Introduction. At Gate 15, our team focuses on risk management and organizational security and resilience, with unique expertise in threat analysis, operations and preparedness (planning, training, exercise and continuity) support. Recognizing that clients and partners require additional technology, services and capabilities to effectively manage their complete risk profile, our team partners with organizations that can enhance our competencies and which offer additional risk management resources that complement our capabilities. On the “About Us” page of this website, you’ll see some of our outstanding partners. In a five-part series, we’ll be posting updates with interviews with these partners to share more about what they do and how they can help organizations reduce their risk and enhance preparedness, security and resilience.
Scott, can you provide an overview of the mission and services for Conrad, Inc.?

Conrad, Inc. is at the intersection of cybersecurity policy and operations. We provide strategic policy and business consulting services, program management support, and association management services. We are specifically focused on cybersecurity, information sharing and critical infrastructure protection issues. This enables us to build and sustain deep knowledge in the industry, and expand personal relationships in the field. I have been in the field since 2000, but established Conrad, Inc. in 2006. Over this time, we have provided services to global Fortune 500 companies, emerging start-ups, non-profit associations, and institutions of higher education, among other customers.
Some of our past work includes reviewing corporate vulnerability disclosure policies, doing market, policy or other topical research on specific policies or issues related to cybersecurity or critical infrastructure protection, advising small businesses on market opportunities, and direct engagement with policymakers and thought leaders on our clients’ behalf.
You’ve been a leader in the information sharing environment for a long time. Can you talk a little about what Conrad has been doing for IT-ISAC and some of your other projects?

I am proud to say that we are still providing services to our first customer. In 2006, we landed a contract with the Information Technology – Information Sharing and Analysis Center (IT-ISAC), which is the IT sector designated forum for cyber threat information sharing. Through this contract, we provide executive director services to the organization and I serve as the IT-ISAC’s Executive Director and principal spokesperson. However, over the years, the IT-ISAC has asked us to provide more services to them. Today, Conrad, Inc. also provides operational, analytical, and administrative support to the IT-ISAC. We also provide program management support to the Forum of Incident Response and Security Teams (FIRST). We manage FIRST’s Special Interest Groups and the development of their Training and Education work. We also just finished a project with one of our partners, eosedge Legal, where we conducted a cyber risk assessment for a New England-based healthcare center. These are just some of our key projects.
You’ve also been a partner to members of your supported communities, a leader for the National Council of ISACs, a regular partner for government in information and analytical exchanges, exercises and supporting real incidents, both physical and cyber. As you look to another presidential administration and the expected change of key leaders, what advice would you give new federal leaders with regard to the homeland security mission and collaborating with industry?
My first job in this field was to help build and support the key structures of the public-private partnership. The partnership works best when industry and government are considered equal partners and actively seek and respect the input and positions of the other. When the two sides agree at the beginning on a project’s scope and purpose and share responsibility for the outcome, the partnership can achieve great things. One example of this is the IT Sector Baseline Risk Assessment, which was a joint effort of the IT Sector Coordinating Council and the IT Sector Government Council.
However, too often, we have seen government make key policy decisions and then “partner” with industry on the implementation of those policies. When the government excludes industry from key decisions that impact the partnership, the government cannot get the benefit of industry’s expertise. As a result, policy is developed without a full understanding of its implications, which often results in unintended consequences, including damage to the partnership.
As one example, not too long ago, I was discussing a specific project with a DHS official. This official acknowledged the government made key policy decisions regarding the project without consulting industry, but was nonetheless asking for industry’s help in implementing the policy. This official justified not engaging with industry on the development of the policy by explaining DHS was working on a tight timeline. This official then suggested this was no big deal by saying, “instead of reaching an agreement on 95% or 100% of the issues, we might reach an agreement on 80% or 85%.”
To that official, for whom I have a great deal of respect, it was more important to meet a timeline the government imposed on itself than it was to develop the best possible policy that reflects industry and government priorities. So, my advice to the next administration on the public-private partnership is pretty simple: treat industry as an equal partner and engage with industry early in the policy development, not just in the implementation phase. The policy will be better and the partnership will be stronger.
The IT Sector Coordinating Council has a much more detailed list about what the key elements are to a successful public-private partnership. This could be a useful resource for the incoming team.
In your work with IT-ISAC, you’ve built robust member communities with trusted groups for info sharing and collaboration. I’ve had the privilege to brief one of those groups and really appreciate that. What would you say have been some of the keys to your success in building communities of trust?

Thank you for the compliment on the IT-ISAC, Andy. I really appreciate that!
One tactic we’ve incorporated over the years at the IT-ISAC is to get people with common interests talking with each other. Many years ago, the IT-ISAC “Technical Committee” was composed of managers of security operations centers (SOC), product security response team members (PSIRT), malware specialists, and other specialists. This is a great and diverse group, but they do not have much in common to talk about. If a SOC Manager shares information that they are seeing increased activity from a specific port, that information is not of any value to the product security colleague from another company on the call. The SOC person was not getting information in return for what he shared and the PSIRT person was not getting any information of value. To address this, a couple of years ago the IT-ISAC started building out communities of interest which they call “Special Interest Groups.” The purpose of these groups is to get people with common interests from our member companies together to collaborate. It also has the benefit of drawing network security analysts and SOC managers to the Technical Committee, where they can engage and share information of value to them.
The homeland security mission is still a new one in many ways. You’ve seen a lot of change in that space over the years and been involved in many unique collaborative activities. Are there any key successes that stick out to you and any misses that can serve as warnings and lessons learned for the future?

One of the biggest successes I have been involved in was the development of the IT Sector Baseline Risk Assessment, which I referenced earlier. That project represents the partnership at its finest.
Overall, the biggest challenge we have in the homeland security mission space is that there is no sense of prioritization. The mission space is almost limitless and the resources are not. Everyone knows this, but we really are not doing a great job prioritizing where those resources should go.
Just in the cybersecurity space, for example, there is a lot of time and resources being spent on small and medium-sized businesses. Don’t get me wrong, small businesses are important. I love them. My company is one. Certainly, small businesses need to take cybersecurity seriously. But are we as a nation better off devoting resources to help Bob’s Pizza Shop defend against cyberattacks, or are we better off as a nation using those resources to protect the critical infrastructure? Is it a better use of taxpayer resources to protect critical infrastructure systems or federal systems? Where is the Risk Assessment that informs the decision making? I know many critical infrastructure sectors have done risk assessments focused on their sectors, but where are those different assessments aggregated and reviewed to determine resource prioritization?
The challenge is even greater when you look at the entire mission space. Is it more effective to spend our homeland security dollars to prepare for a dirty bomb that could render multiple city blocks uninhabitable for an extended period of time, or to prepare for a cyberattack that might make certain key functions or services, including life-sustaining services, unavailable for several days?
I am not saying I know the answers to these questions. My point is that with over 16 years in the field, I’m not sure I understand the process that policy makers use to prioritize these issues to determine how to most effectively manage risk. It often appears all this work is being done without any sense of prioritization.
If someone reading this post is curious for more information about your products and services, what’s the best way to get more information?

Thank you, Andy. I appreciate the opportunity. First, I need to emphasize that the opinions I’ve expressed today are mine, and are not necessarily those of our clients. I am not speaking for them in this blog. I would welcome the opportunity to discuss these topics with your readers and to tell them more about our work at Conrad, Inc. The best way to reach me is through my email: Scott@conradinc.biz. My office phone is 703.686.4438. People can also visit the Conrad, Inc. website, which is www.conradinc.biz. Those interested in the IT-ISAC should visit www.it-isac.org. The FIRST website is www.first.org.
Thank you, Scott! Your partnership, leadership and friendship are greatly appreciated – as is your thoughtful perspective!