The Brandeis GPS blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Category: Faces of GPS (page 1 of 5)

Project Management in the Government

By Mike Gauthier

Do you work for the government? Is the public sector a career you may be interested in pursuing? Are you a contractor currently servicing the government? Do you have a passion for non-profits?

If these questions resonate with you, I would highly suggest pursuing professional development opportunities in government project management.

Every year, Brandeis Graduate Professional Studies offers special topics courses on subjects that are popular, interesting, niche, or simply unique. Project Management in the Government is certainly both niche and popular these days, with public projects routinely criticized or politicized. If you are a project manager, program manager, contractor, or administrator, this class offers lessons learned and practical considerations for planning, budgeting, managing, closing out, and maintaining a project.

The fully online course covers the framework of a government project's entire lifecycle, and you will also explore the particulars of federal, DoD, state, local, and non-profit projects as they relate to these endeavors. We will look at case studies and recent articles on the challenges project managers may face. One week of the 10-week course covers best practices in government and contractor vendor management (prequalification and after-action reporting), while another addresses capital budgeting, financing, and fundraising for projects.

Here is what you can expect from taking this course with me:

  1. There is no textbook. I plan to run the class like a seminar, so that what you learn can be applied immediately where you work.
  2. Your semester assignment is based on the real world. You will be able to use it for actual projects that you manage.
  3. You will be able to perform a variety of framework analyses on planned and reactive government projects.
  4. You will be able to identify the areas of importance to government and non-profit organizations and work successfully within their rule sets.
  5. You will be able to apply best practices in contractor management.
  6. You will be able to identify and analyze the proper use of project financing and debt management.
  7. You will be able to recognize and adjust to future trends in government and non-profit project endeavors.

This 10-week, fully online course will run from April 10 to June 18. Start the registration process here or contact 781-736-8787 or gps@brandeis.edu for more information.

Mike Gauthier currently serves as a Team Lead in the Contracting Services Department at MIT Lincoln Laboratory. He provides oversight, direction, and leadership to a group of contracts professionals in accordance with FAR, DFARS, and MITLL policies and procedures. He is also the Vice President for Education for the National Contract Management Association – Boston Chapter. Gauthier is an Adjunct Faculty Member at Brandeis University Rabb School of Continuing Studies (Division of Graduate Professional Studies), teaching Negotiation, Procurement & Contract Management, and Project Management in the Government.

Prior to MIT and Brandeis, he was the Chief Procurement Officer for the City of Woburn, a Guest Instructor at the Massachusetts Office of the Inspector General, and a Procurement Analyst for the City of Somerville, and he spent many years serving the federal and state governments as a contractor.

He is certified as a Massachusetts Certified Public Purchasing Official (MCPPO), and as a Certified Professional Contracts Manager (CPCM) and Certified Federal Contracts Manager (CFCM) by the National Contract Management Association. He holds a Bachelor's Degree from Boston College and a Master's in Public Administration from Framingham State University, and trained extensively at the Massachusetts Institute of Technology. Gauthier was a presenter at the 2016 NCMA World Congress and the 2015 March Workshop. He is a published author in NCMA and Massachusetts Office of the Inspector General publications.

Faces of GPS is an occasional series that profiles Brandeis University Graduate Professional Studies students, faculty and staff. Find more Faces of GPS stories here.

The importance of UDL

By Lance Eaton

Accessibility has been an important issue within education for decades and, increasingly, one that is causing many institutions to revisit some of their daily practices and educational tools. As more institutions leverage digital technology in their learning environments, some are coming up short in making sure all students can equally access such learning experiences. Since making learning experiences accessible to all students is legally required, institutions are more actively pursuing the practice known as Universal Design for Learning (UDL).

UDL is a conscientious effort to create learning experiences (everything from individual readings and assignments to entire courses and programs) that are accessible to a wider range of people, regardless of the challenges they might face with respect to their physical, social, mental, and emotional abilities. Implicit in UDL is the idea that we often create artificial barriers that make it improbable or impossible for students to successfully learn and complete a course.

A universally designed picnic bench

To help people think about the challenges and opportunities of leveraging UDL to make courses more accessible, we have recorded a webinar and built a website of resources to help others more effectively develop learning experiences from which all people can benefit.

View webinar  |  Learn more about Accessibility and UDL

Lance Eaton is an instructional designer and faculty development specialist at Brandeis University Graduate Professional Studies. He previously worked as an instructional designer at North Community College and Regis College. He is currently working on his PhD in Higher Education at the University of Massachusetts, Boston.


Image Source: Virginia State Parks

Project Management in the Gig Economy

By Leanne Bateman

In last month's blog post, I mentioned that in today's market, a professional project manager has the option to work as a full-time project manager for a company or to work as a project management contractor or consultant. This month, we will focus on the contract project manager.

Prior to 2008, it was not uncommon to see project manager positions as regular full-time roles (particularly in IT departments) in many U.S. companies. When companies could not find an available full-time project manager to meet their needs, or if they did not have the funding for a permanent position, they had the option of hiring a contract project manager for a limited period. This worked out well for the company, which could bring in an on-site PM either to augment its staff and manage several projects or to manage a single project with no commitment to future work. It also worked out well for project managers, who appreciated the typically higher pay while enjoying the flexibility of working across different departments, companies, or industries.

The Rise of the Gig Economy
The rise of contract work in the 2000s came to be known as the "gig economy," borrowing the term musicians use for a paid show in a club or bar. The gig economy really took off after the significant economic downturn of 2008-2009, as companies went through layoffs and unemployed workers started taking temporary work to sustain their incomes. While the trend formed through dire circumstances and financial instability, growth continued long after the economy stabilized, and that rate of growth will continue to increase. Why?

“Gigging”—whether through a set contract or ongoing consulting—tends to offer higher pay per hour to compensate for the lack of benefits. The flexibility is attractive to those who want more control over their work schedules or who seek breaks between contracts. There is also increasing opportunity to work in different companies and different industries, or to start as a contractor and convert to a permanent, full-time position once the compatibility between employee and employer is established.

Today, the gig economy is even stronger than could have been predicted for all levels of employees. The opportunities have stayed on par with the demand, including the rapid expansion of services such as Uber and Lyft as gig jobs offering riders a lower-cost transportation option. In the same way, accommodation services like Airbnb and HomeAway offer alternatives to pricier hotels. For both types of services, individuals are using their personal assets (their cars or homes) to make money through a temporary arrangement.

The Gig Economy and Project Management
So, back to project management. The gig economy has been an extremely beneficial environment for both new and experienced project managers. Not only are there numerous opportunities across just about every professional segment and experience level, there is a consistently healthy rate of demand with low to moderate competition. And this demand is expected to increase significantly, eventually overtaking traditional employment by 2027:

The Future of the Gig Economy

Image courtesy of Jessup University

So, if you are one of the traditionally employed project managers interested in taking advantage of the benefits of working as a contract project manager, please be sure to take note of the typical differences before you take the leap.

Benefit                                       Traditional Employment   Contract Employment
Paid time off                                 Yes                      No
Healthcare benefits                           Yes                      No
Employer contribution to retirement plan      Yes                      Depends on contract agency
Feeling of inclusion                          Yes                      No
Higher hourly pay                             No                       Yes
Flexibility in work schedule                  No                       Yes
Flexibility to work across different areas    No                       Yes
Less involvement in company issues/politics   No                       Yes

While contracting as a project manager has great benefits, it isn’t for everyone. But the same could be said for traditional employment arrangements. Whichever you choose, there is a robust demand for project managers, and it’s great to have options!

Leanne Bateman, MA, PMP, CSM, Six Sigma Green Belt, CIP is the program chair of the Project and Program Management program at Brandeis University Graduate Professional Studies, and the Principal Consultant with Beacon Strategy Group, a Boston-based management firm specializing in project management services. Leanne has 20+ years of project management experience across the areas of health care, biotech/pharmaceuticals, information technology, high-tech manufacturing, human resources, construction, housing/real estate, government, and higher education.


Communication for Effective Leadership

It may go without saying, but communication is a pervasive and critical component of today's workforce. The skillset is especially essential for professionals seeking to excel in a leadership role. Regardless of industry, professional communication is imperative for leading effective meetings, mitigating crises, and navigating negotiations and conflict resolution.

“Communications is a critical part of doing business, especially in today’s environment. News travels fast. A bad customer experience can become a social media sensation before the CEO is even informed of the problem,” said Mary Caraccioli, Chief Communications Officer for The Central Park Conservancy. “On the flip side, you can use the power of social media to engage directly (and more deeply) with customers, employees and other stakeholders. You can use the power of the communications revolution to work for you by making communications part of your business strategy.”

Caraccioli is teaching a master's-level course in Communication for Effective Leadership, a fully online, 10-week class that will help students build on their critical thinking skills and apply oral and written communication strategies to solve organizational problems and drive organizational change. Throughout the course, students will focus on topics such as negotiation and facilitation, crisis communications and public relations, virtual and global communications, and stakeholder management.

By the end of Communication for Effective Leadership, students should be able to:

  • Develop, execute and measure communication plans to manage stakeholders, solve organizational problems and drive organizational change.
  • Adapt communication strategies and use digital technologies to align with organizational, cultural, virtual, and global needs.
  • Build a portfolio of communication campaigns including crisis response, company positioning, and media statements.

This course is available for professional development or as part of several GPS graduate programs, including Technology Management, Information Security Leadership, Digital Marketing and Design, Strategic Analytics, and Project and Program Management.

At GPS, you can take up to two online courses without officially enrolling in one of our 12 online master's degrees. This is a great opportunity to get to know our programs and approach to online learning. If you're interested in exploring one of our graduate programs, or would like to learn more about effective communication for professional development, submit your information or contact the GPS office for more information or to request a syllabus: 781-736-8787 or gps@brandeis.edu.

Faces of GPS: Meet Shannon McCarthy – Associate Director of Admissions and Student Services

If you're thinking about applying to a program at Brandeis GPS, you should have a conversation with Shannon McCarthy.

In her role as Associate Director of Admissions and Student Services, Shannon McCarthy works with applicants to our graduate programs, guiding them through the admissions process. Once they decide to enroll, Shannon helps them transition to working with a student advisor.

Born and raised in Taunton, MA, Shannon has stayed close to her New England roots. She received a degree in Sociology from Providence College before going immediately on to get her master’s in Higher Education Administration from Boston University.

As an undergrad, it was her internship in student affairs at Rhode Island School of Design that solidified her interest in higher education. After getting her master’s, Shannon worked first in admissions and then in academic counseling. She started at Brandeis GPS just over a month ago and enjoys her role because it is a combination of both.

Shannon wants students to know that she and the rest of the GPS team are available for any questions that they have. It can be challenging to come back to school after being in the workforce, all while juggling having a family and other personal and professional commitments. But the Brandeis GPS team is ready to work with you and help you succeed no matter what you have going on outside of school.

Shannon is looking forward to working with students as they apply and following up with them once they've started. She likes getting to see their next steps after they are accepted and continuing to watch them be successful. She is also excited for her first graduation ceremony, to see all the students recognized for what they have achieved.

Outside of the office, Shannon loves spending time with her daughter, who’s almost a year old. She also enjoys taking dance and yoga classes and going hiking.


Project Management Certification or a Master’s Degree: Which Should You Get?

By Leanne Bateman

As the program chair of the Project & Program Management program at Brandeis GPS, one of the most frequent questions I have gotten over my 11 years at Brandeis University is this: Which is more important and valuable, Project Management Certification (Project Management Professional, or PMP) or a Master's Degree in Project Management?

Honestly, the answer depends on what you want to accomplish in your career. The options are: work as a full-time Project Manager for a company, work as a project management consultant, or simply gain project management knowledge and experience in a role that is not a project management position.

If you're primarily interested in working as a project management consultant, which involves either working through an agency on assignment at a company or contracting directly with a company, then the Project Management Institute's PMP certification is the first credential agencies and companies will expect. Coupling the PMP with a Master's Degree in Project Management will add tremendous value and distinguish you from other consultants and contractors. If your interest is to work as a full-time Project Manager for a company, then both credentials will help you get the job, but the Master's degree is far more valuable and says much more about your commitment to your project management career. Similarly, if you're currently a manager or employee interested in learning more about project management and integrating that discipline into your daily work, then once again the Master's degree is the way to go. And your company may be able to contribute to your tuition.

The difference between the two credentials is this: PMP certification is a short-term study of the hard skills and knowledge needed to be a professional project manager, and this knowledge is validated through a 200-question exam that takes about four hours to complete. While there are requirements that must be fulfilled prior to taking the exam, they can be interpreted differently and unless the exam candidate is audited by PMI, the requirements may or may not be equal from candidate to candidate. Also, according to PMI, the number of PMPs has increased by 40,000-80,000 each year since 2009; this increase further dilutes the value of PMP certification.

With a Master’s Degree in Project Management, the value is greater on several levels:

  • First, because of the longer period of study across 10 graduate-level college courses, the breadth and depth of academic and experiential knowledge is more extensive. This knowledge covers not only the hard skills of project management but, more importantly, the soft skills so critical for a successful project manager: leadership, communication, conflict resolution, influence, negotiation, and team building.
  • Also, a Master's degree in Project Management is more distinctive to potential employers, since few project managers hold this credential.
  • Finally, and importantly, a graduate program whose faculty possess real-world experience as professional project managers is invaluable, as they demonstrate how the hard and soft skills apply in actual projects and programs.

If one thing is certain in project management, it is that despite any earned credentials, practical experience is the most valuable credential of all. So, a Master’s Degree in Project Management taught by experienced faculty and demonstrated through practical coursework exercises is the next best thing to actually working as a professional project manager.

Leanne Bateman, MA, PMP, CSM, Six Sigma Green Belt, CIP is the program chair of the Project and Program Management program at Brandeis University Graduate Professional Studies, and the Principal Consultant with Beacon Strategy Group, a Boston-based management firm specializing in project management services. Leanne has 20+ years of project management experience across the areas of health care, biotech/pharmaceuticals, information technology, high-tech manufacturing, human resources, construction, housing/real estate, government, and higher education.


Don’t wait to create social impact – just do it!

By Subhadra Mahanti

The end of the year is a perfect time to reflect upon how one has done in the past year. Personally, I go back a few years looking for a trajectory that evolves towards growth and meaningful impact, whether personal, professional, or social. I feel a life well spent is one that has created a ripple effect of positive change in the lives around it.

During my undergraduate summer internships with Tata Steel and Tata Motors in India, I was introduced to Tata’s legacy of blending business with philanthropy. Though I was already involved in various community activities, that was the first time I witnessed how a business can positively impact communities by bringing together its products, processes and people. Both these internships opened my eyes to corporate citizenry. Tata’s mission of integrating social responsibility with corporate strategy resonated deeply within me.

Not long after, I joined MathWorks. Since then, I have come to truly appreciate MathWorks' commitment to establishing itself as a global corporate citizen through its Social Mission program. I first participated in this program in 2007, when I was fundraising for AID (Association for India's Development) while training for the upcoming Chicago marathon. With the help of individual contributions and the company match, I was able to raise about $7,000 despite being a new employee at the time. I have found myself increasingly involved ever since, whether through a-thon fundraisers, STEM initiatives, end-of-year donations, or disaster relief. I continue to be impressed with the growing outreach of the company's social impact initiatives. My most recent experience was during the Tamil Nadu flood relief efforts, where in a matter of two weeks we collected a total of $40,000 in company match and staff donations worldwide. This is an excellent testament to the organization's culture and behavior.

And when an entire organization gets involved in the betterment of its society, that in my mind is corporate social responsibility at its best. What better way to explore and expand one’s impact than by engaging through such immersive experiences! I feel privileged to have had such an opportunity. At the same time, I recognize that there is still much to learn and so many avenues to discover.

For those of you contemplating starting out on this journey, there is a plethora of resources out there. Some of my favorite reads are Creating a World Without Poverty by Muhammad Yunus (a link to Yunus' interview on Knowledge@Wharton) and The Fortune at the Bottom of the Pyramid by C. K. Prahalad.

Also, McKinsey Quarterly published the following articles on the topic that caught my attention: Valuing Corporate Social Responsibility and Making the Most of Corporate Social Responsibility. Another site that I follow is Social Edge: it has posts and comprehensive discussions about personal experiences with for-profit, non-profit, and hybrid models, covering both the challenges and the advantages.

Foundations like Schwab and Skoll probably pioneered the concept of social enterprise, but the world has caught up fast. Organizations like Ashoka and conferences like Net Impact bring together social entrepreneurs from around the globe and promote access to social financing and social venture capital firms. Now even top business schools have dedicated programs and tracks on social impact and entrepreneurship. After all, social responsibility is not a choice anymore: it is a necessity for survival in today's competitive landscape.

Read the article as originally published here.

Subhadra Mahanti is a member of the Brandeis GPS Software Engineering advisory board.


Technology Transformation for 2019

By Matthew Rosenquist

Digital technology continues to connect and enrich the lives of people all over the globe and is transforming the tools of everyday life, but there are risks accompanying the tremendous benefits. Entire markets are committed to and reliant on digital tools. Entertainment, communications, socialization, and many other sectors are heavily intertwined with digital services and devices that society is readily consuming and embracing. More importantly, the traditional one-way downstream model for information has become a bi-directional channel, as individuals now represent a vast source of data, both in content and in telemetry. These and many other factors align to accelerate our adoption and mold our expectations of how technology can make a better world.

This year's Activate Tech & Media Outlook 2019 presentation provides tremendous depth of insight in its slide deck (153 slides), with a great amount of supporting data. It highlights many of the growth sectors and emerging use-cases that will have profound impacts on our daily lives.

Transforming Tech Intelligence

We are moving from the first epoch of digitally connecting people to the second epoch of making intelligent decisions through technology. Artificial Intelligence research is advancing, and with it the infrastructure necessary to make it scalable across a multitude of applications. Solutions are just beginning to emerge, yet they are already showing great promise in making sense of, and use of, the massive amounts of data being generated.

Overall, devices and services continue to evolve with more awareness and functionality. We are in the ramp of adding "smart" to everything. Smart cars, cities, homes, currency, cameras, social media, advertising, online commerce, manufacturing, logistics, education, entertainment, government, weapons, and so on. It will be the buzzword for 2019-2020.

Such transformation opens the door where tools can begin to anticipate and interweave with how people want to be helped. Better interaction, more services, and tailored use-cases will all fuel a richer experience and foster a deeper embrace into our lives. Technology will be indispensable.

Risks and Opportunities

Reliance on technology in our everyday activities means we have the luxury of forgetting how to accomplish menial tasks. Who needs to remember phone numbers, read a map, operate a car, or know how to use a complex remote control? Soon, our technology will listen, guide, watch, autonomously operate, and anticipate our needs. Life will seem easier, but there will be exceptions.

All these smart use-cases will require massive data collection, aggregation, and processing, which will drive a new computing infrastructure market. Such reliance, intimate knowledge of users, and automation will also create new risks.

The more we value and rely on something, the more it costs us when it fails. We must never forget that technology is just a tool. It can be used for good or for malice. There will be threats, drawn to such value and opportunity, that will exploit our dependence and misuse these tools for their gain and to our detriment. At the point where people are helpless without their intelligent devices, they become easy victims for attackers. As we have seen with data breaches over the past several years, when people are victimized, their outlook changes.

In this journey of innovation and usage, public sentiment is also changing across many different domains. The desire for security, privacy, and safety (the hallmarks of cybersecurity) continues to increase, but may initially be in direct conflict with our desire to rapidly embrace new innovations. This creates tension. We all want new tech toys (it is okay to admit it)! Innovation can drive prosperity and more enjoyment in our lives. But there are trade-offs. Having a device listen to, record, and analyze every word you say in your bedroom may be convenient for turning on the lights when you ask, but it may also inadvertently share all the personal activities going on there without your knowledge. A smart car effortlessly transporting you to work while you nap or surf the internet sounds downright dreamy, but what if that same car is taken over by a malicious attacker who wants to play out their Dukes of Hazzard fantasies? Not so much fun to think about.

In the end, we all want to embrace the wonderful benefits of new technology, but will demand the right levels of security, privacy, and safety.

Trust in Technology

Unfortunately, trust in digital technology is only now becoming truly important. In the past, if our primary computing device (PC or phone) crashed, we muttered a small curse, rebooted, and went on our way. We might have had a dropped call or lost part of a work document, but not much more harm than that. That is all changing.

In the future, we will rely heavily on technology for transportation, healthcare, and critical infrastructure services. The autonomous car we expect not to crash, the implanted pacemaker or defibrillator we expect to keep us alive, or the clean water and electricity we expect to flow unhindered to our homes may be at risk of failure, causing unacceptable impacts. We want tech, but very soon people will realize they also need security, privacy, and safety to go along with it.

But how will that work? We don't typically think of trust at high granularity; we naturally generalize such abstract judgments. We don't contemplate how trustworthy a tire, bumper, or airbag is, as those are too piecemeal; rather, we trust the manufacturer of the car to do what is right for all the components that make up the vehicle we purchase. We want the final product, tied to a brand, to be trustworthy. For the companies we trust, we tend to believe, whether correctly or not, in all their products and services. This reinforces tremendous loyalty. The reverse is true as well: one misstep can become a reputational blight affecting sentiment across all of a company's offerings.

The saying "We earn trust in drips and lose it in buckets" perfectly exemplifies the necessary level of commitment.

Trust may become the new differentiator for companies that can deliver secure and safe products in a timely fashion. Those who are not trustworthy may quickly fall out of favor with consumers. Privacy is the first of many problems. Consumers, government regulators, and businesses are struggling to find the balance that must be struck between gathering the data necessary for better experiences and not gathering so much that it becomes a detriment to the user. A difficult conundrum to overcome. Security and safety aspects will follow, where the potential risks grow even higher. The challenges are great, but so will be the rewards for all those who succeed. I believe the companies that master these disciplines will earn long-term loyalty from their customers and enjoy a premium for their products.

2019 might be the first year in which we witness this delineation, as consumers gravitate toward more responsible companies and begin to shun those who have misplaced their trust. The big story for next year may in fact be how purchasing decisions for technology are changing, thus driving greater commitment to making products and services more secure, private, and safe.

Interested in more insights, rants, industry news and experiences? Follow me on Steemit and LinkedIn for insights and what is going on in cybersecurity.

Read the article as originally published here.

Matthew Rosenquist is a member of the Brandeis GPS Information Security Leadership advisory board. He is a Cybersecurity Strategist for Intel Corp. and draws on 28 years in the field of security. He specializes in strategy, measuring value, and developing cost-effective capabilities and organizations that deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry-leading organization bringing together security across hardware, firmware, software, and services. An outspoken advocate of cybersecurity, he strives to advance the industry, and his guidance can be heard at conferences and found in whitepapers, articles, and blogs.

Faces of GPS is an occasional series that profiles Brandeis University Graduate Professional Studies students, faculty and staff. Find more Faces of GPS stories here.

When the Wrong Person Leads Cybersecurity

By Matthew Rosenquist

Succeeding at managing cybersecurity risks is tremendously difficult even for seasoned professionals. To make situations worse, poorly suited people are often chosen to lead security organizations, bringing about disastrous results. This has contributed to weaker risk postures for organizations and the rapid turnover in cybersecurity leadership.

I am unhappy to report that the industry has a pervasive problem that few want to discuss: a propensity to enlist inexperienced or unsuitable professionals to lead cybersecurity. It is time to change that caustic and enabling behavior by first recognizing the problem.

As an example, there was recent criticism in the news of someone appointed to lead the cybersecurity effort for the 2020 Olympics who had never used a computer. How can someone who has never used a computer, and has difficulty answering basic questions about USB drives, be tasked with building a cybersecurity program to protect the digital security, privacy, and safety of hundreds of thousands of people?

Downward Spirals

Sadly, I have seen similar situations play out over and over again across the academic, business, and government sectors. Far too often, poorly suited people are appointed to such roles, and it simply does not make sense. Let's be clear: most are truly knowledgeable and accomplished in their primary field, but security is a significantly different domain. Engineering and product management executives focus mostly on static problems where there is a solution and a desired end-state. In cybersecurity, we face a highly dynamic set of threat agents: people who are creative, intelligent, motivated, and adaptive, who will adjust to any solution. There is no permanent fix for cybersecurity, as it is an ongoing competition between defenders and attackers to manage risk.

Human nature, overconfidence, and a lack of understanding of the challenges begin to shape a counterproductive mindset. It is common for a professional from a different discipline, transplanted and put in charge of cybersecurity, to believe their prior expertise is equally applicable to the new challenges. Somehow, magically, they think they are as proficient and insightful in an adjacent domain as in their previous profession. To those experienced in adversarial challenges who have seen this unfold, it is an affront to common sense. It is no surprise that such dangerous situations most often result in momentous failure.

For years, the turnover rate in cybersecurity leadership positions across the industry has been very high, with most Chief Information Security Officers (CISOs) lasting only 2 to 4 years. When surveyed, CISOs cite a lack of executive management support or insufficient budgets as the pervasive motivators. But that is only one side of the story, as many CISOs have been let go.

I have always been curious what C-suites and boards had to say. When I ask company leaders about a change in cybersecurity leadership, I often hear that the outgoing CISO was ineffective, could not communicate risks well, and demanded significant budget increases every year, yet the organization did not see a commensurate benefit. Events culminated when a severe incident occurred, and then the C-suite or board chose to find a new security leader.

With the shortage of CISOs in the industry, those displaced quickly find another company and continue their 'training'. This musical-chairs routine does not serve the company or the overall industry's needs very well; it simply transplants problems from one organization to another.

Masters of All

This mistake occurs regularly with technical personnel, probably because cybersecurity is generally characterized as a technology problem by the unacquainted. An accomplished engineer or architect is put in charge of security, and now, with 'cybersecurity' in front of their title, they truly believe they are a risk expert. They are not. Being savvy in technology vulnerabilities and exploits is far different from understanding the massive breadth involved in managing risk. Most are unwilling to admit their shortsightedness about the breadth and depth of the challenges, and their arrogance simply becomes a hindrance to seeking the help needed to be successful.

Ego can be such a major hindrance when the fear of being perceived as not understanding a problem or not knowing an answer limits your actions. It is typical for a person in such a quandary to retreat to familiar areas they know, resulting in defining the problem and solution only in terms of technology. This ignores the behavioral, adversarial, and process aspects that are crucial to managing risk. With blinders on, they continue to push forward regardless, and thus the car wreck begins.

Cybersecurity is more than just a ‘tech’ problem and will never be ‘solved’ with technology alone (two pervasive misconceptions from engineers first joining cybersecurity). They are likely doomed. I have seen this happen countless times and can spot it a mile away. It is like an automobile accident happening in slow motion with an overconfident driver continuing to push forward as metal bends and glass shatters.

[Figure: Cybersecurity Domains]

Part of the issue is that people who are experts in one field assume they understand the entire problem set in another adjacent but ambiguous field. It is not until they are in the new role that they experience the unforeseen challenges of a different world.

Imagine a hospital. Would you promote the engineer who developed a defibrillation tool to be an emergency room doctor? No. Although tools and technology play a crucial role in medicine, it is not the same as predicting, preventing, detecting, and responding to health risks for patients across their lifespan. The same applies in cybersecurity. Technology is the battlefield, not the war. Understanding the terrain is important, but must be combined with a keen assessment of your opponents, and the ability to operationally maneuver in advantageous ways.

This is true in other fields as well. Aeronautical engineers aren't promoted to fighter pilots, and textbook publishers aren't necessarily good grade school principals, so why do organizations make the mistake of taking a software engineer or business-line product manager and expecting them to be successful in leading cybersecurity?

Two Scenarios: Vastly Different Chances for Success

Now, I did say this is a recipe for failure most of the time. There are some, very rare situations, where an insightful but inexperienced person takes a cybersecurity leadership role and succeeds. It is possible. I have only seen it a handful of times and in every case that person was realistic about their knowledge and checked their ego at the door.

Guaranteed Failure:

An engineer, project manager, or business executive is put in charge of cybersecurity. They are confused or intimidated by the security practitioners in their organization and respond by immediately surrounding themselves with like-minded people who are similarly inexperienced in security. They add other engineers, marketing, and legal people to their core echelon, inadvertently creating a self-reinforcing, ineffective group-think team. Congratulations: an inexperienced leader has just encircled themselves with a cushion of people who don't have the knowledge to challenge poor directives or independently deliver sustainable success. If you wonder what conversations with them are like, take a look at the Dilbert cartoon, specifically the 'manager' character. That is pretty close. Funny from afar, but frustrating up close.

Ineffectual organizations tend to grow fast, spend a lot of money, make hollow promises, and tell a story of difficult times that are turning around, but have no real strategic plan, prioritized goals, or clearly defined scope with organizational roles and responsibilities. They seek non-existent cure-all solutions, and their long-term stratagem is to hope nothing bad happens while they battle daily issues. Even worse, the proficient security personnel that may have been part of the team will likely leave such a caustic environment for a better employer. It breaks my heart when I see capable people who want to make a difference driven away. When quality employees begin jumping ship en masse, it is a sure warning sign.

The easiest way to detect this situation early on is to look at their metrics, or lack thereof. If a security organization operates without the benefit of tangible metrics, it is a likely sign that they have not defined, or are not tracking against, goals, roles, and objectives, and probably aren't measuring or tracking risk. What they are doing is responding to issues, self-marketing, rapidly growing the team, consuming significant resources, slowing down the business, and looking for people to blame when their ineffectiveness becomes apparent. These orgs don't last. They implode. People quickly leave, and executive oversight will soon look past the whitewash to cut budgets and headcount, and eventually replace the leaders.

Potential for Success:

An engineer, project manager, or business executive is put in charge of cybersecurity. They understand they are not a security expert, so they assemble a team that has experience and talent in protecting digital assets, understands threats, can articulate risks, and is intimate with the technology in use. They build an organizational structure comprised of operations, engineering, and risk intelligence teams. Then they listen and learn. Great leaders bring in the best people and let them excel. They quickly get clarification on the business goals and expectations from executives and customers. They then identify prioritized objectives, define a scope, derive the supporting measurable goals, identify areas in need of immediate attention, and establish the measures and metrics necessary to track progress.

Governance issues are addressed, and a strategic process capability is embedded to constantly improve the organization's risk management ability to predict, prevent, detect, and respond to threats. They establish the tactical plans necessary for immediate survival and day-to-day management, but also define a long-term directional strategy that takes into account the ever-evolving threat landscape, technology changes, and shifting expectations for security, privacy, and safety.

Proficient security workers thrive in such organizations and rarely leave. With a strong plan and capable team in place, leaders can effectively communicate and advocate across the organization. If all of these elements land in place, with the proper support, even an inexperienced security leader can have a chance at success.

Unfortunately, it rarely happens.

Failure is Expensive

Cybersecurity is difficult. It becomes exponentially more problematic when someone who lacks the necessary mentality or skills comes in and makes it profoundly worse. Cleaning up an ineffective legacy security program is painful, expensive, and time consuming. Simultaneously, a poor risk posture opens the door to more attacks and greater impacts until a capable security program is instituted.

We must understand that cybersecurity, like many other highly specialized roles, requires a depth of insight and experience to lead. I will echo Sun Tzu’s “…do what is great while it is small” and recommend putting a good leader in place the first time to build an effective and sustainable cybersecurity organization.

Let’s all break the silence and openly discuss the cycle of poor cybersecurity leadership, for everyone’s benefit.

For more insights on the challenges and required strategic deliverables, read my post Cybersecurity Fails Without Strategy.


Read the article as originally published here.


Governance and the case for bringing cybersecurity out of IT

By Joseph Dalessandro

October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.

Information security governance is perhaps the most challenging aspect of cybersecurity.

Governance, while not a four-letter word, is often discussed with the same grumble one uses when speaking about the dentist or aged fish. The basics of governance revolve around the premise that simple accountability and transparency deter calamity. One cannot predict and avoid all disasters (think volcano here), but at the same time, one cannot grade one's own homework.

It works well until there is a real test and someone else has the red pen. I think it was the queen of corporate governance, Nell Minow, who said, “watched boards change.” I agree, and would say this observation can be applied all the way down the corporate chain into an organization: those that change are the ones who are watched as objectively as possible.

So what does this have to do with cybersecurity, and why is governance hard in the cybersecurity space? There are a number of reasons for this perception. First, boards have been bamboozled by jargon and by an IT executive tier that has been unclear and unsure of what and how to report on security. (For those of you on boards, when was the last time you had a security executive discuss the direct link between spend and the measured reduction of risk?) Indeed, in a Bay Dynamics/Osterman Research survey, "the majority (85%) of board members believe that IT and security executives need to improve the way they report to the board."

While I am not a fan of standards for standards’ sake, the ISO/IEC 38500:2008 Corporate governance of information technology has the following useful definitions:

  • Corporate governance: The system by which organizations are directed and controlled.
  • Corporate governance of IT: The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.
  • Management: The system of controls and processes required to achieve the strategic objectives set by the organization’s governing body. Management is subject to the policy guidance and monitoring set through corporate governance.

Security leaders should tack these definitions to their wall.

When it comes to how security leaders can set the right direction for the board and make sure the board has the right information for strategic oversight, I think it is a "two-way street." Boards need to come to the security business and ask questions, and security leaders need to come to the board with improved reporting. One improvement would be an approach that keeps the security report separate and distinct from that of technology. For organizations where information security, or cybersecurity, does not report to IT: bravo! You have taken a step toward greater transparency. The inherent mission of IT is accessibility and availability; the inherent mission of security is possession (control), protection, and integrity. These missions are often in conflict, and managing them under the same leader (often a technology leader) could result in a Head of Security who has no chance to challenge or push back against the IT executive who writes their performance assessment and controls their compensation.

We can better coordinate, manage, and govern our complete security capabilities by bringing cybersecurity out of IT and taking a more holistic approach that incorporates physical and facility security, fraud and loss mitigation, and the other components of converging security capabilities, data collection, management, and ultimately governance.

An organization’s board and business management must be in alignment where spend and the use of emerging technology are converging for the business. Security leaders should consider the following approach to champion governance:

  1. Above all, be transparent and accountable. Don't tell the board what they want to hear or what you think they want to hear (they know when they are being managed). Represent the security program objectively. Characterize how security investments support the delivery of value for the business and support organizational objectives.
  2. Do the hard work to consistently measure, monitor, and report on security risk, and to provide the analysis linking security investments to the execution that mitigates or manages risk and reduces or limits potential impact.
  3. Share the performance and achievements of security resources. They drive the execution of the program and are where the rubber meets the road. Just like in any other business function, people are what drive success for a security program.
  4. Demonstrate how cybersecurity is aligned with and supports the strategic planning and objectives of the business and the expected business outcomes. The IT mantra of constant access and availability will often conflict with cybersecurity's mission of possession, protection, and integrity, but the two do not have to be contentious. IT needs a peer who can hold it accountable if needed, not a lackey who does what they are told.

Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.

Brandeis GPS offers a Master’s of Science in Information Security Leadership. The part-time, fully online program prepares graduates for leadership roles in information security with a cutting-edge, industry relevant curriculum that builds leadership savvy and skill in leveraging technical know-how. For more information, contact gps@brandeis.edu, call 781-736-8787 or visit www.brandeis.edu/gps.
