Dan Lohrmann, Chief Strategist & Chief Security Officer at Security Mentor, Inc., shared his perspective on cybersecurity and discussed his contributions to the IT security industry
Dan Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author. He has been named CSO of the Year by SC Magazine, Public Official of the Year by Governing Magazine and a Computerworld Premier 100 IT Leader.
Lohrmann became the Chief Security Officer and Chief Strategist for Security Mentor Inc. in August 2014. Prior to this role, he led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin and for four years as a technical director for ManTech International.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow. He holds a master’s degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor’s degree in CS from Valparaiso University in Indiana.
Sajid Khan: Dan, thank you very much for taking the time out of your busy schedule for this interview. Can you please begin by sharing your perspective on the role of Chief Strategist & CSO at the Security Mentor, Inc.?
Dan Lohrmann: Thank you, Sajid, for the very kind invitation to be interviewed for your MicroAgility blog. I love my job at Security Mentor and at the same time wear many hats.
My role starts with my passion for cyber awareness for everyone in society, since technology has become an ongoing imperative touching every area of our lives. Security Mentor truly excels at providing training for everyone from small governments to global private sector enterprises in many forms.
We offer engaging, computer-based end user security awareness training that changes your business culture for the better, using a mix of interactive content and gamification or game-based learning that is “sticky” and memorable and works. We pioneered a model called brief, frequent and focused security awareness training, which changes the paradigm away from the traditional once-a-year, 1–2 hour “death by PowerPoint” presentations to ten-minute lessons offered monthly on a single topic.
I am the primary evangelist for our company – typically speaking at about twenty public events a year around the US and the world on a variety of technology and security topics, from cloud computing to mobile computing to Internet of Things (IoT) developments. I also lead security awareness consulting efforts within governments and private sector companies to bring together different training channels for the best results in each situation. I meet with executives and security staff to enable the best possible mix of live and online training.
In my thought-leadership role, I work with our development teams to build up-to-date cyber training content for new and existing online materials. I also blog and write articles for a range of media providers from Government Technology Magazine to CSO Magazine to mainstream media outlets like the Wall Street Journal (WSJ).
Finally, I manage our public sector business development efforts, coordinating actions with CIOs and CISOs all over the US in federal, state and local governments. This role enables me to be active in boards for Michigan InfraGard, university cybersecurity advisory boards, NASCIO’s Corporate Leadership Council and several other groups.
SK: What have been some of the biggest challenges faced by Computer & Network security organizations during the last couple of years?
Dan: There have been many challenges. Attracting and retaining talent must be the #1 challenge for organizations. That issue is well-documented.
Second, keeping up with technology changes and fighting yesterday’s battles. I don’t think our organizations are very good at learning from history – and we keep repeating the same mistakes.
Third, I would say balancing innovation and a “can do” attitude with cybersecurity initiatives that are often seen as disablers to the enterprise. We need security to be an enabler, but this is hard and takes tact and experience and an understanding of the business goals. For example, how do we get security right for smart cities?
SK: How effective is Security Mentor in innovation and where do you see your company by the year 2020?
Dan: I think we are very innovative. As I mentioned earlier, we brought gamification to the end user security awareness training market. We also brought the “brief, frequent, focused” training concept to the industry – which is still a big leap for many, but is catching on fast.
They say that imitation is the best form of flattery, and other companies are starting to do what we’ve been doing for a while. (Some even fought us on these best practice concepts, but now are implementing them.)
We added new topics that are emerging, such as the Internet of Things and insider threats, which we are providing training on. Also, integrating phishing simulation and other tools into the training experience is the new normal to measure impact and success.
Moving forward, I see us adding even more targeted training for different roles, integrating more contests, more gamification and more topics as the industry evolves and grows.
SK: What trends do you see ending their life cycle, what are some trends that you see for the future, for your industry?
Dan: Where to begin? There is a lot happening now, and cybersecurity architectures and training methods are changing fast! As we head towards autonomous vehicles, robots, more drones, smart cities and smart everything, etc., we will see new challenges in every area of life.
IoT was the #1 topic at BlackHat and the RSA Conference in 2017, and Bruce Schneier says we are seeing the “endless broadening of security into every area of life.”
I agree. And this will impact security training. Global hacking is growing in many forms for a wide variety of reasons, and people need to know how to protect themselves in cyberspace. I see this trend growing because the people side of security isn’t going to end. One specific trend: we will see more bug bounties with associated activities.
SK: Would you like to share some of your key initiatives for the awareness of cybersecurity programs?
Dan: Gamification and game-based learning will be expanded in many new ways. Think about how we compete with friends and family members in counting steps on your Fitbit watch or other wearable device. Competitions are huge in the personal health and hygiene areas, and they are also growing in the end user security awareness training areas.
Also, look for more measurements, value-based actions for enterprises that want to ensure that messages are hitting home and changing security behaviors both offline and online. Ultimately, we want to be changing cultures to help build more cyber-savvy employees in different circumstances at home and work. There are some exciting new ways to do this, so watch this space for some new announcements.
SK: What has been your greatest achievement in your career thus far?
Dan: Back on September 11, 2001, I was directing an eMichigan team on rolling out the first Michigan.gov portal for Governor John Engler. That sad day brought about the realization of the importance of security both offline and online for our nation and the world.
I was able to articulate a new vision for cybersecurity for Michigan government and laid out a multi-year plan to centralize information security into one government office. I became the first enterprise-wide CISO in Michigan in May 2002, which was also the first of a kind in the nation.
We built a great team that accomplished many things, won tons of awards and led the nation in state and local government cybersecurity efforts for more than a decade. That was a rock-star team that included more than a dozen people who are cybersecurity leaders all over the world now.
In 2011, we centralized further and combined physical and cybersecurity. My top achievement was building that great team. I left in August 2014, but the initiatives are still going strong.
SK: What advice would you offer to our readers who aspire to follow in your footsteps?
Dan: I have been blessed to have great professional mentors in my life who guided and directed my career journey. Find a good mentor (or two) whom you respect and trust, and follow through on their recommendations. Here’s a bit more detail on that topic.
SK: Is there anything else you would like to share with other fellow C-level executives?
Dan: I don’t think there has ever been a better time for technology and cybersecurity professionals to make an impact in our world than right now. I am very thankful to God for the opportunities that I have had so far in my career, and I still believe the best is yet to come!