Contributing to the Cybersecurity Community

Scott Morris, Vice President, Chief Information Security Officer at BlueCross BlueShield Western New York sits down to talk to Steve Moore about how to be active on cybersecurity communities. They  talk about how to encourage young security professionals to find their voice, and the importance of sharing information as a means of strengthening the industry as a whole.

What Advice Would You Have for Your Younger Self?

I'm not one to really hold regrets or look back at the past, but I would say I've always pursued the uncomfortable things. I always try to find things to solve or problems I could help with, which is how I got around in the day. So always challenge yourself and make sure that you always make the right choices. I would tell my younger self to continue pushing.

What Was Your Actual Start in InfoSec?

My starting point was in information technology, more importantly in web development. I used to be a web developer by trade & quickly came to understand the risks involved in that. I continued to grow in my information security knowledge & experience, and for a while I was an expert in my former organization. And then I grew from there with a keen desire to know as much as I can and to help as much as I can in information security.

Through observation & conversation, Steve Moore has come to realize that some of the best people in InfoSec didn't actually start off in it. You kind of have to learn to build and create things and ultimately break them before you can know how to defend and protect them. And this is a great foundation

As I look back on my career, I recently realized that even from the early days and in previous organizations, I've never actually applied for a position; I've always somewhat in a way created the position. And I did that by finding areas or things that needed to be solved or fixed and made better.

In my current organization for example, we had an issue where we were having problems passing or being consistently good in our external audits. I took that on and turned it around, and through that exposure in a very diverse organization, I was able to start piecing together some of the things we needed to get where we are today and build the successful security program we have in place.

Any Tips for Someone Getting Ready to Do What You've Done?

The answer is something I tell all of my team members today. For the most part, what we do is not something we're responsible for and we can successfully build respect and great relationships. You need to understand your controllers and the people responsible for these processes and functions and build a relationship with them to help move things forward.

How Did You Get Involved in Security Communities?

At my previous role, I worked for a large consulting company and I had a very large community. But I realized that I needed to have more exposure outside of that. So I started turning to people and organizations locally around here. But there weren’t security communities back then; there were more technology communities. So getting involved with technology organizations was my entry point. I was hooked immediately and continued to grow & expand to where I am today.

What Do You Think is the Responsibility of Security Leaders?

As a leader, I think it's really important to set an example. I try to do the best I can by participating in these communities in various ways by not only attending it but by being a part of it, being an action and a voice within these communities, and by bringing my teams along and the people that are in this space. As leaders we have a responsibility to continue driving that. In Buffalo we are a pretty small community and we leverage those conduits and forms to continue to grow and vet out what we're doing. So lead by example, participate and the teams will come along.

What Benefits/Changes Have You Seen in the Junior Staff in the Buffalo Area?

In Blue Cross Blue Shield, we are fortunate to have a robust and talented security department, and not a lot of people especially in Buffalo or other small organizations have that. So we push out there and continue with what we're doing. And this helps a lot of people get past those first few layers with decisions and choices if they can hear from a trusted source. And frankly those conversations help us as well as we continue to share our experiences with the community not only in Buffalo but across the nation.

We try to present topics that we feel others can learn from and we get great feedback by sharing the experiences we've had, and especially the lessons learned.

What Do You Share?

Two of our primary outlets for that is first ,within the Blue Cross Blue Shield community where we have more than 30 organizations, and we tend to share things within that trusted community quite often. We're also a huge proponent and a member of Hysek, and that's been a tremendous value for information sharing across healthcare organizations and other places as well.

In my team, we encourage participation and often times the exact conversation we’ve had is centered around ‘what value can I add?’, ‘why would someone listen to me?’ And through that we hope people can realize how important their message is because there's always an audience for that. So for a young leader, professional, or analyst trying to get involved, I would advise him to not undermine or underestimate himself and the power of his voice and message. And instead get involved with the people of that community. Organizations and groups are always looking for topics and people want to listen and are genuine about it. And they'll give you the feedback you need to help you grow.

Getting comfortable presenting in front of an audience is important for a leader, so for anyone listening that should be your goal. It makes you a better leader in the long run. It takes practice and one resource people should take advantage of is Toastmasters. It's a wonderful opportunity and gives you an established and well trusted forum to horn your skills at public speaking. Most of my team members go through it.

What Did You Learn at Toastmasters that Helped You the Most?

The first time I did Toastmasters, I got really confident about what I was talking about. They give you very candid feedback at the end, and I think I broke a record for how many 'umhs' I said, although I thought I said 3 or 4. But it was eye opening and gave me something to move forward with. The best feedback I got from them that helped me grow was to just own what you are saying, knowing that you know the most about what you're talking about. And be confident at what you're doing. That's going to make a world of difference from how your presentation comes off.

What has Changed in Security Communities Over the Years?

Back when I started, there was little to know on cybersecurity community. But now you can't move around the corner without finding some kind of group that's wanting to talk about it.

I recently had a conversation with a number of CISOs last week, and we're finding that these communities or groups are actually struggling because everyone is so busy trying to protect their organizations and move forward. So I'm starting to see a little bit of downward trend in these things. People don't seem to have the bandwidth to keep these things going. And so we need more people who are passionate about keeping the organizations going, keeping the topic going, and moving those things forward to make sure we continue to have this amazing opportunity to participate and share information.

What’s the One Thing You Could Eliminate from Security Communities?

I won't say there's one overarching thing I would want to remove because the communities don’t have the same problems. But I think we need to make sure that the level of entitlement is kind of tapered, because some of these communities get far ahead of themselves or become too exclusive. And these can start to create negative connotations to what we're trying to do. So keeping it open, ethical, and moving everything forward in the best interests of the people who are part of these communities is the important thing to keeping mind.

In every community, take the best you can from it and continue to build on that and everything will come around.

How Do You Choose Which Security Community to Be Involved In?

I think it's about setting the proper expectations for yourself and in some cases the people in that community. Also make sure the community is not there just for the party or the vendor sponsor, but to learn. Once you attend one, I think you can pretty well determine if it's just a party so to speak, or if it's really there for an opportunity. It's all about what you make out of it.

As a leader at some point you have to give up those spots & invite someone else, and as you grow you'll get more invites and be more well-known and influential. In every community, take the best you can from it and continue to build on that and everything will come around.

In my case I'm lucky because I have a great team that wants to be involved and it’s not me pulling them along. They're very eager & outgoing in that nature of getting involved and we all share that mission together.

Is There a Measured Outcome?

One of our metrics is our participation in events in the community across the department. We track how often we do that and report to our board of directors. We have a very supportive leadership helping the community in any capacity, whether in cybersecurity or someone who could be affected by it.

We also use the information, the conversations and networks that we build to help enhance our cyber strategy as we go forward. We use our cyber experience to help the broader community - employees, our members, providers, and brokers. We do what we can to get out and socialize and help them understand and benefit from the information we have to help protect themselves. This is something our organization feels strongly about. 

Resources:

Exabeam - Website

Steve Moore - LinkedIn

Scott Morris  - LinkedIn

BlueCross BlueShield - Website