Secret CSO: Bill Lawrence, SecurityGate

What has been your greatest career achievement? “… persuading over 10,000 electricity security professionals across North America to put their company’s defences through hell, all for the sake of keeping the lights on, and sharing back what they learned.”

IDGConnect_secretcso_suppliedart_billlawrencesecuritygate_1200x800
SecurityGate

Name: Bill Lawrence

Organisation: SecurityGate

Job title: CISO

Date started current role: May 2021

Location: Houston, TX

Bill Lawrence is the Chief Information Security Officer at SecurityGate. Among other responsibilities, he leads the security operations and IT management teams, as well as oversees vulnerability management and incident response program activities. Previously, at the North American Electric Reliability Corporation, Lawrence held several senior leadership roles, including vice president and chief security officer, where he was responsible for the oversight of the Electricity Information Sharing and Analysis Center (E-ISAC). Lawrence had a distinguished career in the U.S. Navy where he served as a pilot of F-14B Tomcats and F/A-18F Super Hornets, flying off of carriers on three deployments to the Mediterranean and Persian Gulf. In 2012, after over 20 years of faithful service, Commander Lawrence honourably retired from the U.S. Navy. His awards include a Meritorious Service Medal, four Air Medals, three Navy Commendation Medals, and various unit and campaign awards.

What was your first job? My first job was as a ticket-taker at a movie theatre. There were probably six or eight screens and only one booth to sell tickets. I went to bed selling tickets in my head the first night on the job.

How did you get involved in cybersecurity? I had a very Sci-Fi upbringing and was fascinated by computers and technology. My parents bought us Commodore PETs (cassette tapes!) and an Apple IIe (color graphics!), so when the time came to go to college, I was set up well for computer science (aka gaming).

What was your education? Do you hold any certifications? What are they? Despite the drain that Wing Commander and SNN 688 had on my classwork, I got a BS in computer science from the U.S. Naval Academy. I’ve had a Project Management Professional cert and several SANS Institute cyber certs along the way, as well as a CISSP. Also in the Navy, I earned a master’s degree in International Relations from Auburn Montgomery, and a master’s degree in Military Operational Art and Science from the Air Command and Staff College.

Explain your career path. Did you take any detours? If so, discuss. For the next couple of decades after I graduated from Navy, I was focused on critical infrastructure destruction, primarily as an F-14 Tomcat pilot flying off of aircraft carriers. There were a great many collateral jobs that dealt with technology, and a couple of hand-built desktops that made a cruise or two with me, but it was on my last assignment (back at USNA) where I had a chance to teach cyber security as part of the new program there. Then I retired from the Navy, and with a PMP and cyber skills, went to the North American Electric Reliability Corporation for eight years, running big programs like the annual GridSecCon security conference and GridEx – a very large, continent-wide cyber and physical exercise. Now I’m at SecurityGate.io as the CISO. I was very drawn here due to the focus on risk assessments for ICS and SCADA environments, as well as a multi-sector approach.

Was there anyone who has inspired or mentored you in your career? There is a gentleman named Stuart Brindley who has a deep understanding of grid operations, public-private partnerships, and how the grid should be structured for resiliency in the face of extreme conditions or cyber/physical attacks. He did his best to help this fighter jock figure out what was important in grid security and how to gain trust from the electric utilities that had trepidation over anything NERC might do. He’s a great mentor and friend.

What do you feel is the most important aspect of your job? Standing back and letting the security team run with challenges. Dialogue from everyone is important, and if I can add some nuance from interactions at the executive level to help shape the strategy, I’ll do so.

What metrics or KPIs do you use to measure security effectiveness? Incident numbers need to be driven down, of course. With our team size, it is important to drive automation in terms of alerts and remediations.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We are a small but potent security operations team and had to make some sacrifices along the way. Right now we’re sized right even though we handle many more things than just security. Our company is hiring though! The DevOps team is looking for full-stack developers. Lots of great work with really exciting customers.

Cybersecurity is constantly changing – how do you keep learning? There are webinars and presentations to keep up the CPEs for the certs, but really there is almost a daily unfolding of calamity in the cyber wars going on. Every major breach or attack has lessons for us all. Usually, they start with doing a robust risk assessment, but also interactions between organisations and their attackers that bring nation-states into the mix.

What conferences are on your must-attend list? Since I ran a large one in the electricity sector with GridSecCon, I hadn’t been to many over the years. I had a very enjoyable time at my first HouSecCon here in Houston – great speakers and it was nice to be in a full-up conference environment. And SecurityGate.io has been invited to the S4x22 conference in Miami this January, which I’ve never been to either, but is focused like a laser on that ICS/SCADA defence we share.

What is the best current trend in cybersecurity? The worst? The best trend in cyber security is the uptake in two-factor or multi-factor authentication where the right controls can make an adversary’s day much more difficult. The worst is government agencies dropping mangled cyber security requirements and penalties with incredibly short fuses and no chance for industry to constructively comment on them. I’m looking at you, TSA and your Pipeline Security Directives.

What's the best career advice you ever received? “Take care of your people. First.” Fighter pilots get all the glory, but we can’t get airborne without the fantastic team who makes sure the jets are up and ready, safe and secure. Knowing who each of those team members are means talking with them, and listening mostly. It takes time and effort, but then you can help make changes that can positively influence lives, and things get better for everyone involved.

What advice would you give to aspiring security leaders? Get technically smart enough to hold you own in discussions of security, but you’ll have to step back from the keyboard (pry it out of my cold, dead hands!) sometimes to lead your people and see the big picture. It is great to find work in a job where there are so many technical requirements, but if you aspire to be a leader in security, it is often more about what you can do for the people around you than what you can do with that keyboard.

What has been your greatest career achievement? In the “real world” – carrier landings in a jet fighter at night and in bad weather. In “cyber space” – persuading over 10,000 electricity security professionals across North America to put their company’s defences through hell, all for the sake of keeping the lights on, and sharing back what they learned.

Looking back with 20:20 hindsight, what would you have done differently? I’m loving where I am in my life with my family and my career, so any little change “back then” would have had a bad “Quantum Leap”-like effect and who knows where I’d be. Maybe take more pictures along the way?

What is your favourite quote? “Do or do not. There is no try.”

What are you reading now? Finite and Infinite Games by James P. Carse (re-read). Simon Sinek has an interview with the late author that made me want to pick it up again. It is pretty wild how the logic is laid out.

In my spare time, I like to… Get my analog life into a digital format. Pictures, VHS tapes…

Most people don't know that I… Have my picture on an action figure box.

Ask me to do anything but… Underwater caving. Nope.