Please tell us about yourself, your background, and your journey of becoming a CISO for the Dallas Independent School District.
I began my journey as a service member in the Army, serving as an intelligence analyst. During my time, the Army started utilizing computers more extensively, and I gained experience in Cisco networking. After leaving the Army, I had to start from scratch and worked my way up from desktop support to network engineering and eventually became a manager.
I specialized in turnarounds, working with neglected organizations to update their outdated equipment. Around 2014, I noticed the growing importance of cybersecurity and made the transition into that field.
Over the years, I progressed from a manager to a director and eventually became a CISO. Currently, I oversee threat and vulnerability management, architecture, and engineering, as well as privacy and compliance at Dallas ISD.
It seemed like you had a lot of experience with information security roles within various industries. What would you say is the common denominator in all of them, and what is the biggest difference among these industries?
The common denominator across industries is the presence of dynamics between cybersecurity and other departments. Often, there is friction between the infrastructure team and cybersecurity when it comes to applying security measures.
A similar relationship exists between security and application development teams. To excel in cybersecurity, one must understand not only the tools and techniques but also have a deep understanding of infrastructure and application development. Being multi-disciplinary gives an edge and sets one apart from the pack.
What do you see as the hottest trends within the industry today?
One of the hottest trends in the industry is the adoption of the Zero Trust architectural framework. This approach treats both external and internal access requests with the same level of rigor, not trusting either by default. It has gained significant support, even becoming mandated for federal and state-level agencies.
Another significant trend is the rise of ransomware, which poses a conglomeration of issues, including insurance challenges and costly defense strategies.
Lastly, there is a growing focus on adopting cybersecurity frameworks to gain a holistic understanding of risk profiles and prioritize risk reduction strategies effectively.
How do you handle third-party risk, and what are your thoughts about the future of third-party risk management?
Managing third-party risk involves implementing a robust vendor management program. I categorize vendors into different tiers based on their level of access and transactions with us. Each tier receives different treatment and priority. We assess their cybersecurity posture, utilizing tools, surveys, and assessments to understand potential risks.
Recent breaches have demonstrated the importance of considering not only the organization’s direct interaction but also their partners’ impact on our security. The future of third-party risk management lies in developing enhanced strategies that account for strategic and data partners individually.
On a personal note, what advice would you give your 21-year-old self?
I would emphasize two things: mindset and communication skills. Overcoming limiting beliefs and understanding oneself is crucial for personal and professional growth.
Additionally, focusing on communication and presentation skills, tailoring messages to different audiences, and becoming comfortable with public speaking are essential for career advancement.
Mastery of the cybersecurity discipline is vital, but I would also encourage a broader understanding of application development, cloud computing, and network/data center operations to enhance one’s knowledge base and capabilities.