CTO Sessions: Craig Harber, Fidelis Cybersecurity

Name: Craig Harber

Company: Fidelis Cybersecurity

Job title: CTO

Date started current role: March 1, 2019

Location: Bethesda, MD

Craig Harber joined Fidelis Cybersecurity as Chief Technology Officer in 2019 following a distinguished career at the US National Security Agency (NSA), and most recently USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance, having far-reaching strategic impact across the Department of Defense (DOD) and Intelligence Community (IC).

What was your first job? I started working at the National Security Agency (NSA), a national-level intelligence agency in the US, in the late 1980s. My first job was working in the Secure Telephone Unit Third Generation (STU-III) as a project engineer. The STU-II was the first full-duplex echo cancelling modem operating at 2400 bps. Nearly 500,000 devices were deployed to support strategic and tactical communications.

Did you always want to work in IT? I have always worked in cybersecurity. Approximately 15 years ago, I led an effort to define the Information Assurance Architecture for the Global Information Grid (GIG), which effectively was the entire Department of Defense (DOD) enterprise.

What was your education? Do you hold any certifications? What are they? I graduated from Pennsylvania State University with a Bachelor of Science (BSc) in Electrical Engineering.

Explain your career path. Did you take any detours? If so, discuss. I have spent my entire 33-year career working at the NSA. During my last year, I was forward deployed to USCYBERCOM, or the United States Cyber Command. This unifies the direction of cyberspace operations, strengthens DOD cyberspace capabilities, as well as integrating and bolstering DOD's cyber expertise.

What type of CTO are you? The CTO role is a new one for me, so I guess I would say 'CTO in training'! However, I believe I can provide a perspective on how the DOD/IC build secure systems. I also have a good understanding of adversary behavior and how best to build solutions, given my leadership positions at the NSA on Active Cyber Defense and as the NSA lead to the NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR), now known as DODCAR.

Which emerging technology are you most excited about the prospect of? I believe the cyber threat frameworks (e.g., DoDCAR, GovCAR, Mitre ATT&CK) provide a basis to streamline the security stack, which will consequently improve the effectiveness of threat detection/response/hunting teams who are fatigued by alerts. Improvements start with continuous real-time visibility of assets (cyber terrain), which our Fidelis Elevate platform inherently provides through our deception technology efforts. Integrating our understanding of the cyber terrain and adversary behaviour (cyber threat framework) provides a real opportunity to finally get ahead of the adversary. It will allow for automated cyber playbooks to be executed in a predictive, proactive manner.

The addition of deception technology is a game-changer in the sense that it allows cyber defenders to significantly increase the cost and complexity to the adversary. The rich metadata generated by our platform is a treasure trove to be harvested by data scientists, who can identify complex relationships to expose previously unseen adversary tactics and techniques. So, it's not just one emerging technology that excites me, it is a framework that can drive our development and deployment strategies to better defend our customer environments.

Are there any technologies which you think are overhyped? Why? I believe data science is extremely important going forward, but I think Artificial Intelligence (AI) is a technology that is somewhat overhyped today. This is because for many people, there is a lack of understanding of the differences between data science, machine-learning, and Artificial Intelligence.

Data science is the extraction of relevant insights from data. It uses techniques from many fields like mathematics, machine learning, computer programming, statistical modeling, data engineering and visualisation, pattern recognition and learning, uncertainty modeling, data warehousing, and cloud computing.

Machine learning is the ability of a computer system to learn from the environment and improve itself from experience without the need for any explicit programming. Machine learning focuses on enabling algorithms to learn from the data provided, gather insights and make predictions on previously unanalysed data using the information gathered.

Artificial Intelligence refers to the simulation of a human brain function by machines. This is achieved by creating an artificial neural network that can show human intelligence. The primary human functions that an AI machine performs include logical reasoning, learning and self-correction.

From my perspective, data science combines machine learning with other disciplines like big data analytics and cloud computing. It is a practical application of machine learning with a complete focus on solving real-world problems including cyber security.

What is one unique initiative that you've employed over the last 12 months that you're really proud of? The NSA's lead to the NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR), now known as DODCAR. It provided DOD policymakers a framework to objectively measure the expected value of cybersecurity investments.

Are you leading a digital transformation? If so, does it emphasise customer experience and revenue growth or operational efficiency? If both, how do you balance the two? In my role, I am advocating for our customers to streamline their security stacks to be more cost-effective, integrated, automated, and deliver real-time defensive capabilities. It first begins with defining an overall strategy that includes continuous end-to-end visibility, threat-driven analysis, and knowledge-driven operations.

What is the biggest issue that you're helping customers with at the moment? One of the biggest issues I'm helping our customers with is rethinking their current investment strategies to streamline their security stacks and optimise coverage against the cyber threat framework. I believe this is critical because there is a lot of noise in the market from so many security vendors who all claim to provide the same capabilities - when in fact, the strengths of these features are very different. To that end, I am helping customers to fully understand the breadth and depth of the Fidelis solution. We have customers using our technology for different reasons, but perhaps they're not leveraging the full set of capabilities, and maybe some of these capabilities overlap with other point products that could be removed from the stack.

How do you align your technology use to meet business goals? A key challenge for customers is to maximise the efficiency and effectiveness of any solution deployed within their cybersecurity budget. Where possible, streamlining the security stack to include integration and automation is critical, given the shortage of skilled resources to operate these tools. In some cases, it may make more sense to outsource the requirement to a managed detection and response provider such as Fidelis.

Do you have any trouble matching product/service strategy with tech strategy? I believe there needs to be a framework to support the decision-making process. The cyber threat framework developed under the NSCSAR (now DODCAR) is the framework that should be used by cybersecurity professionals.

What makes an effective tech strategy? An effective technology strategy is one that fully considers the users and operators of the system. All too often, solutions are engineered that require highly-skilled operators - and these are not always available to customers.

What predictions do you have for the role of the CTO in the future? As security infrastructures become increasingly streamlined, threat driven, and automated, I believe CTOs will gain back the power to properly leverage their expertise and focus on proactively and creatively protecting their companies from evolving threats.

What has been your greatest career achievement? My greatest career achievement is providing the Department of Defense and Intelligence Community with defined investment strategies, which improve the security and cyber resiliency of national warfighting and intelligence platforms. This resulted in multi-billion dollar increases of new investments.

Looking back with 20:20 hindsight, what would you have done differently? Nothing at all. Overall, I am happy with the choices that I have made. It was most important for me to create a good work-life balance that enabled me to coach my son's baseball and soccer teams from the time he was age six until high school, and I achieved that.

Professionally, over the course of my career I delivered security products to include more than one million secure, wired and wireless communication devices that supported warfighting and intelligence operations around the globe. Without these, many more of our men and women would have lost their lives.

What are you reading now? When I am relaxing, I enjoy reading James Patterson, especially ones with Alex Cross as the main character. I am currently waiting for his next book to be released.

Most people don't know that I… Plan to spend my retirement as a landscaper. One of my favorite things to do when I am not working is taking care of the garden. Unfortunately, mine was never big enough, so I found myself providing landscape projects to my neighbours for free.

In my spare time, I like to… Play golf, ride bikes and work out at the gym.

Ask me to do anything but… Paint.

