As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing John DeSimone, vice-president of Cybersecurity, Training and Services for Raytheon Intelligence & Space, a business of Raytheon Technologies. Most recently, DeSimone led the business’ Cybersecurity and Special Missions organization where he oversaw strategy and operations for the cybersecurity solutions and services business. DeSimone previously led the Cybersecurity and Special Missions mission area at Raytheon Company’s Intelligence, Information and Services business prior to Raytheon Company’s merger with United Technologies Corporation in 2020.
Before joining Raytheon in 2016, DeSimone served as an executive vice president of delivery and operations at CSRA Inc. He also served as vice president and general manager of Computer Sciences Corporation’s North American Public Sector Enterprise Services group, where he led the strategic direction, planning and execution of the group’s growth and development initiatives, driving and delivering next-generation technology solutions for customers across NPS’ portfolio.
DeSimone has held executive roles at IBM’s public sector and at Northrop Grumman Corporation. He also held a leadership position at Motorola, Inc. as the head of its public safety software business. DeSimone earned a bachelor’s degree in computer science from Columbia University in New York and attended the Motorola Chairman’s Leadership Institute at the Kellogg School of Management at Northwestern University.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up outside of Pittsburgh, PA in a small coal mining “patch” town called Grindstone. Both my father’s and mother’s families immigrated from Italy, and I enjoyed growing up not only with my two sisters, but also with our extended family, who all lived in close proximity. I played football, baseball and basketball and ran track growing up, and played football in college, following in my father’s and two uncles’ footsteps.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I actually began my career as a software developer, and I still miss the pleasure of coding every now and then. It was in this role that I found an opportunity to run business software early in my career, expanding into enterprise infrastructure services as well. I found myself shifting to a cybersecurity career because there was a need for these horizontal cyber capabilities among enterprises.
Can you share the most interesting story that happened to you since you began this fascinating career?
Around 2010, I created the first Cybersecurity product line within the business unit I ran and I have helped to create one in every business I’ve led since. If you have a vision for something, advocate for it. You never know where it might lead.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I have been extremely lucky to have so many great people to help me grow throughout the years. To name a few, Preston Augenbaum at IBM, Rick Neal at Motorola, and Dave Wajsgras at Raytheon, have each helped to develop my skills as a cyber expert at significant points in my career. Having worked for Dave Wajsgras at Raytheon over a few years, I learned an immense deal from not only a great leader, but a great person as well. Now, with the Raytheon-United Technologies merger creating Raytheon Intelligence & Space, I am fortunate to have recently started working with and for another great leader, Roy Azevedo.
I must say, the person that has had the greatest impact on my career is Dave Zolet. I’ve had the pleasure to know Dave for 20 years and he’s the reason I moved to Washington DC and began working in the Public Sector. Dave has taught me many important lessons, but the most important one emphasized that leading and managing people is a privilege not to be taken lightly.
Are you working on any exciting new projects now? How do you think that will help people?
Here at Raytheon Intelligence & Space, we have a particular focus on educating and empowering the next generation of cyber defenders. According to a 2019 (ISC)² Cybersecurity Workforce Study, the current cybersecurity workforce needs to grow by 145 percent to meet global demand. Already this year’s crop of talent has demonstrated their work ethic in a virtual environment under unprecedented circumstances while exercising their skills through practical offerings such as the National Collegiate Cyber Defense Competition (NCCDC). What sets many of them apart from their more tenured counterparts is that they have experienced and successfully performed while facing real-world threats even before earning their degree.
To further support this cyber growth, Raytheon Technologies has announced a 4 million dollar grant to the newly formed Alabama School of Cyber Technology and Engineering (ASCTE) to help prepare students for cybersecurity careers in government and industry. ASCTE is Alabama’s only fully public, residential high school for students from across the state’s 137 school districts seeking advanced studies in engineering and cyber technology.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Among those recently surveyed, 70% of professionals across all industries feel their employers aren’t doing enough to prevent burnout. Another 21% of professionals say their company does not offer any programs or incentives to alleviate stress. These numbers are alarming, especially now, when employees are working from home, and are lacking a commute and usual routine that helps to separate work from home.
With this in mind, it’s important for cyber professionals to arm themselves with mentors spanning various departments, to create a support system encouraging collaboration, and for cyber leaders to grant their teams the flexibility to walk away from work when they need to. This also means cyber leaders should be consistently checking in with their employees (via phone and video calls) to ensure they are empowered to prioritize their own personal and mental health. Cybersecurity is filled with frequent high-stress and high-risk discussions. A good leader will know how to disclose this information in an effective way that limits this stress as much as possible in order for teams to overcome a challenge instead of being crushed by the pressure it can cause.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- The speed of innovation is top of mind as an exciting area to explore. The technology we can use to address rapidly evolving threats grows by leaps and bounds. It’s all moving fast, so seeing what’s around the corner fascinates me.
- Building strong partnerships is extremely important in today’s cybersecurity landscape. No single organization can be all things to all people, so we must join our expertise with the companies that have complementary services. What we can do together is always exciting.
- Developing the next generation of cyber warriors is an exhilarating initiative. We have a strong commitment to university partnerships and STEM programs, including the National Collegiate Cyber Defense Competition (NCCDC). Seeing our young people who are incredibly smart and ready to tackle hard problems is inspiring.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
U.S. supply chain attacks increased by 78 percent between 2017 and 2018. With thousands of suppliers supporting the government system, there is a critical need for risk management services, as well as scalable tools and software that can identify threats and mitigate risk throughout the supply chain. This is a continuous process; it requires time and resources, and can only be done if the private and public sectors work together to create baseline security standards for the Department of Defense and its partners.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I am extremely focused on the speed of innovation and its constantly evolving challenges. As such, I know how great it is to be on the cutting edge and tackling the toughest problems. When it comes to combating associated cybersecurity breaches, I’ve learned how exciting it is to work on the collaboration taking place between industry and Government. Everyone agrees you can’t go it alone and partnering is critical to build the strongest defense.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I primarily utilize Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools. Used in conjunction, they provide a powerful cyber defense. SIEM relies more on people to operate whereas SOAR takes advantage of automation in order to take action and help mitigate the shortage of cyber talent while ensuring actions are immediately taken when intrusions are detected.
I also can’t stress enough the importance of enabling automatic updates, the use of a secure communications tool (such as Signal) for texting, voice and video, as well as a network-attached storage (NAS) tool at home to ensure a secure backup of personal information. Although cloud-based services are good for some backups, they will periodically change their policies on what types and how many files can be protected, and may even discontinue offering services.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
When an organization lacks a larger cybersecurity team, MSSP Services are its best choice. Organizations will never be able to outhire the cyber threat, but an outcomes-based and as-a-service cybersecurity strategy will remove the burden of ownership and staffing.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Unfortunately, most people notice a data breach or cyber attack when it’s too late. With that said, when ransomware strikes, organizations will notice the attack when their computers are locked or when additional unusual network activity is present. Penetration testing, table top exercises and preventative measures are key in order to notice this activity as soon as possible.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
At this point, organizations must call in the experts. They should not try to recover on their own as it requires an immense amount of effort and resources to mitigate the consequences of a data or security breach.
Privacy laws are one of several types of laws applicable to cybersecurity. Whenever new laws are passed, we must carefully analyze our cyber products and services and adjust them as necessary to ensure we offer legally compliant solutions.
What are the most common data security and cybersecurity mistakes you have seen companies make?
We can no longer think about cyber vulnerabilities after they’re breached by malicious actors. Instead, organizations must proactively institute innovative and scalable solutions that track and deter threats for agencies of all sizes. Cybersecurity practices must be built into society’s infrastructure, improving resiliency and mitigating the severity of attacks that disrupt global security.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
The COVID-19 pandemic has changed the way we live and work. For the first time, millions of Americans are working from home, and those numbers will only increase as new restrictions on public gatherings are considered. This means stressed VPNs and swamped computer servers. It also means new cyber risks as more of us take our computers outside our workplaces into home-based networks. In many ways, this new normal will become a test for an organization’s cyber defenses, and perhaps our country’s national security.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recently issued an alert, warning organizations about specific vulnerabilities regarding teleworking. We should expect an uptick in malicious attacks as hackers will exploit this crisis to assault critical infrastructure and disrupt essential systems. If our adversaries like Russia or North Korea breached our systems/networks, they could severely hamper efforts to decelerate the spread of the virus or steal our nation’s most guarded secrets.
Now, as a nation, we’re seeing firsthand the importance of having processes in place to ensure that our most critical systems and sensitive assets are protected at all costs. But there are companies, both large and small, that do not have the necessary security infrastructure and processes in place to stave off cyberattacks in a remote working environment.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Every company needs to take the following immediate steps to tighten up its approach to data privacy and cybersecurity:
- Ensure existing perimeter defenses are enabled and implement basic cyber-hygiene.
- Implement multi-factor authentication.
- Remain wary of phishing attacks.
- Keep employees from using public Wi-Fi.
- Don’t underestimate the wealth of sophisticated threat vectors cybercriminals can deploy.
But limiting an approach to data privacy and cybersecurity to these five steps is simply not enough to effectively defend an organization’s perimeter and endpoints that are now increasingly permeable. If a bad actor gains access to the system, absent a zero trust environment, they’re easily able to hop around inside a network and tamper with or steal sensitive information. Organizations must treat the enterprise as a battlefield and assume that criminals already have access.
Going forward, businesses must also implement enterprise resiliency capabilities and a holistic architecture that provides a zero-trust solution, which verifies everybody and offers enterprise-scale data protection and cyber resiliency. It prevents attackers from compromising a network, or for those criminals already inside the system, from moving laterally.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Really listen to people. Make sure you understand everyone’s perspective. It’s often a habit to think about what to say next, but if we all would really listen to different ideas from others, they feel heard and empowered and the listener has the gift of benefitting from a new perspective.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!