Michael Smith, Field CTO at Neustar Security Services, spoke exclusively to Security Journal Americas to discuss his background in the military and his current role in cybersecurity.
Smith was appointed by Neustar Security Services in April 2022 and spoke highly of his new position: “Neustar Security Services is perfectly positioned in the market to meet the unique security requirements of global enterprises in need of cloud-oriented services that are secure, reliable and available,” said Smith. “I am thrilled to join the company and excited to work closely with the team to deliver innovative solutions that will help our customers maximize performance and protect their businesses in an increasingly borderless digital world.”
Can you tell us a bit about your background in teaching/mentoring?
My career has mostly followed a blueprint: go into a vacuum, figure out what needs to be inside that space, teach other people how to operate inside that space and then once it gets self-sustaining, I’m onto the next thing. That means that about half of the time I’m teaching new concepts and operational processes to people to get my ideas to scale up and out.
I spent a good seven years teaching in Washington, DC, through a friend’s training company. It started out as lead generation for my employer at the time, but it grew out to be much more than that and across a handful of companies. I think at one point I taught about half of the people doing the compliance side of cybersecurity in the US Government.
Early last year, I started teaching a cybersecurity boot camp through ThriveDX and it’s been a very good experience. They white-label an 11-month program through traditional universities and I’m usually teaching for the University of Michigan. One huge selling point is that the instructors are all working in the field, so we add in as much experience and technique as we can. I usually teach the Internet of Things (IoT) security course which is a “dog’s breakfast” of topics: circuits and Arduino programming; firmware extraction, emulation and exploitation; MQTT and other protocols; automotive hacking; and analysis using software-defined radio.
Because these are more advanced subjects, the course is the last one in the program. As a result, we have a lot of conversations in class around hiring in the industry, what hiring managers look for, how to showcase your experience without having had a job yet in the industry, how to do real research on a company and who you are meeting there when you get an interview scheduled. I also identify students that fit into my company’s hiring needs and get them into our recruiting pipeline.
I took a three-year assignment in Singapore in 2015. It was a great experience and I went “way local” in a lot of ways, but I realized that if I ever wanted to go back there, there needs to be an ecosystem of companies that I can work in and for. As a result, I started volunteering as a mentor for two of the startup incubators there. When I got back home to Massachusetts in 2018, I picked up a couple of other local incubator programs. Usually, I gravitate towards product features and market fit for cybersecurity startups or security advice for non-cybersecurity companies.
How has your time as an Infantry Squad Leader helped in your current role at Neustar Security Services?
One army phrase that has stuck with me since my squad leader time is “There are only three leaders in the army: team leader, squad leader and platoon leader. Everybody else is just support.” In other words, there are tons of micro-decisions that are made by junior leaders throughout an organization and strategy is just a way to provide them with a framework for decision-making and to help them get their job done.
Role-wise inside of Neustar Security Services, I’m very much in a position where I’m doing mentoring full-time of all the leaders that we have. I’m helping Product Management with use cases and features as the voice of the customer, coaching and training sales on value proposition and our customer’s needs and interests, sharing my experiences and explaining concepts for engineering and operations and helping to build out messaging for marketing.
Why do you think it is important to encourage people with military backgrounds to gain job roles in the cybersecurity field?
One of my colleagues said it best many years ago: veterans usually run towards problems instead of away from them. They are very well-trained in making decisions under duress with only partial information. They learn reverse-order timelines very early in their career. This puts them into absolutely the perfect mindset for any kind of IT operations, planning and project management roles.
There’s a non-profit where I mentor, VetSec, that is dedicated to helping active-duty military, veterans and people in-between get jobs in the cybersecurity field. People with a military background tend to have strong technical capabilities, phenomenal attitudes, great leadership experience and a wide range of transferrable skills, but often miss some of the foundational knowledge and experience needed to jump into the cybersecurity field. Inside VetSec, we’re always helping our members with building a de-militarized resume, networking via LinkedIn, looking at training providers and giving them vouchers for IT and cybersecurity certifications because those are the HR and hiring hurdles that veterans don’t have experience with.
What is the root cause of the industry’s pipeline problem and how would you overcome this?
There are some things that security managers do that limit their pool of candidates. We might have five jobs to do but can only hire one person, so we want to find somebody who can operate inside of five very distinct roles. And then on top of it, we want them to be inside of our budget and within commuting distance of our office. If you start to remove barriers, then you can find and hire candidates.
Smart CISOs realized five to six years ago that lack of staff was limiting their ability to execute their plans, so they started to work on ways to build themselves a talent pipeline outside of established recruiting and HR processes. CISOs usually avoid non-technical parts of the business world, but they have realized that they can’t do their job without staff. Out of necessity, they are getting more creative and hands-on in the ways they find and attract talent, from being more active networking with potential new hires in their daily lives to getting directly involved with regional security organizations, conferences and mentorship programs. CISOs are becoming low-key recruiters operating on an extended hiring timeline.
CISOs also realized that they are going to have to hire somebody who can do maybe two of the jobs that they need and up-skill that new hire with a development program to learn the other three roles. And then you can take the tactic of finding talent from parallel fields with transferrable skills (such as military veterans) and an eagerness to learn, then help them develop and build those skills over time within the company.
How do you think the cybersecurity industry will fare in the coming years?
When I lived in Singapore, they released their national cybersecurity strategy and one of the tenets was to build a “cybersecurity ecosystem,” which they defined as local cybersecurity companies and a workforce that those companies and other industries, like banking, high-tech, etc., can hire. I like how they’ve recognized that talent development and management is a strategic priority for them.
I think that to meet the demand for talent, we’re going to have to improvise, adapt and overcome. I think there is a place for good bootcamp programs to cross-train working adults into the career field. I think that we will have to find a place for neurodivergent employees that don’t interview well. I think that there is a huge place for finding the key to hire remote, entry-level cybersecurity practitioners. If we don’t figure out how to do these things, we will follow the current course and speed of labor demands that are outstripping our ability to create workers.
For more information, visit: neustarsecurityservices.com
This article was originally published in the October edition of Security Journal Americas.