Former Air Force, DoD cyber lead on public-private sector transitions [Q&A]

Photo caption: Brig. Gen. Steven Spano, director of communications at Air Combat Command headquarters at Langley Air Force Base, Va., was the guest speaker for the Armed Forces Communications and Electronics Association Gulf Coast chapter's luncheon Oct. 27 held in conjunction with Scope Warrior activities. (U.S. Air Force photo by Kemberly Groue)

With major corporate breaches and government hacks infiltrating the news, it's no wonder IT security is becoming more of a top-of-mind necessity for business owners and organizational leaders across the country. For retired Air Force Brig. Gen. Steven Spano and his team at the Center for Internet Security, however, IT threat prevention has always been a priority. Spano is an expert on IT security and now heads CIS as the president and chief operating officer, advising businesses and organizations of all sizes on how to stay cyber secure in today's complicated technology climate. Gen. Spano shared his thoughts on recent security events and what organizations can do to mitigate risk.

Can you tell us about your background, experience and how you came to your current position?

It's a pleasure to be here and have an opportunity to share some thoughts on cybersecurity, IT and where some of the trends are going. First, a little bit about my background. I was born in Albany, N.Y. I graduated from Norwich University in 1983 with a degree in business administration. As a business major, I had to take two semesters of calculus, which ironically was a prerequisite for an IT career in the U.S. Air Force. I married my high school sweetheart after college. Soon afterward, I entered the Air Force as an IT professional. I spent 28 years, three months, and 11 days in a variety of command, staff and joint assignments.
I was lucky, as a major assigned to the Joint Chiefs of Staff, to have the opportunity to work in the Information Operations Division, drafting the first joint doctrine and DoD policy for Information Operations, which would later become what is now called cybersecurity. Later in my career, I was fortunate enough to work for Gen. David Petraeus as his senior IT professional responsible for IT policy and strategy for all U.S. and coalition forces. In addition, I was also the senior IT adviser to the government of Iraq, tasked with helping rebuild its IT infrastructure. This latter assignment was a new and exciting part of my role in Iraq — one I didn't expect, but I found it challenging and enjoyable. It was very rewarding to do what everyone said was impossible: In the middle of a war, install the first commercial-based fiber optic cable from Baghdad, over 1,600 kilometers west through the Anbar region, to Saudi Arabia and the European fiber backbone. This project's success allowed the coalition to get off of satellites and onto fiber. It also encouraged foreign companies to invest in rebuilding Iraq.

I wrapped up my military career as the director of IT at Headquarters Air Combat Command at Langley Air Force Base, where my staff helped stand up the new Air Force Cyber Command.

My first job after the military was with Amazon Web Services. I was one of the early hires in their public sector that helped build the worldwide vertical. I settled in to build and lead their intelligence and DoD businesses. I also managed the UK business for two years until AWS stood up their Europe, Middle East and Africa (EMEA) team. Our intelligence team led the proposal response to deliver a private cloud region to the intelligence community. This significant win helped ignite the entire AWS business, in both commercial and public sectors. After four years, I had the opportunity to return to my cybersecurity roots and lead CIS, a nonprofit. So I joined CIS in 2015.
CIS has two major core missions. First, we are the home to the Multi-State Information Sharing and Analysis Center (MS-ISAC). Under a cooperative agreement grant from the Department of Homeland Security, we provide net flow monitoring, CERT and intelligence services supporting state, local, tribal, and territorial governments (SLTTs). We then fuse cyber intelligence from the 56 SLTTs we monitor and feed it to the National Cyber Communications Coordination Center at DHS.

Our other mission is to provide cybersecurity products and services to public and private sector entities. Through a membership, organizations get access to security benchmarks that harden more than 140 different hardware, software, and operating systems, for both on-premises and cloud services. These CIS benchmarks are built with input from volunteer communities and based on industry best practices. We also provide a cybersecurity framework known as the CIS Controls, which guides organizations through a set of controls to help them deal with the most pervasive attacks.

You mentioned there was early apprehension to leverage the cloud, but now you have evolved to think "born in the cloud." What changed?

Like many organizations, moving to the cloud is an evolutionary process. Back then the cloud was just emerging, and we lacked knowledge about cloud security. Also, there was a lot of early pushback from vendors who stood to lose from cloud adoption. They created a lot of FUD [Fear, Uncertainty and Doubt] about the cloud that scared many organizations away. But we're in a different position now to embrace cloud. It goes back to relevance. I told my staff the future is cloud-based and the IoT [internet of things]. If we don't wrap our arms around both, then we lose the ability to engage in the debate about how best to achieve security for cloud and IoT. If we can't engage and contribute to solutions, then we are irrelevant.
We have to work like most companies work so that we can live the same security challenges they face. It makes us better and more credible.

With a new administration coming into place, do you anticipate any changes in technology direction from the feds to state and local?

I think the early signs of President Trump meeting with senior leaders in technology, even before he was inaugurated, signaled a strong intent to cultivate and invest in technology. The key challenges for this administration are the same challenges that past administrations faced: If you want leading-edge technology and thought leadership in cybersecurity, the government acquisition system needs to be realigned. It was designed for the analog age, not the digital age we live in now.

What seems promising is the regulation efforts the administration is talking about. Every regulation you put in — whether it is a policy regulation governing your network or regulations on how and what you can buy — has the risk of creating drag or friction on organizations. Speed and agility are key to business success. Unneeded regulations slow agility, cost money and reduce competitive edge. Regulations impact effectiveness as well. There is a fine but important line between necessary regulations and over-regulation. While regulations can open up markets, they can also shut others down just as fast. They also impact the workforce. Regulations can inspire parts of a staff and demoralize other parts. Take away network administrative privileges from technicians that were recently trained and you may solve one problem (e.g., reduce the number of technicians with access to the network). But you may also be unwittingly creating a morale and service problem with your workforce and customers who expect rapid responses and timely customer service.

What have you carried with you from your many years in the military to the private sector?

I think structure, discipline and leadership.
Each of those was fundamental in making a successful transition. I went from an environment where I had spent 28 years, and I was comfortable with the culture, the processes and the people. I had built a reputation and then I had to start it all over again when I crossed over to industry, where just about everything was new. It was much harder than I expected. The perceptions and labels were vastly different in industry. I think many expected I would come in with a military-like command-directed style. I was too shell-shocked to think along those lines, and frankly that wasn't my style. I had to learn business vernacular, a new technology and a new company culture … all while driving revenue for the company. Finding my place was a challenge, but it was also exciting.

I feel more comfortable in the leadership and development role — building the teams and focusing them on different strategies. I just find in industry there's not as much of a premium on leadership development as in the military. It's more about the bottom line. Businesses are very short-term focused. Leading business analyses prove it is better to develop the people you have than it is to burn them out, let them go, and then bring somebody else in that you hope has good leadership skills. The most important thing with managing people is knowing that they want to know how much you care before they are going to care how much you know. Staff respect you more when you show you care more about them than you do about the quota they are trying to attain. The first approach creates a more loyal staff. That loyalty usually translates into greater effort. Leadership is leadership. Whether you're in the military or industry sector, the same principles hold true that inspire people and make them want to work harder for you.

What would you say to someone who's considering a career in the cybersecurity space as well as the government space? What do you think will help set them up for success?
For cyber professionals, if you want to be in a field of service to others or a community, cyber may be that opportunity. It's an enormous growing field with zero unemployment. The cyber workforce is such an untapped potential for training. The integration of STEM into K-12 can help fuel a passion that carries to college curriculum. Universities that can transform education from traditional textbook and classroom theory to practical application of theory to real-world challenges will go a long way toward increasing interest in cyber-related fields. The potential of the workforce of cybersecurity is untapped in terms of its training, its education, and its development. There's plenty of room for discoveries of new technologies and new ideas that will fuel startup businesses. These innovations will drive a continued need for cybersecurity professionals.

This interview was conducted and provided to FifthDomain by PCM-G. It has been edited for length and relevance.