The Home of the Security Bloggers Network
Introduce yourself and tell us what you do for your day job.
My name is Dr. Joseph J. Burt-Miller Jr. I currently serve as Assistant Project Manager at the Department of Homeland Security. One of my main duties is to handle the risk management piece for projects so interacting with contractors and with our risk owners, ensuring that our risks are being tracked and mitigated. Anything that needs immediate attention I bring to my leadership, my project manager and program manager, etc. Also to ensure that my project manager can do what he needs to do, I take on the extra responsibilities concerning the project. I can try and keep the fires down so they can keep going.
I was looking at your LinkedIn, you have a very interesting career history. You spent most of it with the US Government. You started as an Air Force SCADA engineer, what is that?
It’s pretty much a fancy way of describing my time doing HVAC, which I did when I was in the Air Force, where I served for four years. After I left, I started working at the Veterans Affairs hospital in New Jersey. That was really my first introduction to the OT side of things, seeing the OT and the IT mixed together.
I had my Bachelors in computer information systems. I wasn’t yet aware of all the different concepts but I did a lot of work with controls. One of the systems we used was called Delta and it was a control system we used to track temperatures for the different refrigerator units we had throughout the VA hospital. We would use that data to ensure certain medicines stayed within the necessary temperature ranges to keep them viable.
Now that I look back, I was doing SCADA work before I knew what it was. It was interesting and fun, and definitely a great skill with regards to HVAC. It helped me when I made the transition to IT, so it’s an experience I’m grateful to have.
Very cool. That’s got to be a lot of microcontrollers running all those sensors and systems. Your resume also mentions that you have some expertise in biometric identity management. What does that involve?
Biometrics involves iris scanning, fingerprints, voice recognition. My responsibility was to serve as a portfolio manager as we were working with different government agencies, regarding their biometric solutions for their own units. A great example is the work I did with FEMA addressing what biometric solutions they needed. They fell under my portfolio, to reach out regarding their POCs, creating and cultivating those relationships and determining how DHS can meet those needs to complete their mission. Another example is CBP, the border patrol needs a solution when they’re trying to track fingerprints or facial scans at the border. When they send the scans we’re able to intake and run it, see if there is a match with a history or active warrants. It’s necessary to keep the turnaround time short and get that data back to the agents in the field as they have someone directly in front of them and need that information quickly. That’s how we can best make sure we’re supporting them in their mission.
After this long and varied career in cybersecurity, when you look around, where would you say we're still stuck? What needs to change?
When I look through LinkedIn, I would say the common theme is that entry-level needs to be entry-level. I have mentees I meet with regularly and give them advice, making plans to achieve the goals they set up. One mentee, she’s struggling. She finished school and is now applying for jobs. They told her she didn’t have enough experience for one job that she applied for. They wanted someone with experience, but the job she was applying for was entry-level. I understand the mentality that they want people who are coming in to be ready, but I’m not 100% with that because you can’t overlook soft skills. Of course, hard skills are important, but someone may not have the exact experience yet. However, that shouldn't be overlooked if they are determined, willing to learn, and coachable. Those are still great qualities for someone to have. Sometimes you’ll encounter someone who is very knowledgeable and knows their stuff but is difficult to be around because they’re complete jerks. It doesn’t foster a healthy working environment.
It’s very common in this industry, although I think things are changing. You can be amazing at what you do, but having a bad attitude or unchecked ego is not beneficial for the group or the mission.
As a whole, it brings down morale because someone who has that knowledge might be in a position where they could mentor someone and strengthen the next generation of cybersecurity experts, but when you have that sort of attitude of ‘I know everything get away from me’ it makes it hard to work together. It also damages someone’s growth because they might feel apprehensive about asking questions or speaking up. It should be okay to make mistakes; everyone does. The key is to learn from them and not keep making the same ones. At the same time, you should be free to have that environment because that's how we grow.
Looking out at the private sector from inside the Department of Defense you must see that there are a lot of interesting companies doing innovative stuff. I imagine there is less control over what you’re bringing into your organization because of the procurement process, but is there anything exciting happening?
Not so much within DoD, but I currently like what CISA is doing right now. That's the Cybersecurity and Infrastructure Security Agency.
Since Director Jen Easterly came on board, there has been a real culture shift. There’s a sense that she’s listening to the issues people have, and as a result things are starting to change. I think that’s good, I think CISA is going in the right direction. She even won a leadership award recently, which is well deserved. The best way I can describe it is, they’re making cyber approachable. It demystifies it a bit, even something as simple as if you go to the site and look at her profile picture, there is a stark difference between her and the previous directors. She goes against the grain, and I really appreciate that. Her profile inspires a message of you’re coming here to be yourself, this is a welcoming environment to learn, grow and foster your skills. So I do like the direction CISA is currently taking. Also the initiative of trying to hire more, trying to make changes and compete with the private sector. Depending on which areas you’re working in, you have to weigh it out when it comes to what’s more important. Some places pay more, some have better benefits, it varies a lot between the private or public sector. She does recognize the importance of trying to make changes toward creating a better future. She is definitely someone I have my eye on.
Do you think there’s a talent shortage in InfoSec? I guess this kind of goes back to your mentee’s experience with the “entry-level” position she applied for. How do you think we should be addressing this as an industry?
I do think there is a shortage of companies willing to teach. I don’t know what happened to everyone’s patience. As far as lack of talent, I don’t work in HR and can’t give you accurate numbers when it comes to that. But I know there are a lot of people trying to get in and they’re not getting the opportunities. So that makes me question, if there's such a big shortage why aren’t you hiring? There are people doing bootcamps, classes, certifications, degrees, and what have you, and they're still not getting in. Make that make sense to me.
The initiative shown by people that go out there and get those certifications should show there is a real commitment and willingness to learn so why not make it possible for these people, right?
Those same people who may not have experience, or are pivoting from a different career field into cyber and tech or IT, they’re putting in the work and are dedicated to the field. They just want an opportunity. A chance to show what they’re capable of as they may not have these particular skills now, but they have the work ethic that shows that they can do it. When I hear there is a shortage of talent I get confused. It makes me question things.
Do you have any hobbies outside tech?
I think a lot of folks during the shutdown portions of the pandemic started to notice some wider waist lines so lately I’ve been taking charge of my health, taking more walks, and being more active. I don’t know if you’d call it a hobby, but it’s an activity that I’ve been more consistent with.
I like to read and have been building my library, where I can chill out, listen to music. Of course I have my cyber collection, but also enjoy philosophy, social justice, and even some politics. I enjoy serving that intellectual side of myself, exploring new ideas and perspectives.
I also love sports, especially my New York teams, my Yankees, the Knicks. I know they’re not doing much of late, but I still love them.
Is there anything that keeps you up at night?
If people are really going to stay true to saying we’re having this shortage but folks who are trying aren’t getting opportunities, then what do you want them to do? A couple of mentees I have right now, I feel for them. I know they’re trying and working hard, but even with a couple getting interviews, they’re not getting over the hump. I’d like to see that change. I feel like there is a bit of gatekeeping in place too, which I think is unfortunate. If we’re going to grow and get better we're going to need more diverse thought processes, a more diverse workforce. That is something that stays on my mind recently.
It’s a huge problem what you’re identifying. If people are getting certified and doing bootcamps and still not getting in, then something is wrong with the pipeline.
And those boot camps aren’t cheap, and some you have to be careful not to be taken advantage of. If you put yourself in the position of the job seeker who is trying to get in, after a few rejections you might start to feel desperate and there is the chance of overpaying for certain things because they’re trying so hard to get in. It’s such a shame. I tell my mentees not to buy any books because now there are so many free or low cost resources out there.
One person I’m doing a lot of work with right now is named Professor Roger Whyte. He’s part of the Black Cybersecurity Association, and I’m part of it as well. At the moment we’re working on a campaign demonstrating how to create a cybersecurity home lab. He created the step-by-step process and I’m bringing it to life. I’m going through his steps, recording myself doing it and putting it out there for folks who are in that position of trying to bolster their resume and learn. I think creating a home lab and practicing at home is a great way to get that experience that employers are looking for. I call the group that I lead through this the Study Hall.
It’s a good group on Discord who meet regularly. We’re currently studying for the CYSA certification. Previously we did the PMP and we all earned our certification. When I was doing my doctorate I learned that having a good group, a common mind of supportive individuals, helps with motivation, that push. There were days when impostor syndrome was overwhelming, when I wasn’t sure I was going to finish. What got me through was creating that group, and we’re still going. Now we include folks from different schools, pursuing different degrees but the common goal is to finish. A lot of people get psyched out but having the support and encouragement of your peers creates an accountability that helps.
Do you have advice for people early on in their careers or considering getting into cybersec?
There’s a long standing debate of whether one should go for a degree or do certifications. For myself, the way my brain is wired, I like to learn. I’m a lifelong learner and so getting the degrees was the most appealing route for me. When you’re starting out, try not to focus too much on those things. If you’re going for a government job, 99% of the postings on USAJOBS require at least a Security+. There are others but the common denominator is Security+. I even say get the A+ cert because that also gives a good foundation of different computer components and how they intertwine and interact with each other. That is a good one to get, but if you want a “fast-track way”, focus on the Security+ cert. Along with that, brush up your LinkedIn profile. We saw a lot of that during the shutdown, myself included. Recruiters are using it a lot more so make sure your profile is good. Join some groups, engage with people that have positions you wish to attain, or who are working in the fields you want to work in, get your name out there and market yourself. Once you get the certification and that first job, leverage your training department. Tell them you want to go with a particular degree and ask if they’ll pay for it. In many instances, as long as it aligns with what you’re doing career-wise, they’ll okay it and pay for it. It’s a win-win where you’re saving money, gaining knowledge, and potentially leveling up to an executive position down the road because you’ll have that higher education. To get in, you don’t necessarily need those higher degrees but to advance while you’re in, it becomes important.
I know that there are people out there I would like to mentor, and that is often a good way to progress, to seek out a mentor. They can definitely get you to places you may not get to on your own initially, they can help speed up the process in many ways. Look for the coaches, they’ve been there and done it, they have the soft skills which are important to pass on. Even myself, having my doctorate, I don’t see myself as knowing everything, there are still things for me to learn. To be in the mindset of being teachable and coachable creates longevity in your career because you have that willingness to open up and learn. And in turn, always reach back and help those behind you because you were once in that position as well, so don’t get too big and forget where you came from.
Do you have any predictions for the future?
I predict a much more diverse cyber workforce. I see a lot of work being done by groups such as the one I mentioned, the BCA, as well as some for women. One in particular is WiCyS. I’m starting to see a lot more initiatives, programs and training, many of which are free or low cost.
*** This is a Security Bloggers Network syndicated blog from LimaCharlie's Blog authored by LimaCharlie’s Blog. Read the original post at: https://www.limacharlie.io/blog/cybersecurity-expert-interview-dr-joseph-burt-miller-jr
Cybersecurity Expert Interview: Dr. Joseph Burt-Miller Jr. – Security Boulevard