The career path to security leadership doesn’t have to start with a background in science, technology, engineering or math. Literature and history majors can also find their way into the executive ranks. Take Phil Mazzocco, CSO at Peraton, a Herndon, Virginia, company that provides services to the U.S. government.
Having a history degree helped Mazzocco hone the soft skills that were critical in helping him better learn the security industry and connect with his clients, particularly those with military backgrounds.
“Proper reading, listening, and writing were important skills that I got from the history side,” he said.
Mazzocco’s history background also informs his interpersonal approach to security. Effective communication with C-suite executives and middle managers is critical to his ability to foster a successful security program and his success as a security leader.
“At the end of the day, my job is to support the sector president and the business managers who use and work with security procedures every day. If I can help their mission success, they’ll be strong partners in the security program,” he said.
Before joining Peraton, Mazzocco held security leadership positions at Leidos, CGI, SAIC and Rand Corp., among other organizations.
What is one of the biggest changes you’ve seen in how organizations, public or private, approach cybersecurity?
When I started in this business 20 years ago, the Internet was still kind of new. I had it in my apartment, but I really didn’t know what to do with it. I was just figuring it out. We had it at work, but the systems were very compartmentalized then, and not just for security reasons but because of the technology. It took several years for that to change in a way that the personal and professional began to blend, and I think that’s created both opportunity and new cybersecurity considerations.
Years ago, when I was in a more highly classified environment, the Palm Pilot came out. The day we all came back from the Christmas holiday break, there was a line of people out the door asking if they could bring their Palm Pilots to work, and we had to deal with that.
And for years after that, every holiday season, we braced ourselves for the introduction of the next new technology that people wanted to introduce into the work environment. Those devices are enablers, but they come with new cybersecurity risks. We’ve had to keep up with the pace of technology these past 20 years in an amazing way.
I remember in the late 1990s giving security awareness briefings about the amount of information that could be contained on a writable CD-ROM, which is minimal compared to what we can put on a thumb drive today.
Again, it’s a case of balancing new capabilities with new risks. With cybersecurity, and security in general, you’re often a few steps behind, always trying to catch up – trying to write policies and procedures keep your organization ahead of the technology curve. That’s a challenge, and it’s going to continue to be a challenge for us.
Why did the role of CSO appeal to you? The career path can prove challenging and short-lived. CSOs are sometimes blamed for security incidents or they’re seen as enacting policies that hurt the business.
It’s certainly a challenge. I’ve never had a C-level position before, and I’m thrilled to have this opportunity. What appealed to me most about this position was Peraton’s mission focus. I wanted to lead security at a company that’s doing important work in national security, and making a difference for our country. That’s what we do at Peraton, and that’s what attracted me.
Our CEO, Stu Shea, was another factor in my joining. He understands and supports security, so I knew that he would support my division’s work, enabling me to build and run a leading security program.
You’ve been in the CSO role for a few months. What have you learned so far?
You’re learning a new history. You bring wisdom with you that you’ve developed over many jobs, and you build that up to organization-specific, C-level expertise. For me, the C-suite requires balance, moderation, partnership and collaboration. It requires proactive collaboration to develop solutions that help the company succeed.
Further, this is not a “doom-and-gloom” level. Rather, it’s a level where you have to be proactive, to buy into the company culture and ensure you deliver your functional area in partnership and harmony with your peers for the success of the company. You’ve got to be willing to jump in and support the day-to-day operations that our program managers and our employees need – and our customers expect – every day, while also putting the core foundation of the company in place.
How can security executives help the C-suite better understand cybersecurity?
The C-suite doesn’t want “hair-on-fire” communication on a daily basis. Doom and gloom cannot be the message every day. Don’t get me wrong. Sometimes there are reasons in security to talk about worst-case-scenarios after you read the newspapers and think about the potential threats.
You’ve got to have competence in your field. You’ve got to connect to the company and the company’s mission. Security is oftentimes not the mission. You’ve got to be authentic in the way you deliver that guidance and support. You’ve got to serve your customers well.
My customers are not only at the C-level. My internal Peraton customers are, many times, the level below. It’s the sector president and the business managers who use and work with security procedures every day to make their missions successful and, in a way, rate me and support me if I properly support them. That’s an important element. It’s looking one level down to ensure your team is fully supporting the actual mission of the company. You also have to exercise moderation – know when to speak up and when to sit back. You can’t sound alarm bells every time something happens. You have to manage that.
I’m not an engineer. I’m a history and literature guy, so I come at this from a very interpersonal perspective. My style is use a very personal-driven approach, rather than a technical one.
How do you determine when to sound the alarm bell?
I have some rough guidelines for what I call my “escalation plan,” which is triggered when there’s an issue or an event that could hinder company performance or impair revenue collection. In addition, any event that threatens one of our facilities or our employees must be escalated. Even then, the alert is measured. Of course, the severity of the issue determines the speed with which you escalate the alert.
We monitor our facilities and our employees the best we can. So far, we’ve been relatively lucky in that arena, but that could change at any time. I update [COO] Jeremy Wensinger and [CEO] Stu Shea early on, on a daily basis. Then, we control that information flow, depending on what’s going on at the time. Yes, I have my automatic triggers, but I’m also influenced very much by what my CEO wants to know.
You said that you’re more of a history guy than a science guy. How does that factor into your approach to security?
I loved being a history major. I love to learn new things. Studying history imbued me with a certain amount of curiosity, and that has served me well throughout my career – particularly in the early days.
I wasn’t in the military. I went straight into the contracting world, but with a focus on military and defense. I had a lot to learn, and I loved spending time reading. I think security professionals need to read; we need to know our industry. We need to know the genre. Yes, I subscribed to Defense News and Aviation Week for a couple of years just on my own. I wanted to be familiar with what was going in the community, in the business side of the field, as well as on the defense side. I wanted to be well-rounded and conversational in the field. I was working side-by-side with personnel from the military, so just having a little bit of context was helpful in gaining some respect. The reading, the listening, and the writing were important skills I first developed during my history studies.
How can CSOs balance cybersecurity and innovation?
When it comes to adopting new technologies, we as a company, and sometimes as individuals, have to be careful about being first. With new technology, you may want to let a couple people deploy it before you, or you want to let some time pass. Or, if you are going to adopt new technology, test it out.
For instance, the iPhone patch that I downloaded completely screwed up my Fitbit, and I’ve lost thousands of steps that I’m very proud of. I wish I waited a little longer to load that patch.
When we’re the ones developing a new technology, if we’re on the innovation side, security has to be included upfront in the initial development phase. It can’t be delayed until the end.
Increasingly, in the public sector, security is being included early in the development cycle. People are beginning to factor in a certification and accreditation process for a system at the beginning instead of when they’re almost ready to deliver a system. Nevertheless, we should continue to push that message of getting security involved early, and always considering security part of the technical development and the innovation itself, not just as something that is added after-the-fact.
You’ve worked on many projects for the federal government that have to include security from the start. What advice can you offer the private sector on adopting this mentality?
On the public sector side, there is an increasing awareness. Typically when you’re dealing with IT systems, the information system engineer, the solution architects, and the security architects are part of the technical team. They need to be brought in right away. You need to have a security lead in your project – even if it’s not a full-time job at the moment – but there needs to be someone who has eyes on security to ensure that proper considerations are being made during the initial design phase.
It’s a pretty straightforward proposition in the sense that security is becoming so well-known. You can’t be in IT without thinking about security these days. Still, there needs to be someone there who has the authority to drive security solutions into the project from the start, and then maintain it throughout the entire project or operation.
Most of your career has entailed working on security projects in the public sector. What can the private sector learn from the public sector about security?
I have great respect for the security professionals in the private sector who protect my private data, my personal data, and my financial information, and who ensure the electricity and the power continue to come into my house.
I think we need better transparency, better information sharing, better sharing of technology solutions and strategies. One concept I think the private sector has adopted from the public sector is the “insider threat.” You see it on the federal government side, you see it in banking. The concept of watching insiders has been practiced in those industries for years, but the term “insider threat” has provided a framework – a common understanding, with common approaches and techniques. I think that’s been very helpful for both sectors.
The public sector and the private sector do collaborate – there is sharing. I see it in certain trends, I see it in policies – it probably happens both intentionally and unintentionally, there are lessons learned that go back and forth. Both sectors have room for improvement, mistakes have happened on both sides. We know that, so I’m not going to try to take the approach that the public sector knows better than private sector, or vice versa.
I’ll give an example on the strategy side of cooperation and collaboration. One of the things that concerns me in the cybersecurity field is the incredible demand for talent, for people to do cybersecurity, security engineering, in both sectors. This may be an area where continued partnership can help, whether it’s through encouragement of STEM initiatives to get people more involved in cybersecurity at an early age.
We need to continue pushing that, not just in the suburbs of Baltimore but all around the country, up to the university level and into the market. I hope that we see security professionals moving between the private and public sectors. I know it happens, but I’m not sure to what extent.
Many of my peers in the public sector, myself included, we’re in the public sector probably for life, but is that the right approach? I’m not sure. I think cross-fertilization – of people moving back and forth – is a positive. System security engineers supporting Amazon right now on the commercial side may bring great capabilities into the public sector and vice versa. I think the documentation and rigorous standardization in the public side (as embodied in the government agencies’ certification and accreditation processes and NIST standards and its efforts to bring standards certainly) has created some complexity, and there’s some necessary growing pains to get through this, but it’s all well-intentioned and heading in the right direction. The lack of security talent is a perennial issue.
I want to offer a couple words to people who are newer in the security field or maybe even thinking about the security field. You mentioned that the lifespan of a CSO at a company is two years and that it’s a high-risk job: something bad happens, you get blamed, you move on or you’re asked to move on. I don’t want people in the security field to fear job opportunities and the ability to grow their career and to take on leadership roles in our field. Here’s the guidance that I would give to somebody mentoring people, somebody on the fence, somebody who’s thinking about a career in security: I think it’s about having a passion for your job and energy around the organization that you support. People recognize that, and people respect that.
Security practitioners have to learn how to solve problems. We’re not “no” people, we’re “how” people. We’re there to make programs successful, not to stop them from being successful. Problem solving is something you learn. Some people probably have some natural inclinations; others learn it and can be taught and mentored to do it.
Finally, I believe you should approach your job with a certain amount of humility. Maybe it’s the way I was raised. I’m lucky to have a job, and I’m thankful for it every day.
When you combine passion and energy for the job, take a problem-solving approach – which requires a certain amount of competency in your field – and throw in a dash of humility, you will earn the respect of your peers, and that will carry you through the ups and downs across your career.
Phil Mazzocco serves as the Chief Security Officer at Peraton. Peraton provides innovative, reliable solutions to the nation’s most sensitive and mission-critical programs and systems. The company is located in Herndon, VA, with approximately 3,500 employees across the U.S. and Canada.