“Be yourself” is always good advice. But as hackers get smarter, they can be you too! In this digital age, more people spend time online, from connecting with family and friends to doing business. At the same time, online risks keep growing. So do we take offense or defense? In this episode, Dan Lohrmann, Field CISO for Public Sector & Client Advisor at Presidio, talks about cybersecurity and how organizations and their leaders approach technological and digital challenges in securing proprietary information. He also touches on the “7 Reasons Security Pros Fail” and shares insights on what we can do about it and how company culture plays into getting an advantage against the bad guys.
Dan Lohrmann: From A Football Team To Government To The SOC… Culture Is The Key
Welcome to the show. We are bringing you some of the top experts in the industry for a chat about anything interesting in keeping our world secure. Speaking of keeping the world secure, we are excited to welcome Dan Lohrmann to the show. Dan is the field CISO for the public sector and client advisor at Presidio, as well as being the co-author along with Shamane Tan of Cyber Mayday and the Day After. We’re going to get to that. He has done a few things in his multi-decade career. He has held positions as CISO, CIO and CTO gigs at places that you may have heard of, like Security Mentor and the state of Michigan. He started his career as a slip of youth at the NSA. Dan, welcome to the show.
It’s great to be with you. I’m looking forward to this conversation.
We like to write things down around here but after our prep call chat, it’s almost like, “Let me turn on the mic, hit that first strum of the cord of the guitar and let you go.” I do want to dig into some of that because there has been a recurring theme in a lot of your writings where you make analogies to American football with regards to cybersecurity.
I’m saying American in front of it because there’s an international audience that may think that they can’t pick the ball up and run with it. One of the things I wonder is as CISO and the different C blank O positions that you have held, where are the alignments? Where are the analogies? Is it the general manager or the head coach or one of the offensive or defensive coordinators? How do we fit that together?
Thanks so much for bringing that up. I love football, first of all. A lot of people, certainly in the United States, have a better understanding of football than they do cybersecurity. That’s one of the reasons that I like talking about this. I jotted down all of the above. At the general manager level, you have to get the right players on the team, the salaries and the career path. You’re making sure you get the right players involved on your cyber team as well. The head coach sets the strategy, does the research, the film, the homework and lays out the game plan of how you’re going to do things.
At a very basic level, you’ve got an offense and a defense. Most people in this industry are not on offense. If you’re in the military and you’re attacking, that’s a different situation. Most of us are playing defense. We’re being attacked from around the world. I was a quarterback in high school and college. You got to be able to call audibles at the line and think about making adjustments, having a good understanding of the field, if you will.
In the cyber world, it’s the attacks that are happening. Visibility is huge, so you know what’s coming at you when, where and how. You can then adjust and make the adjustments you need to make. Sometimes, that’s an audible at the line of scrimmage. Sometimes, you call the right play. You’re ready to go and score a touchdown. It’s being able to act and adjust.
We’re holding onto this for a second because it is training camp. It’s also the end of July 2022 getting into the beginning of August 2022. There is no interesting sports news to talk about. Every training camp place suddenly becomes the news. When you look at some of the classic teams, whether it’s college or professional football, there are a lot of teams that the most successful ones seem to have a thing. The Steelers play defense. The service academies run the triple option. For those who are not big fans, it means they don’t throw the ball very often, whereas Brigham Young throws the ball all the time. Do organizations have a thing similar to that in their mindset or their approach to cyber security?
To some extent, yes. In a sense, we all need to be able to do all of the above. In this industry, you’ve got to have all the pieces. Some people don’t have all the pieces. Where I agree with you is from a cultural perspective. What is the culture of the organization? What is the culture from your technology team to your cybersecurity team? How do you work together with other parts of the organization?
It’s very different in different organizations. For example, when I was at the National Security Agency, it was like security was our middle name. Everything was about security. I worked in England on a US-UK military base. There were German shepherds, barbed wire fences and Uzi submachine guns watching the gates. There was a culture there that you could see and understand why. When I got to the Michigan government, it was like, “We’re not NSA, are we?”
Back in the late ‘90s, before 9/11, there were no guards on any doors. You could walk right in. There were signs up the first week I was at work saying, “Watch your purse.” I’m like, “What are all these signs up all over the place?” People were walking on the street, stealing women’s purses and walking out. There was no security at all. It was the opposite end of the extreme.
There was a big focus at that time. That culture was all about Y2K. It was about the year 2000. It was all about certain other things. They were like, “We don’t need passwords or screensavers.” A lot of that changed after 9/11. Things evolved and got much better in the following decade. Different organizations have different cultures and ways of approaching problems.
I’m curious. You’ve talked about your time in England on the US-UK joint site. We’ve got another episode with Freaky Clown, who’s a legendary physical security guy. He has been breaking into banks for many years. A military compound’s going to be different. When you have that type of physical security presence, in your experience, does that affect the culture of an organization compared to a place surprisingly like the NSA that sounds like it didn’t have at least an obvious physical security presence?
I’ll make sure I’m clear with that. NSA had a very big physical presence and so did my base in England. It was the state of Michigan that didn’t. It does change. At NSA, the bases I worked at in the UK and other places around the world, there were signs everywhere like, “Someone is watching you.” They were proud of the big brother. When I had my top secret clearance in the intelligence community, it was all about physical presence and all of the above. It was cyber and physical. That’s growing in a lot of other organizations.
The other thing going on is that the physical and the cyber worlds are intertwined in new ways. IT and OT, as we call them in the industry, are coming together. They’re becoming a merger of physical and cybersecurity in so many ways. We could spend an hour talking about that but one affects the other. They work together.
Culture has been such an interesting topic to talk about with previous guests at different events. You, in your career, have spent almost equal time in the public sector and the private sector. On the public side, it’s been government, military and overseas as well. Do you see a difference? Is the intersection on the Venn diagram bigger or smaller in what they have in common in their approach to security?
There are a lot of similarities but there are a lot of differences. The industry has changed quite a bit. The salaries and the career paths are different. One of the biggest challenges everyone’s talking about getting cyber talent is it has been a real challenge, especially for state and local governments and the federal government. They’re doing a better job of it, but it is hard, especially when you’re competing with startups and stock options. You hear these stories about companies going crazy. It’s hard to keep good talent.
I’ve been a big proponent. I spent a lot of my career in the public sector. I do think you get other opportunities in the public sector, maybe for training but also in a wider perspective that you may not get in the private sector. For example, we would give them more opportunities to intern and be involved in a lot of different functions and roles within security. Whereas I know a lot of people that have made the decision to go into the private sector, especially early in their career, were pigeonholed more.
I like to compare that to another analogy here for people. Think about somebody who comes out of law school. They pass the bar and have to decide, “Do I want to work for the prosecutor’s office where I may get some time in front of the jury and get some court time where I’m in there or do I want to go work for this big law firm? I might be buried on the seventeenth floor in some research department. I might never stand before a judge and a jury for many years but I’m making more money.” There’s a question there.
That’s not always the case but a lot of times, the public sector does give people a lot of opportunities that you may not get in the private sector, especially early in careers. I have no regrets about my early career training with NSA and then in England with Lockheed and ManTech. I learned a ton that helped me become a CISO and CTO in Michigan and then go on from there. There are differences certainly. The private sector does tend to have more money and tends to offer more money.
When you talk about being in the public sector early in your career, is that a thing? Is that statistically provable that the security side may tend to be younger or at least more junior in their experience as they come in, get their chops and do their thing? They maybe even feel the obligation to serve the common good before moving on to the private sector, chasing the higher salaries, stock options and sexy startups.
It certainly was when I started in the late ‘80s. There were a lot of people who we call green badgers and black badgers. The green badgers were government employees. They both had top secret clearances in the intelligence community. The black badgers, a lot of the time, were sitting right next to you but they had a black badge. That’s how you knew they were contracted. They weren’t government employees. There are a lot of people who do that.
Some people go straight into the private sector. The industry is so much larger than it used to be. A lot of larger companies as well have hired students. They know they need to build the pipelines, so they bring them in earlier. There are examples of that. I also think that’s one of the ways that governments, universities and nonprofits, by necessity, have had to build the farm system. They haven’t been able to compete in the free agency market. Using another sports analogy, they can’t go out and slap down stock options and big boxes. They’ve had to bring in students and offer other things earlier in their careers.
The other piece about the public sector, which I appreciated, was a sense of helping your country or state and having a meaningful role. I’m not saying you can’t have that in the private sector but you’re making a difference. A lot of people want to make a difference. The public sector does offer that. I felt that as part of the NSA mission and the Michigan state government. I’m proud of that.
I got three things. Number one, I have to admit. When you said green badgers and black badgers, I was picturing a badger, not someone wearing a badge. I’m going to own that. It was awesome. I made myself laugh. I don’t know if I can remember points number 2 and 3. I’m going to skip to number three. There is a notion, though, of the experience and the innate knowledge of the younger crowd or the junior crowd coming in.
We’re in our third generation of people raised in technology, the digital era or whatever we want to call it. Do you see the new crop or the juniors coming in? I don’t mean people that are new to the field necessarily. They’re the ones that are fresh out of high school, college, prison or GED programs that know this stuff better at a younger age than you and I might’ve when we were at that same age coming in.
That’s true. That is a generalization. It is very hard. The answer I’m about to give you is there are exceptions to all of this. I do think they have better technology skills. They’re digital natives but especially coming out of the pandemic with all this online and not in line, some of the communication areas and some of the soft skills you need in the cyber areas can be weaker in some cases.
Human to human communications?
Exactly. It’s talking to somebody, looking them in the eye, shaking somebody’s hand or giving a fist bump. It’s trying to communicate in effective ways. The generation coming in maybe was a little bit behind the generation that I grew up in. Stereotypes aren’t always helpful. There are a lot of great communicators coming out of college and there are people that were excellent technology nerds, geeks or whatever term you want to use back in the day as well.
I do think that certainly, they’re coming with a lot of skills. The adversaries are coming with skills. You got to remember. Like in sports, it’s not just about what your team is doing. It’s also about what the other team is doing and being able to act and adjust. It’s being able to know that you may be getting better, stronger and smarter but they’re also getting smarter, better and stronger too.
I like it that you said act and adjust. The phrase that I like is read and react. It sounds like the same thing. To that point, the people that are growing up that have been technically savvy and technologically savvy for a long time don’t mean they’re automatically going to be good guys. The good guys and the bad guys are growing up together. The point is when we look at that, especially given the position that you’ve had with the state of Michigan, that is massive. Not only were you responsible for your workforce. You were responsible for the people of the great state of Michigan.
The pillars that we’ve heard on a few different episodes were the human element, technology element and physical element. We’ve touched a little bit on technology and the physical. When it comes to the people, there are a lot of discussions back and forth on whether your people are the biggest strength or the weakest link. In your approach, when you look at the population of your team and organization, how do you view what’s in there and how to maximize their potential to do what they need to do to protect everybody else that they’re charged with protecting?
This is a little bit of a cop-out but I’m going to say both. They are the biggest strength and the biggest weakness. It is an advantage if you can train them well or build a culture of security where people do take it seriously. You can move the needle and make a difference in powerful ways. They’re well-trained. They know where to go, what to do and how to respond to incidents.
You mentioned the state of Michigan. There’s so much at stake. I was there during the Blackout of ‘03. I was the Emergency Management Coordinator for the Department of Technology when the lights went out. That wasn’t directly technology related but there were a lot of technology challenges and things we had to overcome. The whole state of Michigan was relying on us not just to get the power back on but to respond to all these other emergencies that popped up and provide these public services that people were relying on even though the lights were out.
It’s all people, process, technology. The people are the biggest piece. Early in my career, one senior executive in a large corporation, which I won’t name, said, “People, process, technology, but 90% of it is about the people.” They can be your greatest strength but they can also be your greatest weakness. It shines the light on the importance of how you’re working with your people.
Let’s spin the way back machine on that thing. You wrote an article in 2010. It’s a great title, 7 Reasons Security Pros Fail (and What to Do About It). We don’t have to go through any of these or we can talk about all of them. I love the way that you broke it out. 1) Security as a Disabler. 2) Security Offers Only One Solution. 3) There’s Not Enough Humble Pie. 4) Believing the Customer is Clueless. 5) Personal Cyber Ethics. 6) Career Burnout. 7) Career Perspective Stuck in a Box. Looking back, do you feel that those reasons hold true? Did some get better? Have some gotten worse? Are there new ones?
Honestly, that was one of my rare great moments. There are certainly other reasons why security pros fail but I still believe those seven still apply as much now as when I wrote that article several years ago. I still think those are the challenges. I walked through each of those seven things in the article and then I did a special blog. I did a deep dive into each of the seven reasons, the stories behind them and why I picked those seven.
People said to me, why security pros fail. The preface to the article was not enough money, people, resources and executive support. Those are all true. We should need money, support, power and ability. My premise was I’ve seen people with all of the above. They had executive support, money and power. They had all that and still failed. I’ve also seen people who had none of it.
They did not have a good budget and executive support and they succeeded. To anyone reading this, I want you to have the budget you need and executive support. I certainly encourage that. There are tons of articles about how to get executive support, more budget and those kinds of things. Those are all important pieces when you’re thinking about your career.
I’ve been in security for decades since I wrote this article. I’ll talk about a couple of them. I’ll start with security as a disabler. I almost lost my job over this one. I was against Wi-Fi. This was very personal for me. I had reasons why I was against Wi-Fi. I had white papers from NSA, FBI, CIA and DIA that all said it was a bad idea. Wardriving was huge. People were hacking into Home Depot and cash registers from the parking lot. We all know those from many years ago.
My management gave me a task. They were like, “Put Wi-Fi in all of our government conference rooms through the state of Michigan.” I said, “No. I can’t do this project. It’s a bad idea.” I almost lost my job saying that. In the middle of a staff meeting, I said, “We’re not going to do this project.” My boss was like “I want everyone to leave the room but Dan.” I’ve never seen a government conference room empty so fast. Everyone ran out twenty minutes into a meeting.
I was sitting there across from Teri Takai. She became the CIO in California. Later, she became the CIO of the US Department of Defense. Teri went from a $500 million budget to a $5.5 billion budget to a $35 billion budget. She was looking me in the eye and said, “If that’s your answer, you can’t be the CISO in Michigan.” I’m like, “What?” I was freaking out.
I was like, “You don’t understand. Let me explain these white papers to you.” She said, “I’ve seen all the white papers. I know about the Home Depot story and the intelligence community but I’ve been to Ford, Chrysler and GM and they all have Wi-Fi in their conference rooms. What do they know that you don’t know? I’m giving you one week to find out. Put together a plan or give me your resignation.”
Security as a disabler, which is the first one on the list, was very personal to me. What happened was I kept my job. We ended up coming up with a plan and winning the award two years later for the most secure Wi-Fi in the nation. We won an award for all 50 states. The rest is history. We won a whole bunch of awards but it taught me a bigger lesson. Security is known for saying no.
They’re like, “The answer is no. What was the question?” If you’re like, “I want to do Cloud,” they’re like, “No. You can’t do that.” If you’re like, “I want to do IoT,” they’re like, “You can’t do that. That’s a bad idea.” Security’s got to get to yes. It’s got to be the right security with the right level at the right budget. There could be some caveats. How do you get on time and budget with the right level of security? That’s the challenge.
I’m not going to walk through all of these but I’ll also talk about how security offers only one solution. We come right back and say, “I got a solution for you. My team was doing this again.” The stories behind each one of these are personal experiences. We’re like, “Here’s the solution. It’s going to be $1 million.” They’re like, “The whole project is $100,000. You’re giving me a $1 million solution to a $100,000 technology problem or budget?” The customer, client-side or business is saying, “We’re back to no.” When you’re offering me a $1 million Maserati for driving around the neighborhood, I’m not doing that. Each of these is from lessons. Different people have different issues.
Number six, which is career burnout, we’re seeing that a lot. People are leaving the industry. I’ve had people tell me, “What do you mean career burnout? I’m not burned out. I’m loving this.” Three years later, they come up to me and say, “I see what you mean by career burnout. I’m burned out.” What can you do about that? I’ve been on shows. We talk through each of the seven reasons.
You could probably add 3 or 4 others but these seven are things that I have seen from colleagues, professionals and people who’ve worked for me. You have to be prepared for each of these. These things are obstacles. They’re going to come up in your career and you need to be ready for them. It’s going to happen. If you’re in this industry for 20 or 30 years, you’re going to face each of these issues. You need to know and be prepared for what is your answer.
Have you noticed any indicators? Burnout sticks in my head when we think about the human element and how a person can come from being one of your all-stars to a threat. It’s not on purpose. They’re not mad. Maybe some of them are but most of them are the overwhelming majority. It’s almost like repetitive motion injuries. They’ve been doing this for so long. When we talk about culture with that, what can you do as the leader of the security organization or as the CISO to keep people invested in the culture? What can you do to prevent them from becoming a potential threat through no fault of their own, whether it is apathy or they’re doing what they did?
It’s a long answer but part of what you said is also about personal cyber ethics and the slippery slope. I had people in our teams that were breaking the rules to defend the enterprise and doing stuff. I get slapped in the face by some business people saying, “The stuff that you’re barring us from doing, your people are doing the same things.” You’re having to have those hard conversations with people but that’s another topic.
Specifically, in the burnout area, every person is an individual. You need to have good relationships with your staff. Encourage them to take vacations. I worry less about the cyber-attack breach that’s a big incident. Every organization has big incidents and outages where the email goes down and the governor’s office is screaming. They spend 3 days and 3 nights working on these issues and come back up. They did it. Some people are getting into the industry for those. I call it the Die Hard 4 syndrome.
If you have seen Die Hard 4, all the lights were going out and the critical infrastructure was being attacked. It’s because of Die Hard 4 that they got into cyber in the first place. That worries me less. A good manager is going to send somebody home. They’re going to say, “Go take that trip to Disney World with your family. Take a week off. We saved the world.” I worry more about the day-in, day-out grind. It’s the 12- or 14-hour days, 7 days a week, where nothing is ever done. Security’s never finished. You never have milestones. You’re working 24 hours, 7 days a week, 365 days a year. It goes and goes. That’s where I see burnout.
I worry less about the big incidents that shake people that are in the newspaper. Some people love being involved in those. People get burned out. You can say, “Security is never done. When are you finished? When is it complete?” How do you do that? You have to plan projects for things. Everything’s a project. You have to have success sometimes and parties. If you’re the party pooper, what do you do? Go have a party. You have to celebrate success and encourage people to take their vacation. You need to know what the individual needs.
Some people need help. We’re not professionals. I’m not a psychologist. I can’t give you a doctor’s help. If you need that kind of help, make sure you get it. More than that, know your people. Make sure that the family is important. Those relationships are important. It’s making sure that you have those times where you can have rest. You’re going to have coverage. Over the holidays, the bad actors come back. Typically, they want to hit us over the holidays but you need to make sure that your people are getting time off.
You have worked your way into a position where you are part of the C-Suite and in front of boards. This is a recurring question that we’ve been doing over a few episodes. Do you see legit security people in there? You’re the Chief Information Security Officer. By definition, that’s your role. When you look around the table, do you see people that have a similar CV to yours or do you have to dedicate X amount of time explaining what it is you’re about to explain to get the message across?
It’s becoming more common that the C-Suite’s getting smarter. A couple of years ago, it was like, “What is ransomware?” There were a lot of questions. I got a chance to speak to about 100 CEOs in New York City back in June 2022. I was surprised that there was a panel right before mine. There were five and I was the second up right before lunch. They were talking about what’s hottest in the industry. These were high-end real estate companies all over the world. The first guy who spoke said, “I want to hear the next guy and the ransomware stuff because we got hit by ransomware.” I was stunned that their panel came right out because one of the CEOs got hit by a ransomware attack. They spent fifteen minutes of their hour talking about cybersecurity, which shocked me. I did not expect that.
I do think they’re getting smarter. The assumption that CEOs, CFOs and other C-Suite executives are all stupid or don’t know what they’re talking about when it comes to security is wrong. They’re spinning up. We’re making progress, in my view. With that being said, the bad actors are often three steps ahead of us. They got ransomware 1.0 and we’re ransomware 3.0. They’re stealing the data, reselling the data on the dark web and doing other things. Back to our sports analogy, as soon as you get used to stopping the run, we’re going to run a play-action pass and throw the ball.
The game changes. This is a moving target. We have to keep educating the boards. This is an ongoing challenge. In no way am I suggesting that we’re done and C-Suites got it nailed. The answer is you need tabletop exercises and new scenarios. How are your peers getting attacked in the industries? How is this affecting others, whether they’re your competitors or partners?
The supply chain attacks are huge. We have to keep thinking broader. We have to keep educating them. I do think we have their attention. You thought my answer was going to be that they don’t get it. That was my answer a few years ago. That’s not my answer now. They are getting it. We’re moving the ball down the field. We need to score a touchdown. We need to keep going and make progress.
That’s the good news. It’s not all gloom and doom. A lot of security can get hung up on fear-mongering or say, “Buy our stuff or else.” If anybody thinks that their CEO is stupid, you are stupid. He or she got to sit in that chair for a reason. They may not be informed on this particular discipline but it sounds like they are becoming more informed. They are making a point to make themselves more informed. It’s not the running gag of, “I had my granddaughter explain that to me.” I’d be like, “That’s great. I’m selling that stock now.”
There is one more quick follow-up on that. One of the items on there, which is believing your customer is clueless, that’s back to the CEO of the business areas. We are not known for being the kindest, humblest people in the world. I wouldn’t think that our profession would be ranked in the top ten of most likable people except for when we’re talking to other security pros. We’re great with other security pros.
I find that often, security pros want to talk about security. If you have lunch with the CEO, the CFO, the business side or some executive, flip it. You’re there to learn about the business. Talk to them. Ask them questions. What do they need? Hopefully, security is going to be coming up and it’s going to be a two-way conversation. It’s not all about you. If the business fails, you don’t need security. If you went bankrupt, everybody’s going home. The business exists for a reason. That’s even in the business of government. We got to remember that. Often, security pros forget that. Having those conversations starts with the business.
You have put in a lot of time across a lot of different aspects of cybersecurity. In your position as the field CISO for Presidio, when you look out at our industry, what do you see is our industry’s biggest weakness in our approach?
The complexity is continuing to get overwhelming for people. There are a couple of answers I’d give to that. I was at the Gartner conference in Washington. There are so many great sessions there but one of the things that they talked about was the reality that whatever number of tools you have, you want half. If you’ve got 80, you’re only using 40 or sometimes less. If I have 80, I’m using 20. I’m saying using because maybe somebody uses it once a week. They’re utilizing it. People have too many tools. It’s complex. Simplifying the architecture is a challenge.
I also think another big one related to it is a little bit different. I’ll give us a second answer to this. CISOs aren’t lasting a long time in their jobs. I’ve seen different reports. I’ve seen 18 months, 20 months and 24 months. Let’s give them the benefit of the doubt and give them 24 months. Twenty-four months or two years is the average tenure of a CISO.
It takes you a year to figure out where all the restrooms are and your ability. It is rough to do much in two years. There are those people that go three, but there are a lot of people that leave after one. I know people that didn’t make it a year. It’s tough. I thank God for my time in the Michigan government as an agency CIO and then in the governor’s office building Michigan.gov before I became an enterprise-wide CISO.
It’s mainly not because I understood the technology and the data centers. It was because I had all the relationships. I knew all these people from Y2K and the business side. I was a CIO from an agency and they were all CIOs from other agencies. We centralized it all. We refined and did things. My point is I had that background before I became a statewide CISO.
Remember, this is more of a marathon than it is a sprint. Our careers are a marathon. It’s not what you do next week or next month. It’s also what’s in the long-term best interests of these companies or your government agency. That’s a huge challenge. It’s not always because you can’t find talent. Some of this is about money. I could switch jobs and make more money. You can keep making more money but at the same time, you also want to think about your career in terms of the skills and the organizations you’re working for and what’s in the best interest of that organization as well. That’s a huge challenge.
This is the last question. There’s the famous story that every outgoing United States President leaves a letter on the desk for the incoming one. Do CISOs do that? If they don’t, should they?
They should. Some do. Smart CISOs seek out their previous ones. It all depends on how you left. If you were shown the exit during a breach, you’re probably not going to have a good relationship with your predecessor or successor. I certainly have tried to do that. I always don’t burn bridges. My advice is don’t burn bridges. Do everything you can to make it a smooth transition and empower those who come behind you. They should pass that letter along.
Let’s move into the Leadership Corner. I always love this because you learn not just about what the guest is doing and has done but this is a little bit about who you are. What are you reading? What are you listening to, whether it’s music, podcasts or lectures? Are you bowling? Do you ride motorcycles or go to heavy metal concerts? What happens after the close of business hours?
I love sports. I got to start there. I’m a Michigan State Spartan fan. I was adopted into the Michigan family. I was born and raised in Maryland. Growing up, it was the Orioles and the Baltimore Colts way back when. My brothers still root for the Ravens and Baltimore. I love Michigan State football and follow a lot of sports, basketball as well. I’m pretty active in our church, so I spend time there. I enjoy a lot of the groups there.
I love cybersecurity. I love this field. I’m passionate about it. If that doesn’t come across, then I’m not doing a good job. I blog and write a lot. I write a blog for Government Technology Magazine. You can go to www.GovTech.com. Type Lohrmann on Cybersecurity. It’ll pop right up. I have been blogging since ‘06 for CSO Online and Government Technology Magazine. I do love it. I read a lot of blogs.
From a book perspective, I’m reviewing a book for Wiley. I also came out with our book. We co-wrote a book called Cyber Mayday and the Day After with Shamane Tan in Australia. It consists of true stories. There are 35 true stories of the public and private sectors that are good, bad and ugly. There is some ugly stuff in there. It talks about what happens when you’re hit before, during and after a cyber-incident. That’s what that’s about.
I’ve written some other books but as far as reading other people’s material, I’m reviewing some other books for Wiley. One is If It’s Smart, It’s Vulnerable by Mikko Hypponen. I listen to podcasts. I listen to yours and Smashing Security. 401 Access Denied with Joe Carson is another one that I like. Those are a few of the things I’m doing. I stay busy. I’m married. I have four children and one is in college. They keep me busy as well.
How do you have time to do any of this stuff in addition to being CISO? This is normally when we would downshift into shameless plugs but you already threw a few out there. With that being said, let’s do it again. For the people that are looking for you or anything cool that Presidio’s up to, where can they go? You’ve mentioned the blog. Throw it out there again. Tell us about the social media events where you might be speaking.
On Twitter, I’m @GovCSO. You can also go to Presidio.com. We’re a global digital solutions provider. I blog and do some podcasts on there as well. We get involved in a lot of different aspects of both cybersecurity and the move to the cloud. How do you securely move payloads to the cloud? How do you do a lot of great stuff in a lot of state and local governments and private sector companies in that space? The easiest way if you want to connect with me is to go on LinkedIn. I connect with anybody as long as you look legit. I’m happy to reach out and talk. I appreciate being on your show.
This has been great. We got lots more to talk about. I’m going to do one, probably in the mid-season, where we could talk about hacking football and the ways that we can go back and forth and how the offense can beat the defense and vice versa. Amazingly, you have enough time to take out of the day for this. We are grateful for you coming on. Consider this the official invitation for the next episode.
Thank you so much. I want to come back. I love your energy, your show and all you’re doing. Thank you for your help in the industry as well.
That is it for this episode. I want to say thank you for joining us. For more information on all that’s good in the world of cybersecurity, make sure you check us out. You can find us on LinkedIn and Facebook. It is ElevateSecurity.com out there on the rest of the internet.
You can find me @PackMatt73 across all the socials. As far as this show, anywhere you go for your shows, that’s where we are. All we ask is you subscribe, rate, review and comment. This is a five-star show. If you give us four, I’m thinking that you might be a hater because these guests are too good. You can’t say that this isn’t five stars. With that being said, that is the end of my shameless plea for all of your love and affection. We will see you next time.
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- Cyber Mayday and the Day After
- Cybersecurity at the Movies: Enemy of the State
- 7 Reasons Security Pros Fail (and What to Do About It)
- If It’s Smart, It’s Vulnerable
- Smashing Security
- 401 Access Denied
- @GovCSO – Twitter
- LinkedIn – Dan Lohrmann
- @PackMatt73 – Instagram
About Daniel Lohrmann
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann currently serves as the Field CISO, Public Sector for Presidio, a global digital services and solutions provider accelerating business transformation through secured technology modernization. Lohrmann leads cybersecurity advisory services for public sector clients at Presidio.