[00:00:00] Chris Sienko: Today on Cyber Work, I talk with Ginny Morton, Project Management Professional at Dell and veteran in the US Army about the practice of cybersecurity project management in both for profit and military sectors. We talk Scrum and Agile certifications, building the best team for the project, and tapping into your personal power in all of your work. That’s all today on Cyber Work.
Also, let’s talk about Cyber Work Applied, a new series from Cyber Work. Whether you want to learn how cross site scripting attacks work, set up a man in the middle attack, or get a blow by blow recap of the Equifax breach. Expert Infosec instructors and industry practitioners will teach these cybersecurity skills and show you how those skills apply to real world scenarios. Best of all, it’s 100% free, just go to infosecinstitute.com/ learn or check out the link in the description below and get started with fun hands on training that keeps the cybersecurity skills you have relevant. That’s infosec.institute.com/learn. Now, let’s begin the show.
[00:01:06] CS: Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends. The way those trends affect the work of Infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry.
Ginny Morton is a Senior Cyber Security Advisor Program Management at Dell and had spent much of her career in the project management space for cybersecurity. Previously working at Tech systems and in both the Texas Army National Guard and the US Army. So, our recent guests project manager, Jackie Olshack recommended Ginny for the show. As we had a ton of people tune in to see Jackie’s episode, we realized that our listeners are pretty passionate and thirsty for more project management and IT and cyber content as a career path.
So, I’m really looking forward to talking with Ginny about her career path, as well as some of the unique aspects of doing project management work on a federal and military level.
So, Jenny, thank you for joining me, and welcome to Cyber Work.
[00:02:01] Ginny Morton: Thank you and it’s great to be here.
[00:02:04] CS: Thank you very much. So, I’d like to start with the usual origin story question, what what first got you interested in IT and security? I see that you did IT project management going all the way back to your earliest days in the US Army. So, did you learn these skills in your military training or did you bring them to your military training?
[00:02:20] GM: So, that’s an interesting question. But first, I’m very interested in IT. It’s actually from my mother, because she was a restaurant manager and that’s when Windows, all that came out. She wanted somebody to make poster for her to make words, and all that, and spreadsheet. So, she pretty much told me, “Ginny, please learn Excel.” So, I found a way to learn Excel, and I was able to do everything for her.
Fast forward through the military, and I wasn’t even in the IT field. I was in the warehouse fields processing repair parts. However, I guess I typed very, very fast and my boss was looking at me. So normal people, instead of processing 30 parts a day, I was able to do 300 parts a day. I don’t know if it was my typing skill or anything. So, she put in the office and at that time, I was doing command, a little bit command printing on the UNIX system. I had no idea what that was. I knew I was in the route. But that’s all I knew. But that’s when I realized, “Hey, I might be good at that. Let me go pursue this field.” So, I got an IT degree, Computer Information System in the bachelor and Management Information System as master and graduate degree. So, here I am.
[00:03:36] CS: Okay. So, you brought you brought your degrees and your experience with you to the US Army then. Is that right?
[00:03:42] GM: First. So, I was fortunate enough to branch Signal Corps, which is the army communication branch. So, when we go into training, and of course, the Army did provide enough technical training to understand what the network is, what is the OSI model, but it did not really teach you how to manage it. So, my first job is really, “Hey, in this first job, you got the basic skill, you need to enable us to talk.” Us, I mean is my customer, my customer, my bosses and they all right me. It’s okay, you better make it happen. So, guess what? We made it happen.
[00:04:23] CS: There you go. That’s probably still the best way to learn anything.
[00:04:27] GM: That’s for sure.
[00:04:29] CS: Yeah. So, like I said, a few months back, we had your colleague, Jackie Olshack on to talk about cybersecurity project management, and we were delighted to find out that people are quite eager to hear more about it. We got a thousand listeners for the episode in just the first week alone. So, we were like, “Let’s talk more about cybersecurity project management.” So, for those who are just considering this type of work, tell us what a project manager does in a cybersecurity space like yourself? How does your work fit into the larger security landscape at Dell?
[00:04:57] GM: So yes, I work Jackie. So, I heard her talking about this podcast and Jackie is a really phenomenal project manager., I’m glad we have her in the field. So, with your question, first of all I want to say like as a project manager in cybersecurity is really come down to and I want to break it down like this. It comes down to these three parts, which is your personal power, your expert power, and your positional power. I can tell you 70% is my life for me, is personal powers. 20% is my expert power. Expert power as in what kind of knowledge I have in the cybersecurity field, and 10% is my position power.
So, my position power, which I’m a project manager, but I don’t own the team. I do have like all the teammates, everybody I work with, they have a manager to report to. So how you, as a project manager, go into your organization to motivate people to get the job done, and that’s what a project manager does. As far as my experience was, that’s what I do in any field, even in the Army or at Dell.
[00:06:11] CS: Now, can you sort of walk us through what your average workday is like? What are some tasks that you do every single day as a project manager?
[00:06:19] GM: I will say, from planning the project, making sure everything goes straight, we move impediment, putting out fires, and communicate with people, read people, gain commitment, gain trust, built a team, motivate a team, and all, I have to do.
[00:06:38] CS: Okay, so when you say putting out fires, like what are some of the average fires that happen in a project? What’s something that just grinds to a halt that you need to come in and sort of untangle the mask?
[00:06:49] GM: So, I can tell you, it’s not specific for one organization, I think, in general. Because whenever you roll out a project, let’s say you have a software to roll out, it doesn’t just involve your software, it involves the customer, it involves the infrastructure team, how do you build that? So, some of the fire is, and we got this application we need testing, but the business team, most of the time they’re busy, and how are you engaging with them? Or maybe when major stakeholder because they overwork, how are you going to engage them to make them understand, to let them understand your work is important. Your engineer work is important, how they respond to you, and that’s what the main portion of the project manager is where we make our money is to get commitment, get people involved.
[00:07:40] CS: Okay, so what are the aspects of your job that you enjoy the most? And what are also more importantly, the aspects of your job that might not be as fun whether it’s paperwork or telling people to do things they don’t want to do, but that people should know is integral to the work. So, what are your favorite things and then what are the least favorite but still important things?
[00:07:59] GM: I think my favorite thing to do is really to build a team, because the team will work. It doesn’t matter what organization you go to. Why are they engineers? Why are they architects? Is because they work their way. So, they do want to produce result. So, what I enjoy the most is I go in, and I see them working hard. What can I help them with? I can help them with coordination. We move any impediment between departments, and to get them to work, they don’t have to worry about other things, they don’t have to worry about scheduling, they don’t have to worry about producing their progress, they don’t have to even worry about talking to their boss about what they’re doing. Because that’s what they got you for. They got you so you will be able to translate a different language.
I think that’s what I enjoy the most not only I’m able to talk with the team, and I’m able to, per se, brag about my team in front of the management and the work they have done and, in a way, that the management understand without going into the configuration detail or any detail to make the team shine. That’s what I enjoy the most.
[00:09:02] CS: That’s interesting to know that, that you’re also sort of the mouthpiece of the teams. I didn’t really realize that and I know we we talked to a lot of cybersecurity professionals and they always say that it’s really important to have communication skills, even if you’re incredibly in the weeds with what you do. But it’s also interesting to know that the project manager can be your kind of voice for you, if you’re not the sort that likes to talk to the the board or the the trustees or anything.
[00:09:28] GM: Exactly.
[00:09:29] CS: Yeah. So, in what ways does having a project manager as part of your security team improve the work of cybersecurity itself? Like what does your team do better, safer or more efficiently because of your work on the team?
[00:09:40] GM: So, I would say every single project I implement for the cybersecurity team and it doesn’t matter what organization is, there’s a need for that tool. There’s a need for that tool improve the network security to meet the business requirement. So, in turn when every tool that you provide to the network, to the environment, you have strengthened the security of the organization. So, in turn, your customers are protected. When your customers know they are being protected, because you’re using up to date technology, you have a good project management team to execute. However, technology that’s up to date that need to be implemented. And your stakeholder, your customer or your stockholder will have confidence to your organization, “Hey, I want to invest. I want to do business with you because we trust you. You will not lose our information to malicious party.” So, there’s a confidence building for what I do and I really enjoy what I do.
[00:10:40] CS: I love that. So, you were talking about in terms of like, one of your favorite things to do is, is putting teams together. Now, I’m trying to get a sense of this. So, like in Dell, is there kind of like a pool of IT people or project people? And you’re looking at the scope of the project and you’re saying, “Okay, Bob, and Jenny and George would be the best for this one.” Are you sort of putting the team together in that way or are you sort of like adding – I guess, would like to sort of get a sense of what it’s like i in a granular way?
[00:11:13] GM: So, in most organizations, I will tell you same as the army. Most organizations, you have teams to do different stuff. It depends on how your organization. Let’s say if I make US army as an example, you have your infantry guys, you have your logistical guy, and you have your engineer, but you also have IT portion. So, what IT does is making sure whatever equipment they use, is to test. That’s the day to day basis and that’s what most IT people or cybersecurity people, they have day-to-day work. However, just like the army, or Dell, or even Apple or Tesla, they have a certain product to produce outside of their day-to-day work.
So, their product is in, let’s say your day-to-day work security, incidence respond. I’m looking at all this law. I have this to report. I have this. But all of a sudden, we have a new tool to implement. So, that becomes a project. So, do I start my day-to-day work to concentrate on you? What do I do? That’s when the PM comes to. PM does not really select people. That’s when the management team gives you a team of people. Okay, I have this team, I give it to you. So, the people are given to you. The team are built because management knows these projects are important to roll out, so you have this team, you have this team, everybody got commitment. So, now we have this team, they are from all different pillars, department, how you motivate them, how you build a relationship with this team during this project duration.
[00:12:50] CS: Okay, now, have you ever come into a situation where there was an IT team that had not had a project management before, and everyone was just doing a little bit everything and no one was sort of specializing anything? Have you had to really come in and like, just sweep up and like start from the ground up before?
[00:13:08] GM: All the time.
[00:13:08] CS: All the time, okay
[00:13:12] GM: Actually, surprisingly, it goes really well, at least for me is because everybody’s busy. Everybody’s craving, looking for help. And when you go in, but when you go in your attitude is, “Hey, I’m here to help you. So, here’s what I’m going to do. Here’s what you can tell me, what’s going on right now?” And you tell me what A, B, C. “Oh, you got to get it done. My deadlines here.” And most likely, I already know what the deadline, but I want them to tell me so I gain their understanding. I know what they’re understanding is. In turn, I engage.
So, when they finish telling me, I’ll say, “Okay, hold up, you’re the engineer.” So, what I’m going to do is, “Here’s what I can help you. I can help you do A, B, C. You don’t have to worry about infrastructure. You don’t have to worry about the business because that’s what I’m here for you. I will do more A, B and C for you. So, in turn, could you concentrate on architecting the network, building the – configurating whatever software appliances we have.” 9 of 10, I actually haven’t seen an engineer or any stakeholder, any team that will be like, “I don’t want you to do that for me.” Nobody will say that. They are grateful because you are here to help them.
[00:14:22] CS: Right. Sometimes I think it’s really easy to get paralyzed by all the choices. What do I do next? Where do I go from here? Here, you’re giving them the answer. Do this next. Do this thing next. Is that right?
[00:14:34] GM: Exactly.
[00:14:36] CS: Okay. So, can you tell me about the certifications that you hold? I know you’re a certified Scrum Master and Scrum Fundamentals Certified in Project Management, but all the way over also to CCNA and networking. Can you talk about what each cert has done to either help you learn the skills to do the tasks that you do or show employers that you have those skills?
[00:14:54] GM: I cannot stress that. Certification is really important. I always start from the Scrum Master and my skill Agile Scrum Master. So, those certs are really to confirm what I’m doing is the right approach. So, what Agile is, Agile is not really a tool or skill set. Yes, they give you tools. They give you a skill set. But it’s what are you going to use? Which tool and skill set are you going to pay in order to drive results? Because at the end of the day, it doesn’t matter what skill set you have. Are you driving results? Are you closing project on time? Are you making organization better?
So, the skill set is what I learned, so I can apply it to the project management skill. This has been beneficial for me. I can talk back about the Cisco certification CCNA. What it is, and I’m lucky, I had the opportunity because the great US Army put me through that certification, along with many other stuffs, and it was great, because it’s not like the skill set actually served me because I don’t manipulate the network. I do not configure the network. But what it gives me is confidence. When my engineer come and talk about let’s say, for example, I have this on DMC, I have to put something on the core layer, I don’t have to do [inaudible 00:16:16], I don’t know what they’re talking about. I know exactly what you’re talking about. I know exactly what it is, when you’re talking about subnets, when you’re talking about VLAN. I know what you’re talking about. And even though, like when your knowledge becomes, you don’t have to understand the detail, but you know the gist of it. In turn, you become more and more confident. When things come out that you don’t know, let’s say that’s a term call blue cat. I didn’t know what that was. I can just Google and Google will tell me instead of Google 10 things, now that because I have this certification base, I only have to Google one thing.
[00:16:53] CS: Yeah. Now, are there any other certifications that you’re in the process of studying for? Or do you have what you need for the moment?
[00:17:00] GM: Nobody will ever have what they need to do everything.
[00:17:05] CS: Not, if you want to grow, right?
[00:17:07] GM: Exactly. I wouldn’t say that I’m still pursuing but I think that’s one certification in cybersecurity, actually, a couple of them and people should – anybody who’s interested in the cybersecurity space should look into it. The first one is really, Jackie mentioned that too, is the security pulse. Because this is that welcome to cybersecurity. Let me teach you the lingo. Let me teach you what really cybersecurity is. When you get really, really good at it, you have some experience in the cybersecurity field, the next one I will say everybody should strive for is CISSP.
When I say strive for, I don’t mean you need to get a certification. Honestly, the certification is so hard I try. But even though I didn’t get a certification, the knowledge you learn to apply to the cybersecurity world is very important, because many of the security lingo why they do certain things they do, what kind of encryption is good, and why are they good in this encryption, what’s out there, is it just encrypting the thing or is the message integrity? By the way, the credit card you use, the chips, what is this for compared to the whole world?
In the army, we have a common access card, why does it have chips? They set that certification inside. Why is that? So, all these questions can be answer through that course. When you come out, even though you might not have the cert but you have the knowledge and then you understand everything from knowledge become common sense. You will be more and more confident and your future will be unlimited.
[00:18:55] CS: Now are you are you PMP certified? Is that something you’re thinking?
[00:18:59] GM: I’m actually not. No offense, I love Houston PMI Institute. I went through the course and it was mainly process driven and very in detail and it’s very beneficial. It depends on what field you are. Just me personally, it didn’t benefit me as much, just because when I’m going through my project management, it’s driving result. In the software development world, in the cybersecurity world, it’s hard to make a year plan. You can’t make a year plan because the plan change. You can spend 70% of your project management to do like a work breakdown structure into detail, and you will change. So, what I did is I broke it down into quarter, into months, and then I make sure we produce, we produce. Guess what? Literally, I know that’s a term for called Agile.
[00:19:54] CS: Right. Okay.
[00:19:56] GM: So, that’s the certification I decided to go for.
[00:19:57] CS: Nice. Okay. I mean, like I said, I have no stake, one way or the other, whether you have the PMP. But it’s just seen as sort of like the top of the hill in terms of like project management stuff. So, I like knowing the different tools, like I said, different tools for different jobs and stuff. So, if you know Agile and Scrum, you know, work better for what you do in these types of projects, then that makes – and that’s helpful for our listeners as well to know that you don’t need to collect every cert to start doing the work.
[00:20:27] GM: You really don’t. But the good news about PMP cert, is they are really transforming to the Agile format. So, for anybody that does not have any PM, I will say private sector PM experience. Let’s say you’re in the army, you’re doing the work or you are in the organization, you already doing the work, but they just don’t call it a PM work. It is still very beneficial for you to pursue the PMP or the Scrum Master or the Scale Agile. Any of those certs will help you at least to get your foot into the door, you need those certs.
[00:21:02] CS: Now speaking of, you’d mentioned that you’ve done project management tasks both for profit companies like Dell, where you’re currently employed, as well as for the US Army and the Texas Army National Guard. Can you speak about any differences in the way you do project management work between the two? Are there things like security clearances or other high secrecy issues that affect the methodology between one than the other?
[00:21:22] GM: So, the difference between the nonprofit and the profit, it depends on what their goal. But the way of work, to me it’s very similar. So, with the army, your motivation is not money because the organization or strive for money. Your motivation is keeping people alive. How do you as IT, as a cybersecurity person, keep somebody downrange. You might think, my thing, it doesn’t connect. But if you don’t secure your network, you don’t secure for all the intelligence, then malicious hacker can go in or your enemy country can go in and look at the information, know all your location, in turn you cost the lives of many people. So, that’s your motivation into keeping the network safe.
In civilian is profit driven. Like, I said before, how are you going to maintain the business? Because for cybersecurity, or any IT world, as long as you’re not the sales team, you are here to spend money. So, how are you going to continue to spend money? You have to enable the team that make money to continue to make money. So, as long as you understand that, that you’re here to support the sales team to make money, the business is everything. You need to listen to your business. You need to listen to who stand up, who maintain the organization. In turn, you will be a very good provider and very good support element.
[00:22:49] CS: Now, yeah, I guess I’m asking also, because I know when you get pretty high level in cybersecurity, there are certain government clearances that you need to do your work. Now, I mean, I know because you’re in the military, you probably have those clearances, but for people who are trying to work in that sphere, are there certain sort of military level clearances that you would need to do the work of project management?
[00:23:10] GM: So, it depends. So, if you work in the military, yes, you do. Like for me, in the military, I will have to maintain a top-secret clearance because of this position. I mean, I’m maintaining and the materials I’m touching. However, in most industry, as long as you are not like general dynamic or L3 that work directly to the military, they are the military contracting. Security clearances are not required. What is required, for example, in my experience right now with my organization is I am in the federal space for my organization. I have to be a US citizen. I have to have a clear background. So, these two are very important and I think it’s not just in my organization. I think in most places a clear background is really important. US citizen might not be a requirement, but the clear background is really important.
[00:23:10] CS: Sure. Now, you’ve climbed pretty far up the ladder in the project management sphere. Can you talk about what combination of skills or experiences that you would want to work on to reach the next highest level? Like what types of projects do master level project managers get to do that are too complex or demanding people who are just entering the industry?
[00:24:28] GM: I will say, don’t be afraid to start low. I started low and I started as a project coordinator, which is the assistant of the project manager. So, don’t be afraid of that, because even when you’ve coming from another industry, and let’s say you have the experience, you have the maturity, you know you are a true leader, you know you have to build a team, but you don’t have the industry experience. I spent one year to start on a lower level to get the lingo, to get the knowledge. Once you get the language, you get the knowledge and because you have your work ethic, and because you have whatever it takes to get the project done, you drive result, people can see that. Instantly, you will have that kind of connection.
For people who are in, especially in the military, and or maybe not in IT field, I will say IT or cybersecurity recruiters everywhere in the United States. Update your resume, get help to update your resume, put it on LinkedIn, Monster, whatever you can think of. Put on there. Recruiters will start reaching out to you and that’s when you start. Don’t be afraid to start as a contractor, because that’s how I started as a contractor, and then work your way into a full time, a promoter position.
[00:25:53] CS: Now, what are some of the skills or interests that people who want to be project managers should have? What type of people succeed and thrive in this space?
[00:26:03] GM: I would say, like, before the triangle factor, which is your personal personal power, your expert power and your position power. The most important thing is your personal power. What that means is leadership. How are you going to empower your team? Do you know how to encourage your team? Do you know how to recognize, give recognition when people are doing a good job truly, wholeheartedly, not just a checkbox. “Okay, I’m going to give you recognition because you did good.” No, literally understand what they do so good and stop bad culture. For example, point blaming. If you can do that, and you can express that during the interview, you’re doing your job interview, or whenever you push to the next job in the project management world. I can tell you many managements are looking for that personality. They won’t tell you, but that’s what they’re looking for.
[00:27:01] CS: That’s what they’re looking for. Yeah, absolutely. Now, for people who might feel stuck in their current job or intimidated by the prospect of trying to get into project management from something else, are there something you’d recommend that they start working on tonight that would help them understand the work and begin working towards a career change in project management?
[00:27:20] GM: I always say start certification, whatever certification you can start. Listen to podcasts like this. Go online. Google anything you you might have interest on, or just type in cybersecurity and read some headline and to see where it will take you.
[00:27:37] CS: Yeah. Now, has the project management field changed at all in the face of work from home orders and COVID? Does it normally require close collaboration that’s currently being disrupted? And if so, what are you doing to get around that?
[00:27:50] GM: So, I’m blessed to be in a company that believe in more from home before COVID. So, I can tell you working from home from my experience is actually way more productive than going into the office. I get to just walk into my office and start my work and sometimes I’ll be in my pajamas. So, I don’t have to worry about a whole lot of things. When I am hungry, I can just go grab lunch. I can take a break. It doesn’t take 15 or 20 minutes. Think about it. If you have to drive an hour to go to work, your lunch is an hour, you have to leave the office come back and your workday is actually not that much. But you feel like you work for a long time because you’re not in your house. So, to me, working from home, I think it makes our organization more productive and makes everybody more productive.
[00:28:41] CS: Now, it sounds like you were working from home before that anyway, but now that everyone’s working from home, has that changed anything about sort of like how you do what you do? Have you had to like make adjustments in terms of methodology? Or has your whole team always been sort of working in their homes?
[00:29:02] GM: So, not everybody. I can tell you yes, there’s some adjustment. For example, me talking to you in Zoom right now. If this is the first time you talk on Zoom, being in the camera, looking at somebody else, you will be very uncomfortable. So, practice, and everybody is practicing, everybody is adjusting. AT First, nobody wants to turn on the camera. But once in a while when you get close to your team, we just want to know what everybody looks like. So, we turn on a camera and we say hi, and then we have a good time. Sometimes we even use it for virtual happy hours. In all honesty, with this, nowadays virtual world., many people are talking to their family this way because they everywhere in the world. So yes, this adjustment, but the adjustment is very quick and the transition is very close to me so far.
[00:29:49] CS: Yeah, it definitely seems like it, and people have figured it out pretty quickly. I think people are finally surprised by that. So, as we wrap up today, do you see the role of project management changing in the coming years? Are there some ways that people who are studying and learning to enter this industry now can future proof their skills based on how the trends might go?
[00:30:08] GM: Yeah, I think project management is changing all the time, just because from before, how business come up to now, Apple, Tesla, Dell, and all these organizations can continue to drive and excel and make a good profit. Regardless of COVID, or whatever politics that affect it, how are they still continue to prosper, because they have to change the process, they have to change their project management.
So, if you’re already in the industry, please keep up your skill. If you’re not and you’re interested, get some base certification, pay attention to current events, and be confident when you want one industry. Go into the meeting, go into the interview with confidence. Don’t be afraid to fail. You might not get the interview, you might not get the job on the first 10 times, but do not stop trying.
[00:30:58] CS: Yeah. Having your personal power, like you said. So, as we wrap up, do you have any projects or anything you want to promote? Is there anything next for you or where can our listeners find you online?
[00:31:10] GM: You can find me on LinkedIn on LinkedIn/ginnycyc. Cyc used my name a long time ago when I came from Hong Kong. So, it’s Ginny Cyc. I’m on Facebook as well and you can reach me by email. I like to help. I like to help people with their resume and I love to help people, especially military people to transition, because I went through this, it wasn’t easy. But you know what, I got through it and I want to help you to get through it, too.
[00:31:39] CS: Well, Ginny, thank you so much for sharing your time and insights with us today. This was a lot of fun.
[00:31:43] GM: Thank you. Nice to meet you, Chris.
[00:31:45] CS: Thank you. And as always, thank you to our listeners at home and at work for listening and watching. New episodes of the Cyber Work Podcast are available every Monday at 1 PM Central both on video and our YouTube page at www.infosecinstitute,com/infosec or on audio, wherever fine podcasts are downloaded. I think if you want to rate and review as five stars, that would always be helpful.
Also, don’t forget to check out our hands-on training series Cyber Work Applied. Tune in as expert Infosec instructors teach you a new cybersecurity skill and show you how that skill applies to real world scenarios. Go to infosecinstitute.com/ learn to stay up to date on all things Cyber Work. Thank you once again to Ginny Morton, and thank you all again for watching and listening. We’ll speak to you next week.