Erik Avakian on a Decade-Plus as Pennsylvania's CISO

Soft skills are essential to good cybersecurity — a lesson Erik Avakian has learned over the course of his more than 12 years as chief information security officer for the state of Pennsylvania.

With a state CISO career stretching 12.5 years and three administrations, Pennsylvania’s Erik Avakian has had a remarkably long tenure. He spoke with Government Technology on Oct. 21, his last day in office before departing for the private sector.

“I’m just excited to have been part of it, and I'm humbled by it,” Avakian said.

While in office, Avakian saw cybersecurity shift from being a niche area handled exclusively by the security team to become an enterprisewide concern and one that residents saw as impacting their daily lives.

“The role of the CISO, particularly when I came in, was extremely operational and very much technical,” Avakian said. When he became deputy CISO in 2007, “The CISO [was] kind of deep in the organization; mostly, like the guy that knows security, and nobody else knows anything about that.”

But today’s CISOs need to be able to work hand-in-hand with business leaders, and Avakian’s long career has underscored how essential soft skills are to cybersecurity.

“I see a lot of young CISOs come in, and they've got all the technical certs [certifications] and they can talk the talk and use all the acronyms. That’s going to work for a while,” he said. “But it's those soft skills that are really important, because they’re really going to have to communicate if they want to build their program and get the support they need.”

CISOs need to be able to communicate problems and initiatives in different ways to suit different audiences, if they want to get momentum. They must speak with highly technical security practitioners as well as agency heads and governors and members of different levels of government.

To connect with the business side of government, CISOs have to translate their work and ideas into terms that click with business leaders’ backgrounds and priorities.

CISOs also need to think about individuals’ communication styles and be able to convey information well in visuals and writing as well as speech. And when it comes to administration change, Avakian’s found that discussing cyber in terms of “risk” tends to resonate with elected officials across political party lines.

“To be an effective CISO is to be an effective communicator,” he said. “There's so much of the psychology of just communication, and people, with this job.”

For Avakian, these kinds of lessons were won through trial and error.

“I remember as a young CISO, coming in here [and] showing high-level executives 50-page reports of intrusion prevention systems, and that just didn't resonate with them. But as security practitioners, we're like, ‘This is cool stuff. Look at all this stuff, it's important.’ And they didn't get it,” Avakian said. “Sometimes you have to go through those experiences to learn and to learn what works and what doesn't work.”

Cybersecurity is a team sport, and CISOs must take the time to understand the people on their team so they can set them up for success, he explained. As leaders, CISOs need to learn staff’s specific talents and interests and offer them the mentoring, training, tools and opportunities to grow and excel.

“I look at my role as to make them rock stars — just to make them blossom into the best that they can be given their position on the field,” Avakian said.

With cybersecurity skills in high demand, recruiting and keeping employees can be a challenge. But Avakian said his security team had “nearly 100 percent retention” — something he attributes to a management style focused on identifying which specialty areas most excite particular employees and then helping them focus and grow in those areas.

“You might have somebody that loves forensics, and another person that loves security policy and writing policy. Those are two entirely different psychological mindsets that make up somebody,” Avakian said.

He likened running a security team to managing a baseball team.

“Making the catcher pitch, or the pitcher catch, or vice versa and all that, they're probably not going to like it too much,” he said. “In the same vein, I'm not going to force my forensic specialist to write a security policy. He might not be so happy with me if I did that. He might not stay.”

Avakian said he now leaves behind a passionate and talented team and a strong cybersecurity program for the next person to build on.

At least temporarily, that next person will be Christopher Dressler. Now acting CISO, Dressler comes with a background as an information security officer for Pennsylvania agencies like Labor and Industry, the Department of State, Banking and Securities, and Insurance, according to Communications Director Dan Egan.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.