Dan Lohrmann currently serves as a Field CISO at Presidio. He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a U.S./UK military facility. Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 – August 2014, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington D.C. to Moscow.
Recently, in an exclusive interview with Digital First Magazine, Dan shared his insights on the evolution of the cybersecurity landscape, the key competencies required to succeed as a CISO, the inspiration behind his latest book, his future plans, pearls of wisdom, and a lot more. The following excerpts are taken from the interview.
According to you, how has cybersecurity changed over the last few years?
First, the scale and impact of cyberattacks continues to shock the world – from the smallest companies and local governments on one side to the largest Fortune 500 companies and G7 countries on the other. Ransomware attacks, online fraud and malware distribution through supply chain vulnerabilities are just a few of the cyberattacks that have led to massive data breaches that continue to grow and cost trillions of dollars a year.
Second, the business transformations that began during the Covid-19 pandemic are still being felt. While the push to do more business in a “Digital First” manner has been a good thing, the bad actors continue to take advantage of the rapid change in organizational processes.
Third, when you add in the war in Ukraine and other growing nation-state cyberthreats, the landscape for cybersecurity expands to virtually every area of life, including social media impacts on society and areas such as “fake news” and GenAI.
In response, I think the cybersecurity industry continues to grow and evolve rapidly, with a surge in new companies and technology interests. Nevertheless, security leaders are striving for simplicity (fewer platforms and tools) in an environment that is becoming more complex with a wider attack surface that extends beyond traditional computers to a vast “Internet of Things” that include critical infrastructure.
What are some of the key components to succeeding as a CISO in today’s business environment?
First and foremost, CISOs must be good leaders who others will follow. Good CISOs know cyber best practices and how to apply those principles successfully in their specific organizational context. For example, how can the NIST Cybersecurity Framework guide our company’s people, process and technology?
At the same time, success as a CISO starts with good relationships with key partners, including internal and external customers that cover 360 degrees (CxOs, management peers, security and tech staff, clients and vendor partners). Of course, excellent relationships take time and effort, and they are hard to maintain in any business. Sadly, many CISOs last only a few years, which makes lasting security culture change difficult. I describe this topic in more detail in this blog.
No doubt, technical competence is important, as well as good communication skills. CISOs must strive to be trusted advisors, not only to other executives, but also to set an example for the enterprise using different channels (such as public speaking, internal newsletters, public blogs, etc.).
CISOs should surround themselves with experts who can help security, technology and the business work together as one team.
Dan, can you tell us about your professional background and areas of interest?
I started my career at the National Security Agency (NSA), and my early professional years were focused on multi-vendor interoperability testing, learning networks and protocols. After finishing my master’s degree in computer science at Johns Hopkins, my family moved to England with Lockheed Martin, working as a network management specialist in the 90s on a US / UK military base. When asked to lead a network team for ManTech, I discovered that I loved management and working with people to achieve more than I could alone.
My family moved back to Michigan in the late 90s, and I took a job as a CIO in Michigan State Government (slight detour from security-specific roles), and I managed 100 staff and 100 contractors – mainly focused on Y2K and day-to-day customer service.
Michigan centralized 20 agencies into one IT department in 2002, and I became the natural choice for the State’s first CISO. We had an incredible team and won tons of awards for our strategies and projects delivered. In 2009, I was promoted to become the State CTO – over all infrastructure, data centers, networks, telecom, etc. (approx. 800 staff, 400 contractors).
In 2011, with a new Governor, I decided I liked security best, and went back to being the State’s CSO – but this time over all cybersecurity and physical security in a combined function. (US DHS / CISA came to us in Michigan to see how we did what we did.)
In 2014, I joined Security Mentor, Inc. as CSO and Chief Strategist – focusing mainly on government clients. I loved speaking / blogging / writing all over the world and being an ambassador for cybersecurity in the security awareness space. During this journey, I have been blessed to write three books and contribute to many others.
Tell us about your role as Field Chief Information Security Officer (CISO) for Public Sector at Presidio.
In November 2021, I joined Presidio, a leading global digital services and solutions provider accelerating business transformation through secured technology modernization.
As the Field CISO for public sector at Presidio, I help public sector clients (and select private sector clients) with their security plans and cyber strategies. I love helping CXOs address operational challenges and build next-generation solutions using proven best practices and relevant government case studies.
I am a frequent speaker at global technology conferences, and I write for Government Technology Magazine and CSO Magazine. I am also an ambassador for cybersecurity, participating in several non-profit groups like NASCIO, StateRAMP, The Center for Digital Government, and InfraGard.
Given your vast years of experience as a CISO leader, what are the main cyber security related challenges that executives face when it comes to embracing new technologies for their business?
I think that executive challenges in cyber security start with having a good understanding of their current business environment and the data that makes them special or unique. Ask these questions: What data do we have? Also, how do we collect and store that data? How do we refresh our data and make sure it is pure, accurate and up to date? What are the laws and privacy policies that affect that data?
Beyond the data itself, what people and process issues impact the data? How is the data used? Is current training relevant and helpful? How can we better utilize that data in our new world of GenAI, data analytics and business transformation?
After grasping these essential answers regarding data, business executives can work with their technology teams to understand backup and redundancy, as well as their CISOs and security teams to properly secure that data – based on business risk. Your security team should be able to provide alternative approaches to ensuring the confidentiality, integrity and availability (CIA) of that data.
One more thing. We all need to be life-long learners. Staying current on cyberthreats and (at least high level) solutions is the responsibility of everyone in the C-Suite and board. At a minimum, ask good questions and measure progress against cybersecurity program objectives.
What was the inspiration behind writing your book, ‘Cyber Mayday & The Day After’. Please brief us about the main takeaways from your book.
My co-author Shamane Tan and I saw several scary ransomware trends growing at the beginning of the global Covid-19 pandemic. Although we were on opposite sides of the world (Shamane lives in Sydney, Australia), we saw how the number of global cyberattacks, costs to organizations and overall impact to businesses and governments from ransomware was devastating and getting much worse.
While there were already some checklists and white paper reports on various things an organization can do to address ransomware, we saw a lack of true stories, through the eyes of CxOs, on what happened when ransomware struck. We saw the need for a comprehensive book that offered best practices on what public and private sector organizations need to be doing before, during and after a ransomware attack or other major cyberattack. Most important, we saw the need for real-life examples and stories from global leaders who have actually implemented these practical solutions – sometimes after previous failure(s). It really covers the good, the bad and the ugly regarding evolving ransomware.
As far as takeaways, there are too many to mention, and readers typically love the real ransomware, and data breach stories the most.
Still, here are three takeaways from chapter one:
- The world will never be immune from Cyberattacks. Solutions require people, process and technology working together. CISO qualities are important. Reporting structure (governance) is vital.
- Cybersecurity is a business risk issue. Not just an IT issue. Supply chain attacks opening eyes. Not if, but when, an incident occurs at your organization. Damaging downstream consequences. How the organization reacts, responds, and learns from cyber incidents is very much a reflection of the organization’s values and capability.
- Act and adjust with resilience when cyber situation evolves. Prepare, practice (with cyber tabletop exercises), know your roles and act – follow the plan. Also, remain resilient as circumstances change. Be ready to adapt to new situations / scenarios.
What does working in cybersecurity mean on a practical level, and what kinds of skills/personality traits are an asset in the field?
Just as running a hospital requires many different roles and skillsets, working in cybersecurity can take on many different forms. Of course, we need hands-on technical experts in computers that can address topics like system administration (controlling access to devices), identity management (like passwords and multi-factor authentication) and accessing databases. We also need “hackers” who can break the norm and try new things easily. Cyber roles often require security certifications from companies like Microsoft and Cisco and/or professional degrees from universities in technical areas like computer science or engineering, but some cybersecurity pros are self-starters who taught themselves how to hack.
We also need people who can communicate well with the public and clients, provide a liaison role with business areas on new projects, and we also need good writers. As we enter the age of AI, some of these roles will certainly evolve. Nevertheless, we will always need good leaders who inspire and maintain the trust of business executives and who can build lasting personal relationships and company partnerships.
As far as personality traits go, I have seen all Myers-Briggs personality types in cybersecurity over the years. Still, being inquisitive, a lifelong learner, technically astute and friendly always helps. I wrote a more detailed article on this topic a few years ago, and you can read that here.
In your academic or work career, were there any mentors who have helped you grow along the way? What’s the best piece of advice you have ever received?
I’ve been blessed with several great mentors in my career. Pete Blodgett when I was in England working for ManTech in the 1990s. Rose Wilson, George Boersma and Teri Takai were government executives who mentored me while in Michigan State Government over 17 years, during roles as an agency CIO, enterprise CISO and enterprise CTO.
And while there are other good career tips that I’ve been given over the years, the words that impacted me the most came from my father in the 1980s. He was the one who challenged me early in my career to get my master’s degree in computer science (when I was sick of going to classes); to live my life with a well-informed and clear conscience, which flows from personal integrity; to be ready for the hard times, which will surely come; to strive to really understand the expectations of my boss/management at work, and to do what I can to exceed those expectations; to understand the power of delayed gratification; to dream big; to take risks; and even to be open to a move overseas.
But his best, most memorable (and most impactful) advice came from my father’s last words to me a few days before he died of cancer:
“My life seems like one long day. This morning I was just a boy playing baseball. At noon, I started my career, traveled the world and married your mother. This afternoon I raised seven children, earned my PhD in psychology and counseled families at our church. This evening I watched my grandchildren grow. And now, it is almost midnight, and I’ll meet my maker.”
Where’s the advice in that? Plan your career with the end in mind.
Where would you like to be in the next 5 years?
I love my current role with Presidio – advising and helping CISOs, CXOs and other clients with cybersecurity strategies. Through my books, articles, blogs, webcasts, keynote speaking and social media, I want to continue to offer engaging content that is relevant, impactful and transformative. I also want to continue to mentor others in cybersecurity and technology.
Cybersecurity is becoming more specialized, so I may pick one particular area and try and dive in deeper where and when it makes sense.
Which technology are you investing in now to prepare for the future?
I see the cybersecurity (and other tech) industries going through major changes as a result of GenAI, quantum computing, self-driving vehicles and more. This is an exciting time, and I hope to pick an area of this change and dive in deeper over the next few years.
I am currently learning more about GenAI, and I am focusing on what it means for government enterprises regarding data and cybersecurity.
What advice would you offer others looking to build their career in cybersecurity?
Be a leader by moving beyond your position description. You can do that by following these tips:
First and foremost, understand that “the box” placed around your position is a good thing which must be respected. Always complete your stated duties and objectives and be sure to meet or exceed these basic expectations. This is your first priority. Note: Staff not completing their basic tasks are often seen as lazy and not respected.
Second, volunteer for key committees or important ad hoc teams. This may be a “Tiger Team” for some essential executive sponsored project. On the other hand, you may just become the organizer for the office Christmas party. Strive to lead, deliver and exceed expectations in these roles.
Third, generate good ideas. Look for organizational needs that aren’t being met. Think ahead to upcoming challenges and technologies. Discuss these problems and potential low-cost solutions with your management. Don’t be a complainer, but ask to be put in charge of implementing the fix. If you are thinking, “I tried that once, but no one listened,” try again. Repackage your ideas with a different approach. Perhaps it was the wrong time for your solution.
Fourth, find out how you can help make your boss’s boss become successful. What are his/her priorities? Discuss opportunities to work those projects with your supervisor. But also think beyond your own organization.
Fifth, what industry-wide opportunities can help? Can your government or company partner with others to provide a better service at a lower cost? Talk to others that you respect if you are unsure on ideas. What external industry groups will add value? Get involved or even lead these groups. Build cross-boundary partnerships. Think medium or long-term about possibilities but stay pragmatic and look for tangible results.
Sixth, explore what security skills or functions will be needed in the future in your office. What is lacking now? Obtain those skills, or offer to provide training and mentor others if you already have those skills. Be known as the “go to” person in the office for specific answers. Start a blog or wiki. Don’t hoard knowledge, but freely give it away. This will build trust and respect all around.
I discuss these ideas in more detail here. But finally, find a good mentor who is ahead of you in your professional journey and listen and act on their advice.