Finding and keeping cybertalent is a top global concern for public- and private-sector organizations.
At the same time, security professionals understand the need to network, learn from case studies and gain a deeper level of professional interaction with cybersecurity experts and experienced leaders from a similar context or industry.
But in government, attracting, developing and enhancing the career effectiveness of security pros has become a crisis-level challenge.
So what is being done to help? How can new security leaders enhance their careers and learn from others who have gone before them? What alternatives are available to assist local and state government security professionals who may not have the same financial resources as their private-sector counterparts? How can experienced CISOs and other leaders give back to the community and leave a positive legacy — while expanding their own horizons at the same time?
Short answer: Mentoring.
More specifically: Find a mentor.
Or be a mentor.
One excellent mentoring program has been running for almost six years in state and local governments nationwide. Here's why it has been so successful and is a national best-practice, with personal stories to show the career and organizational benefits.
Background on the Multi-State Information Sharing and Analysis Center (MS-ISAC) Mentoring Program
I have written many articles on the development and benefits of active participating in your industry’s information sharing and analysis center (ISAC). You can learn more about industry ISACs here and specifically the MS-ISAC here and here and here.
The MS-ISAC Mentoring program began in 2012, and this article describes the early launch of the mentoring program, which is still free to participants. Note: Membership in the MS-ISAC is also free for government organizations.
I spoke with Mike Aliperti, a friend and longtime leader at the MS-ISAC, about the current mentoring program. Mike is the Multi-State Information Sharing and Analysis Center (MS-ISAC) VP of Stakeholder Engagement for the Center for Internet Security (CIS). CIS is a nonprofit organization whose mission is to provide cyberthreat prevention, protection, response and recovery for the nation's state, local, territorial and tribal (SLTT) governments as well as private-sector communities.
Michael Aliperti, MS-ISAC VP of Stakeholder Engagement
Mike has been with CIS for over seven years and is responsible for oversight of all of the MS-ISAC Members. Mike provides leadership in developing programs, organizational and financial strategies to deliver services to MS-ISAC members. Mike is working to build on and enhance the great relationships between federal, state and local governments and private industry by sharing information and collaborating where possible.
Here’s that interview.
Dan Lohrmann (DL): Can you briefly describe the MS-ISAC mentoring program in 2018? What does it entail?
Mike Aliperti (MA): The goal for the MS-ISAC Mentoring Program is to provide an opportunity for security leaders in management positions (chief information security officers and chief security officers) to network and learn from the experience of current security leaders. These professional partnerships, through regular communication, were to foster a trusted mentor/mentee relationships. The opportunity provides the mentee with a valued partner for problem-solving, career guidance, and insight into shared experiences and solutions.
The process is informal beside the quarterly calls with the full group, each pairing decides what goals are set for their relationship and how often they communicate. We encourage each to attend the MS-ISAC annual meeting so that they can meet F2F.
DL: Tell us your view on the benefits provided by the MS-ISAC Mentoring Program.
MA: We have learned that both the mentee and mentor gain from the relationship.
Having someone as an adviser and someone to talk to about specific security issues and questions. Sharing successes and things not so successful and being able to learn from these. Help with educational opportunities for mentee. Knowledge of contributing to overall security programs of participants. Enjoyed getting to know an individual person with similar job responsibilities and sharing knowledge with them. Given the opportunity to share knowledge with someone who was new in the information security role. Provided a venue to establish peer-to-peer contacts. Learning more about other cyber security programs and how problems were addressed DL: How many people are involved and how does it help your members improve in their roles?
MA: The number of participants has grown over the years, as you know we start with eight pairings and currently (for the 2018 cycle) there are 29 pairings with a possible additional six more. The biggest benefit, I believe, is that mentees see that there is (meaningful) help available. A number of mentees have become mentors. The more involved in the program they become, the more they understand what the MS-ISAC offers to them. A large number of mentors participate year after year in the program.
DL: How has the mentoring program evolved over the past five years since inception?
MA: We always have issues with some mentees looking for more technical support from their mentor, when the program is a security leadership mentoring program.
We created a process to “rematch” if the pairing is not good. Created a Mentoring Program Guideline to assist the pairing in creating and maintaining a mentoring relationship as well as setting goals. Establish matching criteria. Match local person with local person. Match to similar types of experiences. Consider time zones when matching. Face-to-face introductions at annual meeting. DL: Why do you think this program is growing?
MA: The MS-ISAC membership has grown from 200 members to over 1,950. The participants are spreading the word and encouraging others to join the program. Also, with the large turnover in chief information security officers and chief security officers, there is a very small number of state CISO that are the same from six years ago. Dan, the number of state CISOs from when you were one, I can count on one hand.
Interviews with MS-ISAC Mentors in State and Local Governments
Dan Lohrmann (DL): Elayne, you helped launch the mentoring program back in 2012, what benefits have you seen from being actively involved as a mentor?
Elayne Starkey (ES): The most important thing I’ve learned is that mentorship is a two-way street. I’m there to listen and to offer advice. What I get in return is a different perspective and insight into my mentee’s world. This allows our relationship to grow into something meaningful for both of us.
DL: Any drawbacks?
ES: ABSOLUTELY NONE!
DL: How much time does it take?
ES: On average one to two hours per month.
DL: Would you recommend that everyone either be a mentor, or a mentee, or both? Why?
ES: It is great when people “graduate” from being a mentee and then want to give back and become a mentor. I love when that happens, and the MS-ISAC mentoring program is filled with mentors who first started as a mentee.
DL: Anything else you want to add?
ES: Early in my career I worked at Xerox and decided to give mentoring a try, and I’ve been hooked ever since. It’s incredibly rewarding to give back, but honestly I get back as much as I give. Bravo to you, Dan, for having the vision and the drive to birth the MS-ISAC mentoring program many years ago! And hats off to the MS-ISAC for providing the staff and energy to grow this incredibly important program.
Dan Lohrmann (DL): Jay, you started as a new CISO and a mentee in 2012 and have moved on to be a leader in this mentoring program and a regular mentor for others. What did you learn as a mentee?
Jay White (JW): Not too long after becoming the CISO and facing my first set of challenges, I remember wishing for the option to “Phone-a-Friend” just as contestants did on the game show Who Wants to Be a Millionaire. Lucky for me, the MS-ISAC had just developed a Mentoring Program that gave me an opportunity to connect with an experienced peer in IT security. I realized after talking with the mentor that the questions and issues that were concerning me were not just unique to my situation. I learned that IT security professionals face many of the same types of problems, and having the opportunity to talk to someone about how they were able to navigate through those challenges proved to be a valuable experience. In addition to being in a position to avoid potential pitfalls that were sure to come my way, the mentor/mentee relationship helped to reassure me that I was on the right track.
DL: What makes a good mentor? What doesn’t work?
JW: I believe the essential quality of a good mentor is the willingness to dedicate the time to share their knowledge and expertise. While being a mentor may not be a fit for everybody, an individual willing to share their experiences with others has an excellent opportunity of enriching someone’s life professionally, personally, or both. Understandably, there are additional qualities that would improve one’s ability to be a successful mentor such as a positive attitude, enthusiasm, experience, excellent communication skills, and the ability to listen.
I don’t believe developing and sticking to a strict format lends itself to the most fruitful mentor/mentee relationship. While I am not a fan of the formal process, it is imperative that both the mentor and mentee are always prepared and establish minimum guidelines for ensuring that both participants get the most out of the relationship.
DL: What have you learned as a mentor? Has helping others helped you?
JW: The willingness to not only discuss successes but also disappointments can provide a great learning experience for both the mentee and mentor. I would guess that many people don’t spend the time they should reflecting on the outcomes of choices they have made during their professional career — I know that I don’t. During conversations with a mentor or mentee, someone is often talking about past experiences. Hearing the choices that others have made during their career and how those choices worked out for them can be very beneficial. Additionally, talking about the past decisions I have made, why I made them, and the resulting outcomes has helped me learn much more from those experiences than I would have otherwise.
DL: Have you evolved in your approach to helping others?
JW: I am not sure that I would say that my approach has evolved, but I do believe there has been an overall improvement in my ability to help others. I am much more comfortable now compared to when I first became a mentor. Initially, I thought to become a mentor meant that I had to have an answer to everything. As I gained experience, I realized I didn't have to be an expert on every topic. With that understanding, I can focus more on providing guidance on topics that I am familiar with, but also feel at ease with pointing the mentee in the right direction for more information in areas that I lack experience.
Being part of a mentee/mentor relationship can lead to improved communications skills for both people. An area of communication that many of us overlook is the ability to be a good listener. Being an active listener is a necessary skill needed not only when receiving guidance, but also when providing it. I believe participating in the Mentoring Program has strengthened my communication skills, and I am hopeful this has improved my ability to help others.
DL: How would you respond to the criticism that every government (and situation) is unique and different — so this can’t really help?
JW: If mentees were only interested in getting advice on topics that are unique to their environment, the mentor/mentee relationship would have a hard time living up to expectations. As a mentee, I had some initial expectations of what I thought I would gain from talking with the mentor. I thought I would get a lot of help with specific situations I was dealing with at the time. While I did get great advice on how to handle those cases, it was the professional advice and guidance I received that has proved to be more beneficial over time. If the mentor and mentee both enter into the relationship with an open mind, I find it hard to believe that either of them will look back and consider the partnership a failure. If at the conclusion of the official relationship you think you only learned one thing, then I would say it is worth the effort. The response this question about criticism can probably be summed up best in a quote many have attributed to Ronald Reagan, “We can’t help everyone, but everyone can help someone.”
Lynne Pizzini — Former CISO in Montana (She recently joined Cerium Networks). You can learn more about Lynne here.
DL: Tell us about role as Montana’s CISO. How did it evolve over the years?
Lynne Pizzini (LP): I started the security program at the state of Montana in 1997. I was the first CISO for the state and took on that job title in 2013. When I began the program, it was just me. When I retired at the end of 2017, the security office had 10 employees, the SOC (security operations center) had 15 employees, and other security tasks were spread across the organization. Montana indeed follows the “security is everyone’s responsibility” motto. The change over the years came as threats and security challenges increased. Montana’s governor, Steve Bullock, recognized the need for a formalized program when he came into office in 2013 and that is when the CISO position was created. Before that time, support for the security program was limited, but recognized as important.
DL: As a mentor in the MS-ISAC, what were the benefits you saw from the program?
LP: It is always nice to have someone that has the same goals and challenges as you do, to have discussions and share ideas with. This is one of the benefits of the program. As a mentor, I have a lot of experiences that I can share that may be helpful to someone just coming into the security role. I have found that no matter what state or local government you work in, you want to do similar things to make your security program better.
DL: Did you learn as a mentor?
LP: I did learn quite a bit as a mentor. I consider the relationship on an equal level because we all have things that we can learn from one another.
DL: How did you see your mentees grow? Has that brought you professional satisfaction?
LP: I have had five mentees, and each one has been different. All have grown in some way, whether from a technical or a leadership standpoint. My greatest satisfaction is hearing “I did what you recommended and it really helped me do X.” I think we all like that good feeling that we get when we truly help someone get through a challenging or unfamiliar task.
Jill Fraser CISO for Jefferson County, Colo.
Jill Fraser is the chief information security officer for Jefferson County in Colorado. She has been in the information technology field for 17 years and is a Certified Information Systems Security professional (CISSP*).
Jill is responsible for managing the county’s enterprise cybersecurity program.
She is one of the founding members of the Colorado Threat Intelligence Sharing (CTIS) network (a cooperative entity formed to share specific and detailed incident communication and security information within the Colorado public sector).
DL: Tell us about your experience with the MS-ISAC Mentoring program.
Jill Fraser (JF): 2018 is my third year in the program. My first year, I joined as a mentee. My mentor was Theresa Masse, the CISO from the Port of Portland. At the time I joined I was the Security Program Manager in my organization. I understood then it was a wonderful opportunity to connect with someone in a CISO role, someone with more experience. I understood then it was a chance to grow both myself and my organization by leveraging the experience and expertise of Theresa.
What I didn’t fully comprehend then that I do now is what a tremendous gift this program is to the government security community. There are many of us within local government that do not have an internal team of security-focused professionals with whom we can collaborate, bounce ideas, and most effectively mature our security programs. The MS-ISAC Mentoring program allows us to work directly with other security professionals in organizations of a similar size to discuss ways to be successful deploying and managing our own security programs. This program allows us to collaborate with our peers creating a virtual team of security professionals across the nation. More simply put — I knew I wasn’t alone, that I didn’t have to figure everything out myself.
The knowledge that I was a part of a team help me stay engaged and energized. My relationship and the collaboration with Theresa helped ensure the work I was doing for my organization was more beneficial for maturing its security posture than it ever would have been if I had been doing the work alone.
Last year I became the CISO for my organization and I continue to participate in the program as a mentor.
DL: Would you recommend it to others in government or the private sector? Why?
JF: The MS-ISAC Mentoring Program offers security leaders in management positions an opportunity to participate in this program to learn and grow from the experiences of their peers in the security community. I would most certainly recommend the program to anyone in a position to benefit. Most certainly!
DL: How can the program improve in the future? Do you think any changes are needed?
JF: The program asks that question of participants at the end of each year and makes thoughtful and reasonable modifications based on the feedback.
DL: Anything else you want to say?
JF: Thank you. I want to say thank you, Dan and Elayne, for putting this program together. I want to say thank you Michael, Jessica, Tammie (at MS-ISAC) for continuing to manage it year after year. I want to say thank you to all the magnificent government security personnel who sign up to be mentees and mentors. Thank you to everyone who participates and has participated, all those who continue to connect us all for the betterment of the whole.
Dan Lohrmann: I want to thank Mike, Elayne, Jay, Lynne and Jill for participating in these interviews and for their national leadership in mentoring security pros. I'd also like to thank Ms. Tammie Fanfa who currently runs the day-to-day mentoring program for the MS-ISAC for her help in arranging these interviews. Their role models and words of guidance on mentoring are outstanding examples that we all can learn from moving forward.
In a BrightTalk webcast this past week (which is available free with registration), I moderated a panel with cyberindustry leaders on best practices regarding attracting and retaining cybertalent. One top trend that was recommended was finding a security-focused mentor or being a mentor for others in the industry.
In addition, the Information Systems Security Association offers this CISO Mentoring Webinar Series, which is also an excellent resource.
In my opinion, there is no career substitute for finding a mentor or being a mentor. While we all have seasons of our lives when this may not be possible, try to make it a priority. You'll be glad you did. Interested government security professionals should contact Tammie at the MS-ISAC for more details on how to get involved in mentoring.
I also believe that this mentoring program is a model for all industry sectors beyond government, and the other ISACs or professional organizations may want to consider this MS-ISAC best practice approach.
My hope is that this (admittedly long) blog will convince you to get involved and either find a mentor, or be a mentor or both.