Today on Cyber Work, Tom Siu, CISO of Inversion6, joins the podcast to talk about cyber diplomacy! As Siu says at the start of the show, the internet has no borders. It’s like water. There are pathways and choke points, but there is no ownership by any one country or entity. How does that influence international diplomacy? Siu discusses possible scenarios for the future of cyber diplomacy, and skills and backgrounds that make you a good fit for this work. This is a great episode for our job changers, especially as this work requires strong backgrounds from a variety of tech and non-tech careers, but as always, there’s lots to learn, no matter your skill level or background, on today’s episode of Cyber Work.

0:00 - Work in cyber diplomacy
4:36 - First interest in cybersecurity
7:01 - Learning by breaking
8:58 - Working as a CISO
17:44 - Reading and learning different job languages
21:15 - Career and personal resiliency
25:42 - The impact of cyber on foreign policy
35:14 - Working in cybersecurity foreign policy
38:24 - The military and cyber diplomacy
43:11 - Emerging trends in cyber diplomacy
48:52 - Skills you need to work in cybersecurity
54:20 - Best cybersecurity career advice
56:12 - Learn more about Inversion6
59:25 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

Listen on

Apple Podcasts Spotify Amazon Music Podcast Index Overcast Stitcher +

Share Episode

Share on Facebook Share on Twitter Share on LinkedIn

Chris Sienko: 1:10

CyberWork and InfoSec would like to introduce you to our new Cybersecurity Beginner Immersive Boot Camps. They're designed to help you gain and enhance your expertise in the cybersecurity field. Join our live interactive virtual classes led by InfoSec's highly skilled instructors, who will guide you through the material and provide real-time support. And, as part of InfoSec's Immersives training, each student will have access to career coaching aimed at helping them start or switch to the cybersecurity field. You heard that right. We aren't here to just teach you the concept of what a security professional does. We want to prepare you to enter the job market with a competitive edge in six months time. Now I've told you about InfoSec certification boot camps, and if you're trying to hit your next career target and need a certification to do it, that's still your best bet. But if you're an entry-level cybersecurity professional or want to be, or you're switching your career and want to experience a career transformation, infosec's immersive boot camps are designed to make you job ready in six months. To learn more, go to infosecinstitutecom. Slash cyberwork all one word C-Y-B-E-R-W-R-K. And learn more about this exciting new way to immerse yourself in learning with InfoSec.

Chris Sienko: 2:17

Now let's begin the show Today on Cyber Work. Tom Seehugh, the CISO of Inversion 6, joins the podcast to talk about cyber diplomacy. As Tom says at the start of the show, the capital I Internet has no borders. It's like water. There's pathways, there's choke points, but there's no singular ownership by any one country or entity. So how does this influence international diplomacy? Tom discusses possible scenarios for the future of cyber diplomacy and the skills and background that make you a good fit for this type of work.

Chris Sienko: 2:46

This is a great episode for our job changers, especially as this work requires strong backgrounds from a variety of tech and non-tech careers. But, as always, there's lots to learn, no matter your skill level or background. And that's all today on Cyber Work. Hello and welcome to this week's episode of the Cyber Work podcast. My guests are a cross-section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of InfoSec professionals, while leaving you with some tips and advice for breaking in or moving up the cybersecurity industry ladder.

Chris Sienko: 3:22

My guest today, tom Seehugh, ciso of Inversion6, is an accomplished security executive with 30 years of varied leadership experience in multiple sectors. Seehugh's recent CISO roles include acclaimed universities, michigan State and Case Western Reserve, as well as a virtual CISO with a veteran-owned managed security service provider. He also brings complex systems security risk expertise from his time at NASA. We're going to hear all about that. His cybersecurity career began with his military service in the US Navy, where he served 10 years as a naval flight officer, including a tour as a faculty member at the US Naval Academy. So during these experiences he developed an information security program, directed an information security office staff and supported global customers with their cybersecurity strategy and product development.

Chris Sienko: 4:08

Tom's most recent interests include AI risk, customer-level home security, integrated cyber-physical incident response and strategic cyber policy issues. That last one, especially, is interesting because today's topic is the work of cyber diplomacy. We're going to talk about the intersection of cyber security and international relations and diplomacy, and Tom is just the person to do it. So thank you very much for joining me today and welcome to Cyber Work.

Tom Siu: 4:33

Thank you, chris, glad to be here.

Chris Sienko: 4:36

Thank you, Tom. So to help our listeners get to know you a little better, we always like to ask our guests for the first time. Can you tell us how you first got interested in computers and tech and cybersecurity? Was this something that excited you from childhood, or did you learn it later in life?

Tom Siu: 4:56

Well, it was kind of in childhood, I guess in high school. I'm a musician and so part of that means there's always been sort of a timeline to follow through. And my high school started offering some computer programming in lieu of mathematics. Now that was probably a mistake to do the computer programming because I probably needed the math bet more in that stage. But I got high school math credit for learning how to program these little small computers To date myself. It had a little cassette tape that you put the code on, so Commodores is what they were.

Tom Siu: 5:28

But you learn sort of structured frameworks and it did follow patterns, for, like, you see musical staffs and you see how music is laid out in writing, at least to be literate. So it made sense to me to follow some sort of time-based frequency approach to that. I'm learning simple programs to do mathematical problems. And that was just the start. Later I started taking stuff apart. Didn't work, got to figure out how to put it back together. But a lot of that was going to school and they had them available at universities. So I went to university in California, santa Clara, in the boom of the tech boom in the 80s, and a lot of what we saw was you could go use the mainframe program and then they had labs of PCs which were just work processing basically.

Chris Sienko: 6:18

Right.

Tom Siu: 6:18

So I saw those two different dimensions of that work, and then we had to start writing programs to analyze our data and that was really the kickoff Gotcha. Later in my career, I got to do more taking apart and putting back together, and that was where I was learning technology from the networking standpoint, and that was at the nail academy, actually, you know, when you're teaching chemistry, uh, we were teaching students how to use outro pro.

Tom Siu: 6:45

Yeah, right sure, and how to do linear least squares analysis and curve fitting with the data, and that wasn't something everybody had done with a computer, they'd done it on paper, very much like when you're just showing people how to use those tools, and that's always sort of caught me as an intriguing way Learn it, teach it.

Chris Sienko: 7:01

Yeah, I was just going to say you brought up two different ways that seem like the best way to learn something. One is to break something and then put it back together, and the other is to know it so well that you can teach it well to someone else, because not only do you have to know it inside and out, you have to know it well enough to make it easy to understand for someone else. Right?

Tom Siu: 7:20

Well, and you have to be comfortable with little failures. Yeah, you know, and if your parents are yelling at you for taking the TV apart, you know I didn't do that, but I did really found myself very curious in the mechanical, physical space, in the cyber pieces or very abstract. So I think that was also helpful to consume the IT type of things that you would learn.

Chris Sienko: 7:43

Did you kind of come into it then through the more hands-on IT like the networking and stuff, Because it seems like that would have interested you as well, because you can actually sort of put your hands on routers and switches and cords and so forth.

Tom Siu: 7:55

Well, not exactly at that point. When I was in graduate school I was doing polymer photophysics and we were building instruments and then we had to build the computer systems to take the data and put it into the mainframe to crunch it. We were doing curve fitting for a multiple variable curve fitting. It was pretty complex math but the computer made it happen faster, so we were just in a sense using the tools enough. I wasn't really programming it, other than the sense of having access to some of the mainframes that the academic environments have. It was later, when I was in the Navy, when I had to start, we started putting together networks. Otherwise it was just a bunch of PCs that we would carry around with us, and that was more of my education and immersion in information sensitivity. Because we were dealing with classified information and unclassified information. You needed to keep them separate and apply different rules or some general rules overall, which has sort of come to be part of what is called OPSEC, and it's a big piece of cybersecurity.

Chris Sienko: 8:58

Totally Okay. Well, great, I appreciate the various contexts there because we're going to drill a little deeper into your career history. So obviously you've had quite a rich and multifaceted career. I mentioned a lot of it in the bio section here and I wanted to ask you about some of the highlights. So, like you said, you spent time in the US Navy, during which you did software systems and security testing analysis, as well as working as a network security team leader for the NASA Glenn Research Center in the first half of the 2000s.

Chris Sienko: 9:30

So following this, you worked in leadership or in CISO positions at several universities, including Case Western and my dad's alma mater, michigan State University. So in these roles, you were implementing security strategy for the university or, in the case of Case, you were building an information security strategy from the ground up. So, Tom, can you talk about your career path through some of these interesting milestones? It seems like you have a lot of CISO in your background. Was CISO always kind of a goal of yours? And, you know, I guess maybe more philosophically? If not, where did you imagine your career going when you started it?

Tom Siu: 10:05

Sure. Well, one thing I always remind people in the cybersecurity field is that the job that I'm doing now didn't exist in the 90s.

Chris Sienko: 10:14

Yeah, for sure.

Tom Siu: 10:15

So part of that means you need to be looking forward to see, like, okay, what needs are being filled and how it could be organized. So, in particular, you know, I had the opportunity to be in the military and serve in the military, which taught me some organizational structure and I've got a visual here for you. This is the airplane I flew, oh look at that.

Tom Siu: 10:35

That's the E-2C Hawkeye. This is like one 327th scale but it's cool. I can keep it here on my desk without breaking anything. That aircraft was part of what was called if you read the book by Tom Clancy Red Storm Rising, part of the command and control network. Those planes had networking in them. We used an HF radio and sent data across these links so that all the ships and all the aircraft that were capable had a big picture visualization and that sort of in a sense, gave me the idea of how to pay attention to the big picture as you move through your career spaces.

Tom Siu: 11:12

So you know, I didn't really know what cybersecurity was going to be until one day in the Navy, one of my department heads came over and said you're going to do this Like, okay, it's a yes, sir, what is it? And they made me the ADP security officer, a collateral duty. So besides flying the aircraft and doing missions and doing on the flight schedule and going on deployments, I had to figure out a program to either account for all the computers and all the software and all the classified information was associated with that. So that was a new thing and it wasn't. You know, we didn't have networks, so we just had.

Tom Siu: 11:52

We knew we had good hard inventory of where all that material was. Also, that was in the time of John Walker. If you may be familiar, he was a Navy cryptologist who was selling secrets to the Soviets. So the practices we learned called two-person integrity were part of that practice of how we handled sensitive information. It has actually flowed down into certain practices that we see in cybersecurity realm, mostly multi-factor authentication or not having everybody know all the codes and all the secrets you had. Half the people knew one and the other people knew those before you could decode things. That's why ransomware is such an issue, because they have all the tools in one place to give you problems to give you problems.

Tom Siu: 12:31

But anyway, from the career pathway it's like you're learning skills and organizational structures, but the sense of building a mindset is what has really brought me into cybersecurity, mostly from the military, mostly from communications. But then I also got to do some test and evaluation at the end of my naval career, and that was you may or may not know this, but it started out in World War II and you hear the stories about the early American torpedoes. They were, you know, in the Pacific War. They were failing, so the US industrial might was filling up, but this equipment was, you know, they're shooting at the ships and the torpedoes were not fusing underneath the ship because they were supposed to be in proximity explosive. They'd get close to hits and they weren't happening. And then the Japanese would sink the submarines because the idea is you need to sink them first. It wasn't until later in the war they stood up this test and evaluation force to make sure things operationally worked before they put them on the fleet. And so that gave me the opportunity to see many different systems than I would have been in just the one community in the Navy. I saw a lot of submarines, I saw a lot of surface materials, and then software testing and evaluation. That sort of was all these kind of foundational elements that made cybersecurity really grow for me Interesting. So in a sense you develop a way to solve problems and that sense of curiosity is helpful and then look for opportunities.

Tom Siu: 14:08

So one of the things I got to do was working in an insurance company doing IT and that business is risk and if you think about it, if you call an insurance company and say like, hey, I'd like to get a quote for a policy for my home, they ask you a battery of questions, right, and then they ask for additional evidence to prove that that's a risk assessment. Everybody will participate in that In a sense. If you step back from that, you can start to see risks, and that's in essence what cybersecurity is is seeing where there's risk and making some strategies and policies or practices to either accept them or mitigate them. I like to use the watch accept risk, remediate or mitigate. Or research, mitigate, warm.

Tom Siu: 14:55

So that business sort of carried on to what I got to do at NASA, because NASA really got a full job as a cybersecurity network analyst and NASA in a sense, is all about risk, if you think about how hard it is to send a satellite around the sun and make sure that's going to be successful. Nasa has a very formal program in risk management. They have a group of PhDs down in Houston who make sure the processes all work. In addition to all the different various elements. Just think how in the 70s if someone were on a space shuttle and they got sick from food poisoning, that would jeopardize the whole mission. They had to track how those capabilities were working from food poisoning. That would jeopardize the whole mission.

Tom Siu: 15:35

They had to track how those capabilities were working. So all those cultural things about risk sort of fuse into what we can bring to the cybersecurity realm, and that's kind of where we are now Becoming a CISO was, in a sense, just a chance to sort of exercise the leadership capabilities of commanding the technical materials. And I think sometimes we talk about career and we'll talk about that a little later. Career development, I think you know, looking back on doing this for so long, is that quite often you need to step back from cybersecurity and look at something different so you can look at it from the outside and then get back into it with a new perspective, then get back into it seeing, with a new perspective. Unlike chemistry or mathematicians or medicine, there's a career path. The cybersecurity career path is really new. We've been stealing from other areas Right Stealing, borrowing it's like a mashup.

Chris Sienko: 16:29

Yeah, but it does have more of a sort of jump from lily pad to lily pad feeling. You said you don't have as many straight lines. You know there's a lot more options, or a choose your own adventure, like every. Every sort of spot on the way could be something completely different, and I'm glad you mentioned that with regard to risk too, because that's that's its own whole topic. But anyway, go ahead. I'm sorry um.

Tom Siu: 16:47

so in a sense, um, I got the chance to to come to case western reserve university as their to come to Case Western Reserve University as their second CISO, mostly on the sense that I'd already been at university. I kind of understood the intricate relationships between administration and faculty and the power play there and that made it easier for me from a standpoint of speaking as a peer to faculty rather than you know someone who's quote outside.

Chris Sienko: 17:15

And.

Tom Siu: 17:16

I think that's important to be able to build relationships in that realm. If you're going to try and solve cybersecurity problems, you have to understand the business and you have to be able to speak the language of that business.

Chris Sienko: 17:27

Yeah.

Tom Siu: 17:27

Sometimes we, as technologists, want to go speak our techno speak and if you don't get it, then we look down on you and I think that's one way to ruin any type of relationship you need with helping people to know they trust you or that you don't know everything yeah, yeah, I know I agree totally.

Chris Sienko: 17:44

Um, I was. I wanted to ask with regards to speaking the language of your, of the culture, because, like you said, you could have a job in higher ed, you could have a job in finance. You're still still doing cybersecurity for all of these things. You had health care, but if you don't have their vernacular at hand to explain what, what their risks are, what their issues are, what needs to be, you know you're not going to ever communicate. Do you have any experience or sort of like overarching things, about how you kind of would get up to speed with regards to the language of, say, higher ed or insurance or whatnot Like? How do you sort of dip your toe in the water in a way that you're not, you know, just resisting and sort of staying in your own cyber world?

Tom Siu: 18:28

Well, two things that come to mind. One I live in a library, as you've got. You do need to read outside your realm. Yes, you can gain a whole lot of knowledge about the world, and I mean books, and here's why there's a lot of fleeting information out here. This recording will be fleeting, even though they say the Internet lasts forever. It lasts forever as long as you've got Internet connectivity. Yeah, yeah, but in a sense, you need to cultivate the way you think. Cultivate the way you think and the way you think is also going to be part of how you deal with what I call overall resilience.

Chris Sienko: 19:03

Okay.

Tom Siu: 19:05

And so when your question was about how to build these relationships, at some point you need to understand that the academic space, which I knew pretty well, was publish or perish. And if you went in to say, hey, this information is sensitive, well, it's in a time basis. It is right now, but in about a year it's going to be all public and it's what we're trying to get out. So if you understand the mission of that organization, then you can understand where you prioritize. I think a good deal of the conflict that you get between cybersecurity and business professionals is how to prioritize, and on the other side, I've seen too much trust where they ask the cybersecurity team to prioritize a business objective where they don't have enough information to do that. So part of it is remember that you have to have certain relationships, which actually points out to our cyber diplomacy situation and how you build up larger scale. Additionally, there's this engineering principle that I learned in undergraduate studies and it's when you have a problem you manage the scope.

Tom Siu: 20:10

Yeah, I think why sometimes, when you go to between different industries, you know, for me, government seemed like they never really wanted to manage the scope. They wanted to do everything Sure, and you know when someone says we need a law to do this, and I'm something like has industry already solved this problem? And all you're doing is codifying some fairness principles, because I think that's the best place for a regulatory scheme to say okay, here's how we keep fair play. But if a regulatory agency by their nature will never be on the front end of a technology or a learning curve, if they said you'd have to be certified to become a CISO in 1990, there would be nobody doing it because nobody knew exactly what you need to be certified in. Nowadays, there's a community practice and there's dissent and there are arguments and what's more important and what's not. And that's good, a healthy, if you want to call it, career ecosystem. That's how you get to language. You'll be ready to engage.

Chris Sienko: 21:15

Yeah, that's great. We'll get to the main topic of the day in just a moment, but one thing popped out that I thought would make an interesting sort of piece of career talk. You mentioned developing resiliency and we usually talk about that in terms of, you know, defense posture or something like that, but it sounded like you were talking about developing resiliency in terms of your own career or personal development. Can you speak more to that idea, Tom Well?

Tom Siu: 21:41

certainly the reason why I bring that up is I've been in some very major incidents and major long lasting security incidents and physical security incidents that are both fusion of the response process, and I see that quite often you have to have some sort of personal resilience, meaning there's a crisis and you're really, really stressed. How do you recognize that the stress is affecting your ability to make good decisions? You know one tactic that's always there is to distance yourself from the situation a little bit, step back, look around, breathe. But if your heart rate's running because you know there's life and death or life and death of the company situation in front of you, ideally you spent the time thinking through those beforehand so you don't have to think during the crisis. The same thing from the aircraft. You know emergency procedures. You know when that warning light comes on, you follow the procedure, but you still have to step back a little bit and say are those the indicators that the procedure, that this engine's on fire? You know, and then I'm going to follow that, because sometimes it could be just the warning light Right.

Tom Siu: 22:51

So the resilience you have to develop is actually put yourself in stressful situations controlled, which often means like working out really hard or training so that your physical and psychological balance are maintained. And you know, and as sometimes we sometimes sit in front of a computer all day Right, like how am I going to be resilient there? So you have to think that I think that's essential for a cybersecurity practitioner. I know we were going to ask about what you get ready for, but I still think that it's an attractive fun field for curious and abstract thinkers. But you also have to remember am I right for this job, you know, am I right for this type of stressful situation? Because different in your life you would be, and other times you might not be. And the part is, you know, can you find exactly when you could flourish in those type of roles? So resilience is in a sense, um, you know, I guess as a veteran.

Tom Siu: 23:50

you know we get run through a grinder to to, uh, because we're going to fight wars and we may die for those reasons and they have to be solved and you have to have thought through them. So you do them rather than withdraw right when the country needs you or your colleagues or your comrades need you. So in the cybersecurity realm you need to recognize those. On the other hand, you might be so inured to them that the dangerous situations sometimes make you cold and you know unem, know yeah, just shut that, shut down a little bit yeah so yeah, so I do know many people who are dealing with um.

Tom Siu: 24:26

You know at least veteran syndromes, stressful long-time stress and how that um causes injury not alone mental, but moral injuries occur, and how that is, you know, manifested in the suicide crisis that you still see. But the idea is, here you can still have those strengthening exercises without burning yourself out. I think that's one concern we often have in the cyber realm is hiring people in the sock and they're staring at the screens all day and they're responding all the time and they get burned out because they don't really have the right outlet or they haven't developed the resilience they need up front.

Chris Sienko: 25:00

Yeah, oh it's. Yeah. That's great advice, I think, because, yeah, I don't. I'm always a big proponent of like know what, know the downsides of the thing that you think is your dream job, as well as the upsides, because both of them will be there in equal measures every single time.

Tom Siu: 25:15

And it's, and it's good for us in this opportunity to tell people hey, this is the reality and that's why I mentioned earlier it's probably reasonable to say you leave the field for a little while and go do other things and then come back. I've always tried to advocate for that, in terms of people working their career, coming from a different field, learning enough cybersecurity to be productive as a mid-career professional and then using that to strengthen their ability to lead in other areas, IT or not.

Chris Sienko: 25:42

Interesting. Okay, well, we'll definitely come to mid-career changers later on, but I guess it's time to start talking our main topic today. So we're talking about the impact of cyber in the realm of foreign policy. Now, full-on analyses of decisions made in foreign policy from year to year are way above my pay grade and, frankly, my IQ.

Chris Sienko: 26:01

But we want to talk today about some of the practical ramifications of recent announcements by the US Department of State. So, as you said in your statement, the announcement by the Department of State quote will be an important acknowledgement of the impact of cyber in the realm of US foreign policy. In essence, quote, cyber diplomacy will affect how our nation relates to others, but we must remember that much of the origin of internet protocols as evidenced by the request for comments, RFC documents, through the Internet Engineering Task Force, IETF, established technical standards that were agnostic of international divisions. The internet and the domain of cybersecurity is a stateless, in a geopoliticalical sense, entity. So you continue.

Chris Sienko: 26:42

The question that comes to mind for me is will this newly announced strategy change statecraft to adapt to rapid changes in information flow, or will the strategy simply be added to the tools available to current foreign policy strategies? Unquote. So, Tom, can you summarize some of these strategies for our listeners and, specifically, can you compare the two different outcomes you suggest above? So like, how does this policy operate if it's used, to quote adapt to rapid changes in information flow, versus how it exists, if it simply becomes yet another tool in the toolbox?

Tom Siu: 27:14

Well, great, yes, so the US Department of State, which we call statecraft, is a foreign policy by the administration. One thing we have to remember is when you change administrations, sometimes that changes. That was rather invariant through the 70s and 80s and maybe the 90s. The Cold War, I'm an enemy. The different parties didn't necessarily have. They had different approaches, but they had still a clear vision of what to do. Different parties didn't necessarily have. They had different approaches, but they had still a clear vision of what to do. I'd say in the last 20 years our nation hasn't had a clear adversary, now that they're popping up in the cyber realm. But it wasn't really easy for us to unite around one thing the Soviet Union, global communism, were a big thing we were dealing with, and now we just seem to be in a foreign policy state, not sort of driving for a common goal all the time across administrations. So what the current administration has done is that they published this international strategy, and the international strategy is different than a national strategy. Here's why National strategy says this is what the United States will do and the international strategy says this is how we're going to get along. You know we talked about the language between making relationships. So, um, I'll I'll read from the notes here that says that you know they want to promote three, three principles. One is a positive vision for cyberspace to adhere to human rights law. The second was to integrate cyber security, tech innovation and sustainable development and economic growth. That makes makes sense. You know, from a foreign policy state, we want other nations to have economic growth and, ideally, trading partners with us, right. And then the last one is employ a comprehensive policy to ensure a secure approach to global digital infrastructure. That is a realization and a manifestation that the internet is all ours and it's obviously man-made. It's actually infrastructure that's going around. And one thing we have to remember is no one place can destroy the internet. Darpanet and ARPANET in the routing framework that still exists in the internet, communications were designed that if a nuclear weapon took out one node communication would reroute We'd still be in communications. One node communication would reroute we'd still be in communications. Something we've learned from World War II electronic warfare, as well as signals, intelligence, all those things really spawned out of. Just imagine the Enigma machines and how they used the computers that bludgeoned apart to break the codes to kind of know what the enemy was talking about. Well nowadays, if I could just deny your way to communicate, you actually may not be able to respond to certain things. So, in a sense of resilience, picture right there.

Tom Siu: 29:46

So this particular strategy is aiming at how the United States is going to organize peer nations or people who believe the same things that we do. The challenge there is that there are a number of nations who don't believe in the sort of freedom of the internet. Information will be free censorship, which we see in our nation at least, a censorship of opinions they don't like, which is probably the worst thing. We need healthy dissent. Feel free to dissent with me on that but in a sense, free exchange of ideas allows us to pursue the best ones via debate, sense of order and liberty, if you want to call it that. So I see that as a positive step forward.

Tom Siu: 30:30

But upon further study, you asked me what are the two particular outcomes? Are they going to actually drive another tool? Actually, I'm digging in a little more. It seems like they're trying to use this cyber strategy as an additional tool in the diplomatic toolkit. Okay, so one example is how we wield influence amongst other nations, and one of the things that were listed they have a 50 million dollar fund where they can help another country out who's been taken out by a cyber attack.

Tom Siu: 30:57

Um, and I think that's in a sense also to help us with allies who aren't really quite allies, you know, like, hey, we'll help you, you've been hit with a ransomware, we can help you recover your environment with some money that we have available from US tax dollars. That's you and me, but it's also kind of like, as I mentioned, there's not any landscape, and the pattern that comes to my mind is from studying this book, the Influence of Sea Power on History, by Alfred Thayer Mahan. So in a sense this book talks about. You know, the ocean has got no features, although there are features, for example, if you can control the choke points like the Straits of Gibraltar you can control communications choke points like the Straits of Gibraltar.

Tom Siu: 31:41

You can control communication through those areas. So mastery of the sea is done through the United States as well as post-World War II, to allow commerce to go through, and I think that's a pattern that we could follow through in a cyber diplomacy thing that we get, like the law of the high seas, the law of the Internet. The question is, who's going to enforce a law of the Internet? We have standards IP version 4 and IP version 6. They're standards, so if you want the equipment to work, they follow the standard, and sometimes in our audits we look to see are you following standards? But the technical standards are pretty hard and fast. You can't adjust for them. But the behavior standards and the legal standards obviously can have a lot more room for interpretation. So I still think it's a tool.

Tom Siu: 32:26

One thing you may have noted on a side note to this is the 2023 National Defense Authorization Act authorized the State Department to hire like 25 cybersecurity experts from the private sector 25 cybersecurity experts from the private sector and to help them fill out this, what they've acknowledged as a gap in their diplomacy capabilities. They have a division. What's his name? Michael Fick. He's USAID ambassador-at-large for cybersecurity and digital policy. It's admirable they already have someone in that role. What kind of people are they going to pull? Obviously they're going to pull some academics. They want to pull some people from cybersecurity commerce. Their goal is to get an ambassador.

Tom Siu: 33:08

So every embassy, foreign embassy, the US, has to have an expert from one of these fields. I say that's a big challenge because they have 170 experts 170, not experts. Embassies, embassies okay, one in every embassy. They have a really exacting skill set to demand. Maybe they don't need foreign service officers that's a career that you probably didn't have time to study cybersecurity but they want to bring people from the private sector in to help them with those gaps. So I think that I've refined my thinking about that statement, and it's definitely the latter. They're adding the tool belt to the tool belt, rather than standing up like a space force or a cyber force for the military.

Chris Sienko: 33:53

Yeah.

Tom Siu: 33:53

You know, I don't think they're going to have another and controlling choke points basically. Is that what I'm hearing? Yeah, basically.

Chris Sienko: 33:59

Yeah, so we're not trying to straight-serve Gibraltar things. Is that what you're saying?

Tom Siu: 34:04

Is that right? I don't believe that the other option would be. It depends on where we go foreign policy-wise. Does the cyber realm add to that? And the biggest problem that everybody looks at is why are we being attacked from other countries? Why can't we do something bad? I've always heard people like why can't they go arrest them? Because those borders of the laws don't apply. And if you think about the GDPR, the privacy law of the EU, I think that's a classic example of cyber diplomacy or lack thereof. If that's your opinion, how could an EU say our laws apply in your land?

Chris Sienko: 34:42

Right right.

Tom Siu: 34:44

Yeah, they don't, but by certain types of influence they're going to say they don't, but they do.

Chris Sienko: 34:49

Yeah, yeah exactly.

Tom Siu: 34:50

I mean if you had a footprint in the EU and I advise companies that do have that they follow the GDPR pieces for that data for those employees that are domiciled in those states. But information flow really may mean that's a stateless activity and they're regulating something they really can't. We'll see how that works.

Chris Sienko: 35:14

Yeah, Okay. Well, I want to branch that out to our topic here. So you know, no matter who I bring on the show we decide to talk about, I'm always going to bring it around to the actual work of cybersecurity professionals in the many facets of the industry, and you mentioned risk and compliance as being certain things, whether it's security architecture or you know, I think we can even help move policy in terms of future. Like you said, cyber diplomacy how are we going to interact with other countries and stuff? Do you see roles that are specifically around cyber, foreign policy, cyber diplomacy, becoming more prominent and extensive in the future?

Tom Siu: 35:52

Well, I do. Yes, here you know, the US State Department obviously wants to hire these experts and they receive funding to do so. I did have a sort of skeptical moment. They were given $750,000. And I said you divide that by 25 people, you're going to get $30,000. I'm not sure how that's going to work, and then you can quickly look through the USAjobsgov to see what kind of postings they're posting for. I think, even if these are GS-14 or above, they're not senior executive services, but I think they're trying to.

Tom Siu: 36:28

I think this realm has weight not so much from the commercial sector but from the public sector support and it seems to be a natural role for someone who's been in the technological leadership position and can lend their skills to a national cause and even possibly being deployed overseas. I see some of the skills that come from you know, like a veteran. I've talked with a lot of veterans who are finishing their 20 years of service in the US and then moving into another career field. I mean, imagine you went to the Naval Academy, you started a career at 21 or 22 years old and by the time you're early 40s you can retire and start a whole nother career and still have that sort of military background, all the tons of relationships you get, and many have deployed overseas and lived overseas a long time. So you know you're not so much afraid of having to go to live in. You know paris oh, break my leg, um, but you know they're going to have, uh, some they need to have. Bring that skill in rather than brew them up through the diplomatic corps. Um, I think that in a sense brings you some fresh outsider perspective. But you will definitely have to learn the details of how living in different countries work.

Tom Siu: 37:47

I mentioned France. I lived in France for a while and it was a really good experience. I was in graduate school and I came back to the United States really appreciating the United States. I think that's quite an interesting experience because I just moved and at that percent I lived in a little apartment. I was, for all intents and purposes, just a freshman with American accent, but nonetheless the idea is that if you're representing your country in cyber diplomacy, that's a whole new field. I think this is really new. I haven't heard of anybody talking about that.

Chris Sienko: 38:24

Well, to that end it sounds and you can correct me if I'm wrong here but it sounds like the way you're suggesting a path in is that it's going to be better suited to people who are going to be in the military first, doing international relations first, and then maybe adding cyber to it. So it's less about you're in school, you take cybersecurity of a certain type and then you sort of move into quote unquote, cyber diplomacy. Am I right in thinking that the sort of military and sort of international relations experience comes first in this particular case, right?

Tom Siu: 39:01

Well, yeah, I think the international relationships are key. I was really more alluding to being in the military.

Tom Siu: 39:08

May give you some of those tools not a prerequisite, but on the other side is that you know you still have to have the cybersecurity expertise to look at the problems that are being manifested and those are very strategic and that's why I like doing what I'm doing now.

Tom Siu: 39:26

I'm less focused on program for an organization and I look at multiples and then I have a chance to step back and say, oh, there's a pattern here and I think strategic studies and thinking about cyber strategy all in itself is a harder thought process and actually less compensated. I don't think they actually sometimes want a cso who's thinking so much strategy, um, and they want sometimes operations to be the dominant force of your skills. So I mean, that's part of you know the different flavors of csoOs there are, yeah, for sure. But I see the opportunity here that if you study a little foreign policy or you've worked in a government agency and understand sort of the inner workings of federal agencies like that, you may not be working on the cybersecurity thing. You're going to work on the business end of the State Department and I think that's an exciting opportunity for people who've been looking into you know, especially if they look at the United States as an outreach of our cultural and political influence.

Chris Sienko: 40:28

Can you speak to the business end of how that would differ in terms of what we're versus what we were talking before Like? What would the sort of contours of a job like that be like?

Tom Siu: 40:38

Well, I did look into what their requirements were and you know part of it is they do want people who understand the business cycles. So if I look at this and read between the lines on that, they also realize that a lot of our diplomacy involves economic communication and coordination collaboration. Economic communication and coordination collaboration. If we don't have trade issues with a particular country or trade agreements, we have less influence on whether we're going to sell them products or they become dependent on our market spaces and vice versa. Hence the intricate relationship in the United States and China, in the sense of growing isolationism, if you want to call that, in our nation.

Tom Siu: 41:19

Well, it also means that we boomed economically by pushing some of those work overseas, but then that meant that we had to deal with the political system in a way that we fundamentally are at odds with. So almost as if you were saying my cybersecurity is not going to use the same TCP IP protocols that yours is going to use, and so where we go on, that could really mean that the skill set that's necessary is you got to be, you have to be thinking more about the policy rather than the bits and bytes. Almost, in the sense, you got to peel your fingers back from the keyboard and you know I'm not hunting down, you know phishing attacks. I'm looking at the numbers, the economics and how, the how the systems work, and I think that's a different mindset that you need to cultivate after you develop the cybersecurity foundation.

Chris Sienko: 42:14

Yeah, yeah, yeah, yeah, no, I agree with that. No, I agree with that. And again, one of the big themes of this podcast is that there are a million ways to contribute to cybersecurity that don't all require like the heaviest of technical backgrounds. Like you know, someone with a business background and some cyber, or someone with military background and some cyber, will probably be able to flourish in some of these other positions. Rather than you know, you've been taking computers apart and putting them back together for decades, but it's not necessarily a prerequisite for every type of job in the sort of larger cybersecurity landscape, and I think it's always worth sort of reinforcing.

Chris Sienko: 42:54

So I want to talk now as a fellow library haver and book reader and so forth, because I think one of the things that you know we're insistent on talking about on this podcast all the time with our listeners is that cybersecurity is an industry that's changing radically.

Chris Sienko: 43:11

You know we always say every six months, to say nothing of a year or a decade. So you know we're always sort of letting them know like you need to be on top of everything, you need to be reading, you need to be on top of new developments and keeping up with, you know, spinning templates in the air and so forth. But you know, now we add the world of geopolitical machinations, which is a topic that could occupy all your time all on its own. So, tom, for students and novice security professionals who might want to move into this area of cybersecurity, international relations, diplomacy, whatnot? What are some of the emerging trends, issues or challenges they'll need to absorb to get up to speed with quickly? I mean, I'm sure, like you said, the sort of labyrinthine relationship with China might be one of them, but what are the big topics being discussed in the space at the moment?

Tom Siu: 44:00

Well, I think one piece to think about is cyber warfare. It has really changed the nature. There have always been cyber attacks. We were always being the universities being attacked from either nation states or other people just experimenting because we had a wide, open, high risk environment. But what I think, that what the Ukraine war has shown us, is that besides trying to hack me for fun and profit and that's mostly become profit there is actually hacking for destruction. And I think, if we look at this I've had this book just about a year now Cyberspace and Peace and War by Martin Lubecki, excellent read.

Tom Siu: 44:40

Obviously I've tabbed it all up, but in particular cases it does balance out the business and political reasons why some of these attacks occur. So, for example, russia didn't have to do a whole lot of work to hack the Ukraine telephone system because it was the Russian telephone system at one point, so they knew the weaknesses and strong points on it. But on the other sense, they were actually deploying ransomware just to destroy some of the IT infrastructure. That has only a temporary effect, because with some economic capability I can just bring in new equipment. Actually, there's an interesting story how Microsoft moved all the Ukraine's infrastructure to cloud-based Azure space because the data centers were being targeted by cruise missiles. That's not been in my risk cycle here in the United States.

Chris Sienko: 45:29

No kidding.

Tom Siu: 45:30

Yeah, you know, someone decides to drop a hypersonic cruise missile or a hyperbaric missile into my infrastructure space. Yeah, I would take out the routing, we could reroute, but my data was there. So you know, those different things add to the dimension I think is pertinent and we need to consider. You know, we hear about infrastructure being attacked and really there's a lot of people who haven't really done enough to have their you know, have their systems in a public internet space. That's why I think the higher education space was really a good lab for someone to develop thick skin, if you want to call it that, because you have to accept certain risks. I mean you can't just lock the students out. They're there to learn and, yeah, sometimes they cross the boundary, but it also means that you have to have, you have to enforce what your boundaries are and usually that's a technical thing and sometimes you just choose not to because you want people to learn by failing small Some of the best lessons, some of the students, I've seen really bright students who crossed the line and we gave them the consequences right away Like, oh, I realize that now and they've gotten productive lives.

Tom Siu: 46:42

I just think that's just the approach that Western civilization could do really well with. But also on this other side you hear about other. You have to accept so many different risks in higher education. Which one do you choose? Again, the game of prioritization and that's your communication, so that lends itself to the international space. You need to know how to use that language of well. Understanding the aspects of a cyber war can help you prevent it, right. Didn't Sun Tzu say that you want to peace, study for war?

Chris Sienko: 47:12

Mm-hmm.

Tom Siu: 47:13

So how many CISOs actually have enough time to do that? Well, you need to dedicate something if you're growing into this space or if you already bring it to the space. You know the career space. You can add to that by learning the technical skills underneath. It's an interesting paradigm. Have you heard of? You heard of patent lawyers? Yeah, of course, patent attorneys. So law firms will often hire a PhD in the subject area and then send them to law school to become a patent attorney so they can argue the finer points of whether this was found before or not. They don't send a lawyer to get a technical degree.

Chris Sienko: 47:49

Yeah, sure.

Tom Siu: 47:52

They bring in technicians, and I think this is the cyber diplomacy thing. It's like I need people who have these skills already and then I train you the foreign policy aspects. But you're not alone. Notice, it's only one person per embassy but nonetheless, your rhetorical skills, your argumentative skills, your ability to build logical pathways and then see the big picture and help them see that is that you're part of the team. I think that's the last thing that I think is the key skill that may not be talked about in the cybersecurity training circles. They say you want to learn networking, you want to learn applications, you want to learn vulnerabilities, you want to learn how business processes work and how they fail, because I could say you could spend a lot of time on identity and access management. But is there an international policy on IAM?

Chris Sienko: 48:37

No, right, yeah, yeah.

Tom Siu: 48:39

And would we say you have to use this network ID space? No, the market is doing that and I don't think governments would ever be able to catch up to that. But the skills you will need is to say I have enough, but I can look to the problem that hasn't been found yet.

Chris Sienko: 48:52

Yes, ok, well, speaking to the part that you need in your toolbox, I want to talk more in terms of someone who's been in the space for a long time and probably does some hiring and has people underneath them For listeners who want to get a toehold into cybersecurity. More generally, what are some things in your mind that you would want to see in someone's background, especially if they're just learning and haven't maybe gotten their first job yet, but like what are some experiences or certs or things that would indicate that they're putting in the effort at least and ready to do the work to you?

Tom Siu: 49:24

Sure. So I've done entry-level hiring and then I'm also, as I mentioned earlier, key to bringing people mid-career, yeah, okay. So let's start with the mid-career. I've got someone who's done IT processes and some business processes and they're poised to fit in specific roles in the cybersecurity if you want to call it the sizzle mind map activities, okay, cybersecurity. If you want to call it the CISO mind map activities. So, for example, if you spent some time in audit or you spent some time in analytics, you are very likely to be able to flourish well in the government's risk and compliance activity space. That's looking for risk, performing assessments and then using standards. But you still need to be able to discern what's going on between the lines. If you're just gonna say this control is here or not, you're not helping there. But the idea is to help find out which risks are more pertinent and thinking about the time base of when it's gonna occur. That's where I found I found personally the best place to learn. If you bring someone with an abstract thinking capability, that's the place to go.

Tom Siu: 50:32

Sometimes we would hire people from the help desk because then they learn the business. Actually, this took place at the insurance company. We hired people from the call centers who were answering calls and filling out those questionnaires. They understood what was happening to sell the insurance policies and the claim side. We taught them how to program that. So, similarly, if you worked at the help desk and you knew the business problems, you could actually flow into some training for instant response where you would do forensics, e-discovery, you may look at longer-term trends and how to use the specific tools to whether the controls are working and sometimes vulnerability management. I've seen many people flourish by starting in vulnerability management because they've worked in the help desk so they understood the technology stack a little bit. Similarly, if there's one place where someone's almost say they've been in the career 10 years and the place to start them is if they understand business process, is the resilience. That's the DR business continuity side and I always encourage people to see this as a.

Tom Siu: 51:39

If you look at a security incident starts out as event I mean, make sure I'm doing the right way starts out an event. It gets more serious, becomes an incident, a series of incidents become a disaster and it requires different levels of response once you escalate. And then the business continuity which could include, like a flood a fire alarm went off in the flood building and now all the servers are off. You have to. How are we going to move them? Put them in different places, so that continuum between event, incident, disaster, business continuity and maybe emergency operations.

Tom Siu: 52:11

Someone who understands that big picture can go right into the resilience section and see the end product of a cyber incident response and then learn their way back forth towards the front. So it's almost like you get a math book. You went to the answers in the back and then you've learned how to solve the problems and you're like, oh, I can't understand it. Yeah, that makes sense, that's one way, but so you know, those are some examples of how entry level and more senior level people can get in the field. And then I think even sense of management is a whole other capability there. Just because you're the manager shouldn't mean you're the most technically astute person. It means you're the manager shouldn't mean you're the most technically astute person, it means you're the best at organizing the troops yeah, you're managing, yeah, great.

Tom Siu: 52:56

And sometimes we promote people to the manager and they're actually not developed the people skills yet. Right, and I think that's where the CISO has been and should be. But sometimes people hire CISOs for their technical skills and early on I was expected to know all of them and that was good. But on the other side, I think, as we fill out the sort of the skills matrix overall, yeah.

Tom Siu: 53:18

There's going to be only a couple of unicorns that can do all those things, and so sometimes you need a team that carries different parts of those things. Much like you know, basketball teams got the center, got the shooters, they got LeBron James and they don't need anybody else.

Chris Sienko: 53:31

Right, exactly, and also I think that not every company has the wherewithal to hire multiples. But I think that's we're seeing that division between the CISO and an advanced security practitioner, someone who is not going to want to go into the management side. Maybe they're never going to develop the management side but still want to be doing the actual implementation. If you have, you know, get you a company that can do both, you know, kind of thing.

Tom Siu: 53:55

Well, ibm had that. They had this, the expertise, the experts, engineers, who didn't necessarily have to have a team reporting to them, and they had these sort of parallel careers. You could jump back and forth between them. It just depends on where your best benefit for the company was, and I think that's possibly happening. Microsoft hired three or four different deputy CISOs to handle different pieces of it, because they realize it's not one thing their CISO could do.

Chris Sienko: 54:20

Yeah, all right. Well, so we're coming up on the hour here, tom, so before we go, I would want to ask you something. I ask all of our guests what is the best piece of career advice you've ever received, whether it's from a parent or a mentor or a teacher or colleague, or even just something you read?

Tom Siu: 54:36

Well, I read a lot and I'd say most recently, the best career advice, is from this book called Turn the Ship Around by L David Marquet. I thought it was about submarines. My wife bought it for me for Christmas one year and I read it. I'm like this is not about submarines, it's about leadership, and for me personally it actually was a new set of thinking and I think, as a CISO, you need to inject some new set of thinking into your practice.

Tom Siu: 55:06

I was successful in what I was doing and I liked it, but I realized that I needed to think a little differently and that's called intent-based leadership and what I started doing as opposed to being the CISO that knew everybody and everything and knew which button to push to the CISO, you know, I moved to a different organization.

Tom Siu: 55:25

I didn't know anybody, I didn't know the infrastructure, I didn't know the IP spaces, like I know, and I didn't know where all the business nooks and crannies were. So I found that I had to develop a team and develop their competence and then I guess the main principle of that is push decisions to where the information is. Then you're not the bottleneck, you are stepping back and seeing what the process is like and putting your finger on different situations. That was the most transformative career decision for me was to think hey, I'm not so much a technician, I should be a leader. Yeah, I understand the technology. I'm curious about how things break and how to break them. But the other side of it is I've started, in a sense, hacking the organization, if you want to call it that.

Chris Sienko: 56:12

Interesting. That's great advice, thank you. I've never heard that variant of it before, so it's always good. So we're just about out of time here, but before we go, tell our listeners about Inversion 6 and the products or services you provide for your clients.

Tom Siu: 56:25

Oh, gladly so. Inversion 6, we're Western Cleveland, based on Westlake actually, and we are part of a group of companies, and our in version 6, is the cybersecurity managed security service provider. We include a SOC service and in a sense, we have a group of CISOs a group of CISOs, excuse me and this group of CISOs comes from different industries. So, as we alluded to earlier, no one CISO can know everything. So what we end up doing is we support our clients with almost like a team. You would hire virtual CISO services from us and that gets you that kind of high level leadership. We're all experienced CISOs, if you want to call it, grizzled and scarred CISOs who've done these other environments, and then we bring that to a small to medium-sized business, even if they do have a CISO. Sometimes we actually fill in the gaps for them. But what usually help an organization is solidify their security programs, to command the basics, but also sometimes having someone around like us who can wear the executive hat, so to speak. And sometimes your technicians haven't really had those skills or things developed and we developed them, and that's part of what I think is a big draw, because I think that's a logical progression for a CISO If you can do this sort of virtual CISO thing. What's exciting for me is I see a whole lot of different businesses and different business problems, and I'm not, you know. I don't have to say I have one tool In higher education it was there for a long time which is unusual to you know, you see the patterns and you pretty much know what you're doing this one.

Tom Siu: 58:06

You do have to figure things out. You got to listen more. You want to enable those clients to be able to do the things that are best for them. It may not be the same for each client, but most everybody has a challenge with prioritization. Which are the big risks? Which ones are going to accept? What are we going to do?

Tom Siu: 58:23

Seeing all those different areas is really the best part of what Inversion 6, what I like most about what Inversion 6 is doing. That being said, I was speaking with one of my colleagues who's a CSO and we were saying, like, what's the future pathway for what CISOs should do? And he and I agreed mostly that the emergency operations piece is where CISOs can lend their skills to organizations. So running EOCs, which fuse the cyber-physical space crises, power outages, system failures that create large public issues, and you need to have that cool head that's developed over the years of being a CISO to help organize and deal with these highly stressful situations, fema type of activities, and I think that's, you know, in a sense, where Invergent Six isn't doing that very much in terms of helping people organize those, but it's in our portfolio now.

Chris Sienko: 59:25

Great. Well, Tom, thank you very much for this great conversation. I really enjoyed learning from you today. Thank you.

Tom Siu: 59:31

Thank you, Chris. It was a pleasure speaking with you.

Chris Sienko: 59:33

And thank you to everyone who watches, listens and writes into the podcast with feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, drop them in the comments below. We're always looking and we're always checking that. So before you go, don't forget infosecinstitutecom slash free, where you can get a whole bunch of free and exclusive stuff for CyberWorks listeners, including our security awareness training series. Workbytes Still the best place to go for your cybersecurity talent development e-book, and we have a couple more new things on there recently. So again, check everything out there. Infosecinstitutecom slash free Link is in the description, as well as the link to Inversion 6. So one last time, thank you very much to tom. See you, and thank you all for watching and listening until next week. This is chris senko signing off, saying happy learning.

Cyber Work

Cybersecurity’s role in U.S. foreign relations | Guest Tom Siu

Listen to this podcast on