
#24 – Patrick Gaul, Executive Director, NTSC
Creating Public + Private Partnership for Education & Mentorship
Patrick Gaul, Executive Director, NTSC
If you are a current or aspiring CISO or CIO, then this episode is for you!
We are doing something slightly different from our norm with this week’s episode, just in time for the annual NTSC Conference happening now in DC, featuring an opening address with Jen Easterly, Director of Homeland Security CISA, and Congressman Jim Langevin, as well as addresses from Robert Hannigan, former head of GCHQ and now head of BlueVoyant, Microsoft and Johnson & Johnson, to name a few. The event is still available virtually from the events page at www.ntsc.org
This is part 1 of 2 with Patrick Gaul the former Chairman of TAG and now Executive Director of the National Technology Security Coalition NTSC. Part 2 is coming soon with his personal experiences with Leadership development, personal growth, military experience and how it has guided his life and career.
Topics Discussed
- National Data Breach Notification Legislation.
- Global Data Protection Act. CCPA modeled on GDPR
- Cyber workforce development. Out of the Fortune 1000 companies, there's only 26 female CISOs
- We have over 5,000 institutions of higher learning in this country. Only 86 of them have qualified cyber scholarship for service
- Lobbying for computer programming & coding to be treated like foreign language requirements in schools
- Public & Private Partnership
The DC Local Leaders Podcast produced by SHIFT | Media Studios
Learn from the #Mindset, #Motivations & #Habits of Executive #Leaders in #Technology | #Government | #Military. Their experience helps us align with our #purpose , continue to #grow and achieve our #goals.
phillip_k_naithram Patrick, thank you so much for joining us. You’re here today on the DC local leaders podcast coming all the way from Atlanta, Georgia, right?
patrick_gaul Yes, we are down in the south.
phillip_k_naithram You are the executive director of NTSC, and predominantly, most of your members are CISOs, right? That’s kind of who you tailor your organization to.
patrick_gaul Right. Chief information security officers are, are, a major part of our organism.
phillip_k_naithram Well, how’d you come to be involved with NTSC? Are you a cybersecurity professional or IT?
patrick_gaul Well, in my background, I did do a cyber startup back in 2012 that was wrapped around secure collaboration, working with some former colleagues. I did that for a few years, but the way I got involved in the NTSC is that I spent about 10 years serving on the board of directors of the Technology Association of Georgia, which is the largest state technology association in North America, about 34,000 members.
And in 2014, I was the board director after I finished that years, the chair, I stepped down, a few months after I departed, I got a call from the president of TAG and he outlined this vision of creating an entity within the state of Georgia that had a national identity, which is focused on cyber security, which is at the nexus of everything that happens these days. Most people think about Georgia, they think about peaches and peanuts, but the reality is Georgia ranks fourth in the nation in cyber revenue. We have 150 cyber startups in the state. We have Fort Gordon, we have nine military installations. So it’s, it is a major cyber state. So I came in to do some consulting and advising and it just kind of led to me being offered the role of executive director.
I felt like the vision was really glad and I wanted to be part of it. My charter was to build the organization because when I first started, it was me and seven board members who formed our founding board members. That was five years ago. And today we just, I interviewed my prospective 45th board member and all together we have over 75 senior technology security executives involved in the coalition.
phillip_k_naithram And you’ve got a number of different councils that go along with that board, right? Tell us a little bit more about the makeup of NTSC. Is there a mission statement that you work with?
patrick_gaul Sure, our mission is to act as the national voice of the chief information security officer in Washington, DC. It’s a voice that’s been absent of. If you got a re hearing on the hill, around cyber and you look at those sparks who are testifying.
It’s often the same folks. It’s McAfee, Symantec, VMware, IBM Security, and they’re all incredibly talented and bright people. But none of them are Kevin McKenzie, the chief information security officer at Dollar Tree defending 18,000 stores across the nation day in and day out. So our mission is to bring the practitioners
to the hill, so that as legislators consider cyber legislation, cyber policy, which mostly impact CISOs, they actually have some perspective on how that’s going to impact a chief information security officer. So we started with the idea of bringing their voice to the hill. The board of directors is comprised of chief information security officers, or the equivalent titles, executive vice president site information security, things like that.
We’ve also formed a policy council, which is comprised of governmental affairs executives from our board members. And then we have an advisory council, which is sort of an eclectic group. It includes people like a retired Lieutenant General, Kevin McLaughlin, who was a former deputy director, US Cyber Command; former retired Major General Patricia Frost, who ran cyber security, electronic warfare for the US Army; Dick Clarke, who was the first cyber czar under Bill Clinton. So yeah, we got her in those three groups are 75 executives involved in supporting the coalition.
phillip_k_naithram It’s funny. You mentioned earlier Dollar Tree and I think for, for a lot of people, it’s really easy not to recognize just how much cybersecurity is an issue for things like the retail industry. Dollar Tree, it’s everyday companies, it’s Johnson and Johnson. It’s Pepsi-Cola, it’s, it’s everybody that does anything anywhere that has any sort of intellectual property. And it sounds like your membership is made up of all of those.
patrick_gaul It is. We’re, one of the advantages we have when we go to the hero is that we’re industry agnostic. So the chief information security officer at Johnson and Johnson doesn’t need any help with lobbying about pharmaceutical industry issues and the suicide rate. JP Morgan charity. Sue’s on my board.
Trust me, they got the financial services laundering all together. So we focused on our policies that transcend industries. So we’re industry agnostic. We’re nonpartisan. We’re not politically oriented. So when we’re walking, we’re not a K Street from we’re in Atlanta, Georgia. I talked to you a little bit about the five policies that we’re focused on.
The first one is national data breach notification legislation. Today in the United States, all 50 states have legislation focused on data breach notification. You have to comply with the way they ask you to notify them and their consumers. You need to make sure if you’re the chief legal counsel at X, Y says global farm, then you have to make sure you’re prepared to comply with the notification requirements in each state, which means you have to constantly be aware of the cause they’re not static.
Some people like to say compliance doesn’t equal security. I don’t agree with that because studies and study after study shows that compliant firms get breached a lot less than non-compliant firms, but still there’s a lot of administrative costs. And if you talked to any of the chief information security officers, they will tell you, you set the bar as high as you want in security. But give me one place to find. Make it a little less complicated.
So that’s the first policy, and closely behind that is creating a federal privacy mandate. So today we have CCPA, the California Consumer Privacy Act, which is the most comprehensive piece of privacy legislation in the United States. Very similar to the legislation that was passed in Europe called GDPR.
The global data protection act, very comprehensive. In fact, it’s sort of CCPA is modeled on GDPR and then recently, Virginia and Colorado passed privacy legislation. So we’re headed down the same path on privacy legislation that we have on data breach. We liked to have a federal privacy. The FTC would control it, I think would make the most organic, Federal Trade Commission. And in fact, they, the, the energy and commerce just passed, just approved the creation of a privacy bureau within FTC and this new legislation that’s going out, like a billion dollars allocated for that. That was just announced this week.
So. Number one, number two, number three is workforce development, cyber workforce development. And with a heavy emphasis on two areas. One is diversity. If you look at the number of women in cyber it’s appalling, and then if you look at the number of minorities behind that it’s even more appalling. And you look at the number of chief information. Do, only there were only out of the Fortune 1000 companies, there’s only 26 female CISOs, and, and believe me, if we had a long time, I’d go over and talk to you about the root cause, which goes all the way back to middle school.
And rather young women are being encouraged or discouraged to take. And then, if you walk into an AP calculus class in high school and you’re 25 students, you’d be lucky if you have three or four women that are taking AP calculus and then young women who go into college and take STEM programs, science, technology, engineering, and math, a large percentage of them.
It was like 66% of all young women who go into college focused on a STEM program drop out of the STEM program with, if not out of college, but out of the program first 18 months, because they haven’t gone through the rigors of math by the time they get to college.
We’re a lot more young women. W we think that, things aren’t Georgia did, which, if you, you can take a coding class and it’s the same thing as taking a foreign language class. When I was in school, everybody took two years of being a Spanish, French, German. It didn’t necessarily
make you a linguist when you finish the two years, but two years of coding is what we need, two years of computer programming. That’s what we need to have kids focused on today. And then the second thing is we want to create a national cyber scholarship for service program, similar to I, the analogy I use, if you go to Annapolis, and you get a great degree out of Annapolis, then you’re going to go serve six years in the military for four years in college.
So I want you to go to college for four years, get a degree in cyber security and then go work in state and federal government. They work at the NSA. Go work at cyber command army command as a civilian for six years. And why does that make sense? Well, if you look at the number of openings in the Federalist state governance, it’s, it vacillates, but it’s probably in the neighborhood of 45 to 50,000 jobs open right now.
If you look at the kids coming out of university with a degree in cyber, the first certification they get is called cyber CompTIA Security Plus. If you look at the number of jobs that are advertised that call for that certification only, then there are about 4.5 people for every. If you go up the stack to CISSP, some of the higher level certifications that you could only get with seven to nine years of experience, and you look at the number of openings and you look at the number of people available, it’s like 0.4.
So we want a national program. There are some programs and they’re really good programs, but they’re very narrow. We have over 5,000 institutions of higher learning in this country. Only 86 of them are qualified for cyber scholarship for service. And you take the state of Georgia when you have eight nationally recognized programs, at universities and colleges across the state and nationally recognized there. Centers of excellence by the NSA. Only two of them are qualified for cyber, for scholarship, for service.
So that’s policy number three. Number four is critical infrastructure focusing on protecting the operators and consumers. And then number five is, which is really woven through the first four is strengthening the public private partnership that you hear that term.
Phillip, public, private partnership, but when you really dig down, it needs a lot of work.
phillip_k_naithram When you’re lobbying and when you’re trying to affect these policies, what are some of the things you guys are doing and what does that look like when you, when you try to help more women get into STEM and more, other folks get into STEM when you try to help bring a program where people graduating, or they can go to college, get a STEM degree, and then work within the federal or state governments. Like, what does it look like to do?
patrick_gaul Well, it’s mostly faceted Georgia. I say, arguably has one of the best master’s program in cybersecurity in the country. But when they were sending out their online program, which is the same program you get, when you, when you go to school which right away is under $10,000 for a master’s program at Georgia Tech, which most people don’t realize. We’ve actually worked with the folks setting up the program, brought in 14 CISOs, trying to give them some sense of some of the things we’d like to see these kids having when they come out.
It’s kind of grassroot work there. And then when we go to Congress, it’s about educating people, helping them aware of the fact that only 86 universities and, we have over 5,000 working with congressional leaders in helping them. I get passionate about this. We were working with one Senator back in 2020, who had he been reelected?
I think we’d have a, a barrel on the floor right now. So he didn’t get reelected. So we, we had to step back and we’re working with another congressional leader now. It’s about education. It’s about dialogue. It’s about bringing the stakeholders together so that we can, we can have serious conversations about what is realistically happening in the marketplace.
The whole idea of all these kids getting out of university, you hear the, they’re starting at 80,000. Well, if they can get a job, maybe, but there are 4.5 for every. So you’ll meet kids who are working in internships because they just haven’t found a job and they’ve been out of school for 18 months.
But education is a key part of what we do. If you think about the house and the Senate and the number of congressional leaders who are truly, truly conversant with cybersecurity, it’s, it’s a small percentage. I mean, I could list a number of the names. And we lost some of those folks in 2020, who, who left the house you
phillip_k_naithram It sounds like you, in some sense, because that’s a natural thing that happens within government, that like you’re constantly restarting this conversation with new people. And then, part of the challenge is kind of you starting from one again, every two years.
patrick_gaul Or if you think of a House Homeland Security Committee, and don’t hold me to this number, I may be off by one or two, I think there were 20 new members that came in in January to that. We’ve met with every one of them. We’ve had conversations with every one of them. Helping them understand what we’re about, why we’re here, why, why the voice of the chief information security officer, a practical practitioner’s voice, is important to be heard. So it’s constantly having to educate. Erin probably next year at the end of next year in 2023, we’ll be educating some more new folks. But that’s okay, we have some congressional leaders who were very focused on cybersecurity, renters, Congressman Langevin who’s speaking at our conference next week.
phillip_k_naithram I think that goes to your point, like, you guys are doing this full-time and that’s specifically what NTSC is dedicated to doing, those five things. And so for the members, the huge benefit is that, for them to try to recreate what you’re already doing, they wouldn’t have the time or the personnel of the boots on the ground to really do. And that’s the biggest value that you guys you provide to them. You mentioned something just now about your conference. That’s coming up. That’s September 22nd and 23rd.
patrick_gaul The 22nd is sort of an internal day. We have a private lunch with Congressman Katko, where he’ll come in and talk to our members about his, his priorities and where he sees us going. And then we have our only face to face board meeting that afternoon. And that evening we’ll have a reception and a dinner.
And then the following day is the conference. And that kicks off with Jen Easterly, who was the director, the new director just recently appointed of the Cybersecurity and Infrastructure Security Agency. And then we have Tom bird is one of the topics that Microsoft’s coming in and talking about customer security. We’re doing a panel on, on the challenges with supply chain within healthcare. And we have the chief information security officers from Johnson and Johnson and Cardinal Health and McKesson. It will be moderated by a senior executive from Microsoft.
We finished the morning with Congressman Langevin. He’s the co-chair of the cybersecurity caucus in the house and then we’ll start right after lunch with Robert Hannigan, who’s the former director of GCHQ and he was the guy who set up the national cybersecurity center in the UK. So we’re going to kind of take an international slant. And so we want to get that, kind of the international perspective, what’s happening over there. How does it relate over here? And by the way, sir, your software has huge presence of the US so they’re very interested in cyber policy of the US.
We’ll have a chap by the name of Ray Rothrock, who is the executive chair of RedSeal out in the west coast, serial entrepreneur who wrote a book called Digital Resilience. And he’s going to come in and talk about the importance of resilience.
phillip_k_naithram So is there still time for anyone who may be listening to this to sign up for this year’s?
patrick_gaul Now we’re closed. However, if you did want to join virtually either the entire day where you want to pop in for one or two of the presentations, you can go to www.ntsc.org and go to events. And there’s a tab at the top, says events, and you click on that and then you click on the national conference. It’ll take you to a link and then you can pop in and out virtually. And watch as much or as little as you’d like. And we have well over a hundred people that have signed up virtually, mostly senior technology security executives. So, the conference is closed to in-person, but you’re, we’re all welcome to join us virtually.
We don’t charge for our conferences. We don’t, our regional round tables are invitation only. Because, the other thing is we never have any media in the room. And, and the reason for that is we really want to have a candid dialogue between the audience and the speakers.
And so if you’ve got a congressional leader in the room, the last thing they want to do is get misquoted. And we understand that.
phillip_k_naithram So any CISOs that are listening or anyone that is on the executive level or even up and coming that like to participate with NTSC and become a member and look at some of your events and soak up some of that knowledge. Would they do that on your website as well? Or what’s the process for doing.
patrick_gaul Well, I would say the first thing you do is go look. Yeah, that’d be NTSC.org, go look at our website. Look at some of our white papers. Probably the one I would read first is why the emerging voice of the CISO is so important on Capitol Hill. That white paper will explain why we believe we bringing that practical voice practitioners.
Voice is so critical. And then if you’re interested in learning about the board and becoming a member, then you can reach out to me directly. All of my contact details are on the website. We are planning to launch a new member program next January. And that program will be focus more on the mid level executives who aren’t ready yet for the board, but I want to have some insight into policy and legislation.
So we’re vendor light. So if you’re a chief information security officer, this is a message I always tell a candidate who was talking to me about becoming a board member. If you go to one of our events, you’re not going to be constantly being bugged by 27 year old salespeople trying to get your business card.
We’re vendor light and we don’t, we don’t allow any salespeople. So if you’re a Microsoft. Ben Hendricks who’s in the office of the chief architect is the board member. If you’re Palo Alto, Paul who’s, their chief security officer for the Americas is on the board. So we create that peer to peer relationship with our underwriters and our underwriters are extremely supportive. I mean, they just not just a financial investment. They support us with resources, technical writing, marketing resources. They believe in our mission.
It’s not about, oh, I want to sell to one of your customers. I mean, Microsoft believes that it’s important that we strengthen the public private dialogue. Their focus is very heavy on secure. I don’t know if you saw the announcement. They just brought in the former head of security at Amazon, 23 years at Amazon, Benny king’s going to be the new head of security. Palo Alto is complementary to Microsoft. They work closely together. So
phillip_k_naithram Well, thank you so much for joining us. I’m really, I’m happy that you made some time to kind of chat with us. I’m glad that we were able to get your message out, make sure that people are aware of not just what NTSC is, but the fact that this conference, how tailored and a private event it actually is and how much of a value and benefit it can be for the CISOs of the companies here in DC to participate in, in future events or join joining on the.
patrick_gaul Well, thank you very much for the invitation to be here. We really are grateful for the opportunity to get some more exposure and look forward to talking to you again about the journey side.
phillip_k_naithram I’d love to have you on to talk a little bit more. The DC local leaders podcast focuses on leadership development, mindset of executive and command leaders, military, government, and technology. And you’re right there. I know that you’ve got some military background I’d love to find. What makes you tick and how you got to where you are?
patrick_gaul Welcome that opportunity, Phillip. And thank you.