Washington is full of leaders that promise and pontificate...but don't deliver. Phyllis Schneck, deputy under secretary for cybersecurity for the National Protection and Programs Directorate (NPPD), the chief cybersecurity official for the U.S. Department of Homeland Security (DHS), clearly is not one of them.“She is deliverable-oriented, thoughtful in her delivery and always does the right thing,” says William Pelgrin, CEO at the Center for Internet Security, a nonprofit focused on enhancing cybersecurity readiness that works with DHS on a number of initiatives.
Pelgrin, who has known Schneck for more than a decade, explains that, unlike some leaders, Schneck doesn't set out to “get her way” when it comes to finding and implementing solutions to cybersecurity issues. “She believes it's more important to get it right,” he says, adding that she is particularly adept at presenting “deliverables in a concrete way to improve our cybersecurity position going forward in a new day and age.”
That's a sentiment that Schneck herself echoes. “I'm charged with that vision,” she says. But, it's a task made more difficult because of the duality of her agency's mission. DHS has the Herculean task of looking at both the private and public sectors,” says Pelgrin. Or as Schneck explains, “we work for the government but serve the private sector.”
| OUR EXPERTS:
State of the Union
Michael Kaiser, executive director at the National Cyber Security Alliance
Ed Lowery, special agent in charge of the criminal investigative division in the United States Secret Service.
William Pelgrin, CEO, Center for Internet Security
Phyllis Schneck, deputy under secretary for cybersecurity for the National Protection and Programs Directorate (NPPD), the chief cybersecurity official for the U.S. Department of Homeland Security (DHS)
However, if anyone has the background to straddle the two sectors without sacrificing the service to either, it is Schneck.
She holds a Ph.D. in computer science from Georgia Tech, though her education in computer science started much earlier than that. As she likes to tell it, her father sparked her interest in computer science and stoked her nascent talent when she was just three years old.
And her résumé includes stints in various information science technical positions at numerous organizations, including CSC (Computer Sciences Corporation), IBM Systems Integration Division, NASA Goddard Space Flight Center and the University of Maryland's Department of Meteorology.
Schneck was vice president of corporate strategy for SecureWorks and was founder and chief executive officer of real-time security technology provider Avalon Communications, which was eventually acquired by SecureWorks. She also served as vice president of enterprise services for eCommSecurity, eventually landing at McAfee, where she was chief technology officer for global public sector, responsible for the technical vision for products and service, as well as global threat intelligence, industrial control system security and telecom strategy.
Further, she has worked closely with the FBI, sitting for eight years as chair of the agency's InfraGard program.
But, perhaps more importantly, she knows how to use her extensive and rich experience to get the job done. Schneck draws on her education, intellect and what Pelgrin calls her “uncanny” instinct to drive cybersecurity initiatives.
And that's at least part of the reason that DHS has continued to grow more nimble and quicker to respond.
There's an overall realization “we can't do it alone,” says Pelgrin (right).
When SC Magazine first spoke with Phyllis Schneck, shortly after she left her CTO position at McAfee and joined the Homeland Security team in September 2013, she had already set a few significant goals, lofty but, she believed, doable: Make DHS more nimble and responsive, raise awareness of cybersecurity across the board from government down to the consumer, and stimulate the dialog and collaboration between government and the private sector on everything from sharing threat information to developing innovative solutions.
We caught up with her again this fall, a day after she completed what she calls “a very transitional year in cybersecurity,” one that has been marked not only by changes at DHS but by high-profile breaches at retailers Target, Michaels, eBay and, more recently, Home Depot. As well, cyberespionage campaigns and assaults on government systems from nation-states, the rise of malware, and the takedown of Cryptolocker Gameover Zeus have been top challenges for security personnel.
“My top three priorities are building trust with stakeholders, raising situational awareness and leveraging the cybersecurity framework and fulfilling the President's Executive Order 13636 [to improve critical infrastructure],” Schneck says.
While underscoring that cybersecurity is constantly evolving, Schneck's proponents, including her superiors, are satisfied that her team has made progress toward their goals during her inaugural year.
Over the course of the year, she has brought her “combined experience from the private sector and her work with law enforcement to provide steady, focused leadership to the DHS cybersecurity team,” says Deputy Secretary of Homeland Security Alejandro Mayorkas.
As part of that leadership, Schneck has strived to raise awareness and, as promised, has delivered.
As DHS hosts its 11th annual National Cyber Security Awareness Month in October, much has changed, says Michael Kaiser, executive director at the National Cyber Security Alliance, of the month-long awareness campaign that he refers to as a grassroots effort at its core. “Participation has grown with a lot of people rallying around this month.”
Schneck has also thrown considerable effort behind the agency's “Stop. Think. Connect.” campaign, a national public awareness initiative aimed at helping the public better understand cyberthreats and empowering them to be safer online.
She's also drawn from her background in weather to raise situational awareness, creating a map of sorts that draws security intelligence from a wide variety of sources offering security pros a big picture of various threats. “It's like a weather map with feeds from all different satellites but when you put it altogether you can see a hurricane event,” says Schneck.
One of any cybersecurity expert's big challenges is to cut through both the technical jargon and the misinformation to instill cybersecurity good habits. Presentations in the field often sound like the “wah, wah, wah” of Charlie Brown's teacher to those less technical, says Pelgrin. Calling Schneck “incredibly bright” with an impressive “technical expertise,” he says she possesses the “unique ability” to take the very technical and present it where “everyone understands it. She makes it real and understandable.”
She also has a knack for pulling security proponents together, he notes. Schneck has brought her experience working with the FBI to bear as she forges relationships with law enforcement and encourages the sharing of threat information, increasing the outcomes of the agency's cybersecurity initiatives.
“Phyllis has been a great partner in our mutual efforts to promote the effectiveness of the DHS-wide cybersecurity efforts, which feature highly developed defensive technology, effective threat information-sharing and successful cyberlaw enforcement operations,” says Ed Lowery (left), special agent in charge of the criminal investigative division in the United States Secret Service.
Her efforts have been just as tireless when it comes to encouraging government and private industry to work together. “We need to build trust with stakeholders – public and private,” Schneck says, which is why she spends a lot of time crisscrossing the country – and around the world – meeting with companies to understand what they need from government, what government can get from them and how to build collaborative initiatives and solutions.
Of late, she has zeroed in on small- and midsized businesses (SMBs), which Pelgrin notes, represent the American Dream. Those companies traditionally don't have in-house expertise, he says, so Schneck has sought to get them the assistance they need through a DHS mentoring program.
She encourages SMBs “to invest in [their] safety before the adversary can,” says Schneck. And she sees how government can benefit from them as well. “We want to combine the policy developed on the East Coast with open creativity out West,” she says. A recent trip there met with positive feedback. “They were very surprised at the visit they got from government,” she says. “They said we were informed and friendly.”
It's hard out there for a security pro
Though Schneck has hit milestones in her first year, she and her colleagues at DHS still face challenges. Chief among them: Allaying fears. “People are most hesitant to share information at a time when they need to the most,” she says.
Not that anyone blames them. The constant chatter in the news about breaches has given the public a crash course in risks. But raising awareness requires more than raising the alarm. The misinformation that can swirl around a breach or compromise can send the public running for cover – and DHS must counter that.
“There's reality and there's what the public hears,” says Schneck. “We have to mitigate from many fronts.” That's another reason the cybersecurity guru is keen on awareness initiatives.
And, focused on initiatives to encourage more people to enter the field. Like all security-focused organizations, DHS feels the pinch of a talent shortage. She advocates encouraging college students, especially young women, toward security. “We need to show them it's cool,” she says.
Schneck has faith that DHS can hold its own against business and draw from the existing security talent out there. Although government can't match the salaries of big companies, “I know we can compete with business,” she says.
The cyberchief also takes issue with what she sees as shortcomings in computer science programs at universities. Students need to be taught “basic hygiene,” she contends, such as something as simple as programmers releasing memory no longer being used in a computer. “If you don't tell a computer you are no longer using [that memory], it's available,” says Schneck. And the computer does what you tell it to do, which is something that adversaries could exploit.
In the months and years to come, there will be no shortage of incidents – or initiatives – to keep DHS on its toes and raising awareness. The agency, Schneck says, will focus on building its infrastructure, putting out fires, learning from business and doing resilience reviews.
“Incidents are going to keep happening,” says Schneck. “What we strive for is resilience. To bounce back. Like when you catch a cold, you get better and you're stronger for it.”