Building a Student-Run SOC to Meet Threats Head-On
Episode 38 • 10th December 2020 • The New CISO • Steve Moore

Shownotes

On today’s episode, Aaron Baillio, the CISO of the University of Oklahoma, joins us to speak about his transition from the Department of Defense to higher education, how he managed merging teams, and how incorporating students into his SOC has benefitted everyone. 

 

The Switch from DOD to Education 

Before Aaron worked for the University of Oklahoma, he worked for the Department of Defense for 11 years. He reflects on how the DOD is primarily concerned about keeping secrets, whereas the higher education space is ultimately about giving away all the secrets. He loves how open the community is to exchanging ideas. Listen to the episode to hear more on what he learned in his transition.

 

Education vs. Commercial 

Aaron also discusses the intrinsic values in education: how everything you do is meant to support the student and to help educate and prepare them for life. The DOD, however, is all geared towards supporting the soldier. He finds it very satisfying to be among young people. 

 

It’s also important to note that the salary in the education sector is about 12-13% less than in the commercial sector. However, because it can’t compete on salary, the education sector offers free tuition for dependents, like children, and provides a better work-life balance. 

 

Aaron also speaks on the different security perspectives between the Department of Defense and education. Listen to the episode to hear how one field offers very ad hoc or tribal knowledge, whereas the other provides methodical training.

 

Changes in the Job

When Aaron first began, there was already a CISO, and then 9 months later, the CISO left. He had to learn how to adjust while still adjusting to the job. Then, 4 years later, the CISO left again, but during a time of immense change for the university. Aaron rose to the occasion and moved into the role. His advice during times of change in your institution is to perform at least at the same level, if not better, than before the change. He reiterates that you cannot slack.

 

He learned that he had to let go of some of the technical information and focus more on the management side of the job, as well as learn the multiple layers of politics. 

 

Taking on the Leadership Role 

Fortunately, Aaron felt like he was supported by the university during his transition to a new role. He gives advice on what to do if your institution doesn’t support you. He encourages the listeners to get involved with charitable organizations or read books and listen to podcasts on leadership. However, when you’re practicing leadership, you will learn more, so it’s best to join organizations. 

 

Centralization at OU 

Campuses were so disorganized and disconnected 

But then a years ago, they acquired a new president, who wanted to centralize and consolidate the campuses 

 

Each campus had its own IT department and budget, so he had to oversee how to integrate this with grace and rationality 

 

The biggest hurdle was standardizing the technology 

While the faculty are state employees working towards tenure, they also act like contractors because they receive grant money and don’t want to conform to a standard way of doing things 

Managing people’s feelings was the greatest difficulty 

The people who didn’t want this amount of change left the organization 

Student Incorporation

Aaron tells the story of a student coming to him and asking to learn cybersecurity. This sparked him to begin teaching a class on the 10 domains. Listen to the episode to hear his story. 

 

He also discusses how the industry wants people to have experience to get any job in cybersecurity, but they can’t get experience without a job. It became clear to Aaron that graduates out of OU were struggling to get jobs because they didn’t and couldn’t have experience at 22 years old—this especially depends on where you live as well. 

 

He speaks on how he thinks the industry got to this point and how every year, hundreds of thousands of cyber positions go unfilled, and not because of lack of talent. He urges CISOs to create more programs and opportunities that feed into the industry.

 

Aaron started hiring students and incorporating them more in their cybersecurity team to give them that experience. He built a SOC with a student slant two or three years ago, and since then, it’s only been a great experience of refining raw talent and helping place students into jobs after the program. Everyone benefits from this setup: the team gets more help and students get experience and exposure. Aaron believes that many students have the passion, energy, and fire to do well but they need a firm or mentor to help them channel their energy into a productive source. He encourages CISOs to expose the younger generations to the possibilities of this field.

Listen to the episode to hear more on how Aaron accomplished setting up a successful program, how he runs it, and how everyone benefits. 

 

Internship Expectations 

Aaron discusses how other industries have interns and expect graduates to have internships. They set up programs to help them with garnering experience during college. However, in the technology sector, we don’t have that expectation, and we also don’t set it up for them. Aaron continues his talk on how to set up feeder programs. If your IT department doesn’t have the budget, he offers how else you can expose the younger generations to cybersecurity via free activities, through donations, and through national chapters. 

 

New CISO to Aaron 

Reflecting on what the new CISO means to Aaron, he gives three pieces of advice. He believes that every individual must find their unique leadership style and be true to their personality. He also reiterates that it’s important to learn how to adapt, especially letting go of being in the technology and instead focusing on providing guidance. Lastly, he encourages the listener to layer some confidence on top of all of that.

Links: 

New CISO Podcast

Aaron Baillio - LinkedIn

The University of Oklahoma
