Secret CSO: Dan Lohrmann, Presidio

What is the worst current trend in cybersecurity? “Ransomware is eating us alive. Bad actors are still too far ahead.”

Headshot of Dan Lohrmann, Field CISO at Presidio
Presidio

Name: Dan Lohrmann

Organisation: Presidio

Job title: Field CISO

Date started current role: November 2021

Location: Michigan, USA

Prior to joining Presidio, Dan Lohrmann held CISO roles at Security Mentor and the state of Michigan and started his career at organisations including NSA and Lockheed Martin. He has more than 30 years of experience in the computer industry and has served global organisations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader. Lohrmann co-authored Cyber Mayday and the Day After: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions, which will be published this month by Wiley.

What was your first job? Besides being a York Steak House cook at 16 and working at a YMCA sports camp through college, my first professional job was as a Computer Systems Analyst at the National Security Agency (NSA).  

How did you get involved in cybersecurity? I’ve always loved computers, and my NSA training provided the perfect baseline experience. In 2002, when Michigan State Government was re-organising and centralising IT, I helped create the enterprise-wide CISO role after the attacks of 9/11/01. I was also selected as the state first CISO and the first CISO for any US state government (covering the entire state.)      

What was your education? Do you hold any certifications? What are they? B.S in Computer Science from Valparaiso University. M.S. in Computer Science from Johns Hopkins University.

Certifications: C|CISO (from EC Council.)

Explain your career path. Did you take any detours? If so, discuss. My early years were mostly focused on multi-vendor interoperability testing, learning networks and protocols, and hands-on (Cisco-certified) network management roles working within 3-letter agencies. When asked to lead a network team for ManTech in England, I discovered that I loved management and working with people to achieve more than I could alone.

My family moved back to Michigan in the late 90s, and I took a job as a CIO in Michigan State Government (slight detour from security-specific role), and I managed 100 staff and 100 contractors – mainly focused on Y2K and day-to-day customer service. 

As mentioned above, Michigan centralised 20 agencies into one IT department in 2002, and I became the natural choice for the State’s first CISO. We had an incredible team and won tons of awards for our strategies and projects delivered.

In 2009, I was promoted to become the State CTO – over all infrastructure, data centers, networks, telecom, etc (approx. 800 staff, 400 contractors).  

In 2011, with a new Governor, I decided I liked security best, and went back to being the State’s CSO – but this time over all cybersecurity and physical security in a combined function. (US DHS / CISA came to us in Michigan to see how we did what we did.)

In 2014, I joined Security Mentor, Inc. as CSO and Chief Strategist – focusing mainly on government clients. I loved speaking / blogging / writing all over the world and being an ambassador for cybersecurity in the end user security awareness space.

In November 2021, I joined Presidio as a Field CISO – helping primarily public sector clients with their security plans and strategy.    

Was there anyone who has inspired or mentored you in your career? Several – my oldest brother Steve talked me into going into computers.

My father talked me into getting a master’s degree.

Pete Blodgett gave me a chance to be a manager over 20 – growing to 40 staff at ManTech in England. Several bosses at the State of Michigan took me under their wings. Three that come to mind include:  Rose Wilson, George Boersma and Teri Takai.

What do you feel is the most important aspect of your job? As an advisory CISO, listening to the needs of clients and offering pragmatic and helpful options. I also love to write and speak at conferences, so staying current (by reading a lot) is a must.

What metrics or KPIs do you use to measure security effectiveness? I believe the best measurements for CISOs are based on quality relationships (360 degrees) and meeting their specific business needs. For a full explanation on this, see: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/evaluating-technology-and-security-leaders.html

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes - all cyber roles are in great demand currently. To name a few: threat hunting, security analyst and specialists with experience in SOCs (including monitoring and security management tools), database and cloud security architects, and cyber specialists with experience doing penetration tests. Other areas which are hot include professionals with experience in ID management, endpoint security and AI.   

Cybersecurity is constantly changing – how do you keep learning? Read (and blog) a ton. Interact with other pros at conferences, on LinkedIn and withing teams internal to the company. Stay active industry groups, including InfraGard, ISSA and others.  One tip: I read a lot of prediction reports every year from the top cybersecurity companies, and I catalogue them (and give annual awards) in this annual blog: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-top-22-security-predictions-for-2022

What conferences are on your must-attend list? It’s tough during Covid. But the RSA Conference is always at the top. I also attend NASCIO conferences for public sector relationships as well as regional SecureWorld Expo events and FutureCon events – where I typically speak. 

What is the best current trend in cybersecurity? The worst? Best trend – more women in leadership and more women getting into the field.

Worst trend – ransomware is eating us alive. Bad actors are still too far ahead.

What's the best career advice you ever received? From my father – just days before he died from cancer: “Plan your career with the end in mind.”

Just before this, my father said: ““My life seems like one long day. This morning I was just a boy playing baseball. At noon, I started my career, travelled the world, and married your mother. This afternoon I raised seven children, earned my PHD in psychology and counselled families at our church.  This evening I watched my grandchildren grow. And now, it is almost midnight, and I’ll meet my maker.”

I wrote an article on this once. Here it is with more details:  https://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-best-career-advice-052113.html

What advice would you give to aspiring security leaders? I love the quote: “I skate to where the puck is going to be, not where it has been” by Wayne Gretzky.

In cyber terms, this means to try to become a trusted advisor in some segment of the future hot areas of cybersecurity – such as AI, robotics, IoT or some other specialised area that is growing fast. As with doctors, cyber is quickly becoming very specialised and segmented, so it will be hard to be an expert in any one aspect – IMHO.  

Also, focus on relationships. Get to “yes,” with options that enable the business rather than shutting down the business. See: https://securityweekly.com/shows/ciso-business-enablement-getting-to-yes-as-a-ciso-dan-lohrmann-csp-23/   

What has been your greatest career achievement? Building the security and technology teams we did in Michigan Government from 2002-2014. In 2008, I was named CSO of the Year by SC Magazine, Public Official of the Year by Governing Magazine and I published my first book – Virtual Integrity. But all of those recognitions happened because of the amazing team that enabled me to be their ambassador.  More than a dozen of those cyber experts are now leading security teams all over the globe. 

Looking back with 20:20 hindsight, what would you have done differently? Saying “NO” to Teri Takai (Michigan CIO at the time) in 2004 on a wifi project….

Back in 2004 when I was the CISO in Michigan government, I was firmly against Wi-Fi. Why? It was not secure, in my view.

I had plenty of wardriving stories, scary magazine breach headlines and an abundance of Washington DC three-letter agency white papers to back up my ‘Wi-Fi is a bad idea’ arguments.

Until one day, I almost got fired when I insisted that we could not put Wi-Fi in our government conference rooms. I said, “We just can’t do it. Not secure. Bad idea. I’m vetoing the project!”

My boss, and state CIO at the time, was Teri Takai. Teri later went on to become the CIO in California Government and at the Department of Defense. Teri said, “Dan, if that’s your answer, you can’t be the CISO in Michigan.”

Teri went on, “I’ve been to Dow, Ford, Chrysler and GM, and they all have Wi-Fi in their conference rooms. So you need to figure out what they know that you don’t know and then come back and tell me how we’re going to implement Wi-Fi securely. And I’m giving you one week.”

That meeting started a transformation in my security career. I began to rethink my role, my team’s mission and how we were being perceived. I refocused my tactical and strategic initiatives to become an enabler of innovation – with the ‘right’ level of security. We went on to win awards for secure Wi-Fi deployments in government a few years later.

And there was larger lesson for me from this experience. I now constantly ask myself: Am I bringing the organisation problems or workable solutions? Am I getting to yes?

What is your favourite quote? "The farther backward you can look, the farther forward you are likely to see." SIR WINSTON CHURCHILL

What are you reading now? Security predictions for 2022 – all across the online world.

In my spare time, I like to… Go to church. Watch and play sports.

Most people don't know that I… I spoke on cybersecurity at an IDC Security roadshow in Moscow in 2010 – with the blessing of the FBI. I wrote about my experience here: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/redefining-enemies-21st-century.html

Ask me to do anything but… Cheer for the University of Michigan (U of M) when they are playing Michigan State University (MSU) in college football. Go Spartans!