you should, but those are the kind of experiences that grow you as an individual and the ones that really help you keep going. You know, and again, you don't stay in this business 30 years by staying stagnant.
Chris Sienko:
Yeah, yeah. Now, going to your position here, can you talk about your favorite parts of the work that you do? Are there any aspects of what you do that make you excited to keep pushing and learning? I mean, you seem like you're made out of 98 percent enthusiasm and 2 percent water anyway, but, you know, what are your favorite parts of this? Like, what's made it worth it to hit this particular spot?
Jeffrey Brown:
I love making a difference. I think that's probably the key one. In fact, there was a big shift in my career where I've been through interviews myself where it's like, you know, things didn't go very well, and it was because I was so busy focused on me and look at what I've done, instead of listening and hearing, like, what are your problems, how can I help you? You know, really being able to shift things around, so that, you know, nobody wants to hire you because you're just a superstar. They want to hire you to fix their problems. You know, and the more that you can focus on here's how I can come in and help you fix your problems, that's a great connection. People totally get that, and who doesn't want to hire that person, right?
Chris Sienko:
Yeah, yeah, yeah, no, absolutely. I mean, you know, you always hear the "sell me a pencil" thing for salespeople, and no one ever thinks to ask, what do you need in a pencil? They just start talking about the color or the shape or the, you know. So, yeah, that's all excellent advice. So you said that it's not as big a part of your job, but for listeners who might be citizens of Connecticut or, you know, states in general, are there resources available to citizens that they should know about to improve their cyber hygiene that they might not know about now?
Jeffrey Brown:
Yeah, there sure are. I mean, I would always start with some of the... Some of our federal partners spend an awful lot of time on this, and that might be the Cybersecurity and Infrastructure Security Agency, CISA. You could also go to StaySafeOnline, which I think is just StaySafeOnline.org, all one word. Well, org is the other word, right? Right. But yeah, those are, I think, great places to go. For Connecticut,
Jeffrey Brown:
we do have some material on ct.gov, but we are in the midst of trying to expand that a lot more.
Jeffrey Brown:
That's, unfortunately, one of those kinds of things that you just don't have as much time for as you would like to see. But we also do, in the state of Connecticut, for companies in Connecticut who signed a nondisclosure agreement, we have monthly calls. We have a lot of that kind of outreach, and that's been in place for a long time, where we partner with our water utilities, as an example, and our energy utilities and stuff like that, where we're making sure that they hear what's going on out there, that they know that maybe there's a big vulnerability that's in the wild. We do threat reports and updates like that, not as much down to the citizen level, and I think we need to get there, but we're not really resourced to do that right now. So I think, you know, we're certainly hopeful that more federal grants will be coming our way and that we'll be able to funnel some of that money all the way down to individual citizens, because at the end of the day, that's what we're here for. State government exists for its citizens.
Chris Sienko:
Yeah, yeah, absolutely. So, as we wrap up today, Jeffrey, I mean, this is definitely an area that I know that you think about as a multiple author, but can you tell our listeners, like, the best piece of career advice you have ever received?
Jeffrey Brown:
Yeah, you know I'm going to actually share some anti-career advice that I got, but it had a big influence on me.
Chris Sienko:
Beneficial yeah.
Jeffrey Brown:
I think it's important. But, you know, when I was a kid, I had some struggles learning, just due to various health conditions, things like that. And then some of those headwinds went away. But I mean, at one point I had a guidance counselor, and no disrespect to guidance counselors, I'm sure some of them are fantastic, mine was not, and I was sort of told, you know, maybe some people aren't really cut out for college, you know. And then later, I have a master's.
Jeffrey Brown:
I have about five, six, seven industry certifications. Obviously, it sort of lit a fire under me that never went out. So my advice would be, get your fire, get your spark from wherever you can get it. If everybody's giving you negative energy, turn it around, turn it into something positive. But I think that had a big influence on me.
Chris Sienko:
It's like, you know what, I'm gonna show you. Yeah, yeah, no, I was gonna say that I like that that's the sort of the capper to all this, because I feel like we've been sort of almost saying that several times during this discussion, like it's up to you to sort of find your own sort of energy source, and it's up to you to find your own enthusiasm and your own sort of forward momentum. So that's, I think that's great. Yeah, absolutely.
Jeffrey Brown:
And it's something that's really important. I mean, your mindset is so important and we hardly ever talk about it. But I'll give you a quick story. When I was going to Merrill Lynch, I was candidate number four out of the top three, so in other words, I was out.
Jeffrey Brown:
One of those candidates got another job, so suddenly I became number three, and I think I was sort of a distant number three, and the recruiter actually talked to me and he said, Jeff, you know what? You can definitely do this job, but you're going in like you can't, and it's showing. Go in there more confident. And one of the things I learned was I went in a lot more confident and we started talking about the role, and, like many companies, the job description was so just out of whack and wrong, and I mean it was like, oh yeah, you would never do this.
Jeffrey Brown:
AT&T manages that. I mean, it's just stuff that was like, you know, I'm like, look, full disclosure, I don't really understand this, that and the other thing on the description. Don't get hung up on the description. Go talk to them, see what they need, see what they want. They wanted to talk to me for a reason, and I almost knocked myself out of the running because my mindset was wrong.
Chris Sienko:
Interesting. Yeah, boy, that's also very good advice. So you've already given us a lot about, you know, what you do with the state of Connecticut, so let's just sort of wrap this up. One last question here: if our listeners want to learn more about you, Jeffrey Brown, and the books that you've written, but also the work you do with the state of Connecticut, like, where should they look online for your stuff?
Jeffrey Brown:
Yeah, great. I mean, I'm certainly pretty active on LinkedIn. Of course, there's unfortunately an embarrassment of Jeff Browns in cybersecurity. So I am at in slash Jeffrey W Brown, I believe, on LinkedIn. If you can't find me there, you can certainly find me at... A lot of my books are sort of highlighted at digital-leadership.com, and that's with a hyphen, digital-leadership.com.
Chris Sienko:
Got it. That's awesome. Well, Jeffrey, thank you so much for joining me today. This was an absolute blast, and I know our listeners got a lot out of it as well, so thank you.
Jeffrey Brown:
Love it. Absolutely, and thanks for inviting me.
Chris Sienko:
And, as always, thank you to everyone who watches, listens and writes into the podcast with feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, drop them in the comments below, as usual. Before we go, don't forget infosecinstitute.com/free for a whole bunch of free and exclusive stuff for Cyber Work listeners. Speaking of security awareness training, learn about our new security awareness training series, Work Bytes, which is a smartly scripted and hilariously acted set of videos in which a very strange office staffed by a pirate, a zombie, an alien, a fairy princess, a vampire and others navigate their way through age-old struggles of yore, whether it's not clicking on the treasure map someone just emailed you, making sure your nocturnal vampiric accounting work at the hotel is VPN secured, or realizing that, even if you have a face as recognizable as the office's terrifying IT guy Boneslicer, we still can't buzz you in without your key card. Anyway, go to the site and check out the trailer.
Chris Sienko:
infosecinstitute.com/free is still your best place to go for your free cybersecurity talent development ebook. We still download a lot of those every single week, so go check it out. You'll find our in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional and more. One last time: infosecinstitute.com/free, and the link, as always, is in the description below. One last time, thank you so much to Jeffrey Brown and the state of Connecticut, and thank you all for watching and listening, and until next week, this is Chris Sienko signing off, saying happy learning.