Cyber Savvy

The Dual Role of a CISO: Security and IT with Dr. Jeff Baldwin | Part 2

DTC, Inc.


In this episode of the Cyber Savvy Podcast, Dr. Jeff Baldwin discusses his dual role as a cybersecurity trainer and college professor. He shares insights on navigating the complexities of CMMC compliance, the importance of cloud environments, and the use of virtual desktop infrastructure in cybersecurity. Dr. Baldwin also addresses the challenges of breaking into the cybersecurity industry, particularly in a competitive job market, and emphasizes the importance of taking control of one's career path.

Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!


Mike Shelah (00:02.169)
 Hello, Podcast Universe. We are back with Dr. Jeff Baldwin on the Cyber Savvy Podcast. Hello, Dr. Baldwin. Great to see you again.
 
 Dr. Jeff Baldwin (00:10.35)
 Thanks for having me. Good to see you.
 
 Mike Shelah (00:11.954)
 Yeah, so last time we did a little nerdy goodness. We talked about CMMC, we talked about control requirements, we talked about environments, we talked about the difference between compliance and security. I would like to sit on the other side of the work that you do now, because I love that you're sort of at both ends of the spectrum. You're helping the young people in college who know everything, just ask them, and you're also helping...
 
 you know, numerous people with their certifications and their audits and getting eligible, whether they want to be an RPO, whether they want to be a C3PAO, you know, whether they want to get through all the hoops that you must jump through to be in the cyber world. So, you know, let's start there, big picture. How do you balance the two between being the CMMC trainer and being the college professor?
 
 Dr. Jeff Baldwin (01:10.606)
 All right, so I have been what's called an adjunct professor since 2010. So when I first started with that, I had gotten my master's in 2009. And typically, if you're teaching at the bachelor level, they like you to have the master's. Teaching at the master's level, they like you to have a doctorate. So I started teaching in the undergrad where I went for my undergrad. So just...
 
 through circumstances, they said, hey, do you need anybody? And they're like, sure. So I started teaching there, and a variety of different courses for that. And I did that for about five years. And then back in 2014, I believe, maybe it was 2013, I started teaching through University of Maryland Global Campus, at the time University of Maryland University College, which was a silly name, because it was like university, university college, like.
 
 So now I like the new name a lot better. So University of Maryland Global Campus. So the real cool thing is I teach people all around the world. And most of the time they are either in the military or just got out of the military using their, you know, GI Bill. So it's a lot of adult learners. So it's been really great working with them. I've taught, you know, the 18 year olds and the 20 year olds before, like you're saying. And it's definitely a different experience working with, you know, transitioning adults moving into their next careers and things.
 
 Now, I started there, and again, I don't remember if it was 2013 or 2014, but it's been a long time. So I started in one department in their cybersecurity doing more of the security management sort of roles, more of the CISSP, more of the Security+ oriented training. And then a few years back, I transitioned into more of their cloud security department. So...
 
 things that are more aligned to the AWS Certified professional and Cloud+, and the course that I developed for them is the Security in the Cloud course. So that one is more mapped and geared around ISC2's Certified Cloud Security Professional, so it's more of an agnostic, not vendor-centric
 
 Dr. Jeff Baldwin (03:33.086)
 course that deals with security and aspects for when you're working in the cloud. So I've been teaching that for the last several years. And as an adjunct, real quick, is that they don't necessarily guarantee you a teaching thing; they give you a contract every semester and say here's the course that you're going to teach, accept or deny, you know, accept or reject. So, yep, they give me a course every semester basically and I just teach it.
 
 Mike Shelah (03:42.927)
 Yeah, you just
 
 Mike Shelah (04:04.2)
 So you just made a good point that I would love to just go into a little deeper, the idea of agnostic certifications, because again, if I go back to CMMC, there are certain environments that are benchmark approved to work in CMMC, and there are certain environments that are not there and have been very candid about saying, we're not gonna make the effort. It's too much expense for us to make our environment.
 
 benchmark approved for CMMC. So I'm curious to hear your thoughts on different environments and kind of giving the bad news to a client to say, look, I know you invested a lot of money in this environment, but if you're going to stay in the government contracting space, you're going to have to move.
 
 Dr. Jeff Baldwin (04:53.134)
 Interesting. Yeah. So thinking about that one a little bit, the main one that comes to my mind is the Azure commercial environment. So can you get CMMC certified with an Azure commercial environment? And the answer that nobody likes, but is the answer that everybody should give in InfoSec for all time, is it depends.
 
 Mike Shelah (05:19.188)
 You
 
 Dr. Jeff Baldwin (05:20.418)
 So could you do it? Theoretically, yes. Is it worth doing it? Or instead, you could just move to one of the clouds that Microsoft says they'll actually support. You probably want to move to the ones that they say they'll support. So when you're just using, you know, CUI Basic, GCC, which is also built on the commercial cloud, you can move to that one. If you think you're going to work with anything that's export controlled or has aspects of NOFORN, no foreign nationals,
 
 then they really push you towards the GCC High cloud, which is part of the Azure government cloud. So when you're working with somebody and they're in the commercial and they don't want to leave, then that's a piece. And they're like, well, I use this other thing. I use this other thing and I Frankensteined this monster together. Can I get certified? Yes, you still can, as long as you're meeting all those requirements. So I'm not saying that you can't. I'm just saying it gets a little bit more complex and complicated. And then when you want to have
 
 DFARS (c) through (g) for incident reporting support and support from Microsoft on your DFARS 7012 clause, they won't really give it to you for that particular environment. Now, if you have other tools that you've integrated in, like I said, Frankensteined together, you can still do it. So other clouds out there, people have been successful with Google's cloud, and AWS is late to the game, but they're also working through that one. There's a couple out there that use AWS.
 
 And I've not really seen Oracle in this play yet. But they could get into it too. But it's really building on the infrastructure as a service that they have there anyways. So you can build it out, and you can architect and engineer it and make it
 
 Mike Shelah (07:08.444)
 And I think that's the point that if you're a government contractor that you really want to have a clear understanding of. Meaning, it can be done, but when you look at all the time and all the money that you would invest to keep what you have, you're probably better off just biting the bullet, moving to this other environment because
 
 Yes, you're going to lose some money because you made an investment and maybe you still have a contract and you're going to have termination costs. You could be smart about those things. You can sort of tail them out so that they're less impactful. But the administration going forward, the simplicity of having a benchmark-approved platform, is going to make the Dr. Jeff Baldwins of the world a lot happier when they have to administer it and they have to run their team through it.
 
 Dr. Jeff Baldwin (08:09.538)
 Yeah, and there's less you'd have to demonstrate to an assessor. And this is actually one of the things that's part of the QuickTrack design. QuickTrack, again, is a managed enclave as a service. And then you're like, well, okay, what's an enclave? So an enclave in this context is, you can either do your complete enterprise, so you can go get CMMC certified for a complete enterprise, or you can take a sliver of that, carve it out, call it an enclave, put it behind a firewall,
 
 and you can move your CUI workflows into that environment. So for an organization that doesn't have the ability to create an enclave within their environment, we have that managed enclave as a service. So you can work through us, have us build out an enclave for you, and then you can move your CUI workflows into that environment with a virtual desktop. What I like about that approach is you can keep your commercial environment and everything that you do on a day-to-day basis.
 
 Like I do this, I do this, I check my email, I do this. But if only 10% of your job is CUI, then 90% of your job's not related to CUI. So that 90% of your workload, keep doing it in the commercial environment, keep everything that you have. For that 10% of your workload that's CUI, go work in an enclave. So with an Azure Virtual Desktop, you can do it from the same machine. So I'm on this computer in front of me doing my commercial work. I got another monitor over here.
 
 I'll open up my VDI session, or virtual desktop infrastructure session. And if the only thing that I'm receiving back to this local physical computer is the keyboard, video, mouse traffic that's getting sent back and forth, I can't copy paste, I can't click and drag things, then by the CMMC rule in 32 CFR part 170, this physical machine in front of me can be considered out of scope of the CMMC scope. So I can keep my commercial environment,
 
 everything that I do on a day-to-day basis, exactly the same. When I need to do CUI workflow, I will open up a virtual desktop session, have that desktop there, do the work that I need to do in that desktop. And then when I'm done, I just close that session. And I didn't have to change too much about my life, because the hardest thing in security is changing behavior and changing culture. So if I'm only changing 10% of your culture instead of 100% of your culture,
 
 Dr. Jeff Baldwin (10:33.698)
 then it gets a little bit more accepted by the users.
 
 Mike Shelah (10:37.576)
 Now that is an interesting point that I would love to dive into a little deeper. In our last segment, you talked about technology and security working together, but they're not completely meshed. In that example that you just gave, are you often finding that the customer has to buy more robust endpoints so that they can handle
 
 the virtual platform as well as all the other tasks that the machine has to run. And I'm guessing there are certain other requirements that will go into that machine running more efficiently so that, as we said, the employees don't revolt and walk out.
 
 Dr. Jeff Baldwin (11:19.598)
 Well, when you have a VDI session, your physical machine that's in front of you, the computing resources are actually coming from the cloud. So really all you're getting back is the visual representation of something. So I had, let's say, a GPU SKU, which is one of the things. And I had a virtual machine that was really beefy. Actually, I had more resources than the physical computer in front of me. I could go run AutoCAD in that environment and do all the engineering work,
 
 and it's not using any of the resources on this local computer. What that local computer is doing is just getting that screen back here. So I can see what's happening, but all that processing is occurring in the cloud.
 
 Mike Shelah (12:01.214)
 So it's a true skinny client.
 
 Dr. Jeff Baldwin (12:03.244)
 Yeah, it's basically a thin client to an extent, except that you have everything else, right? So you can still do all your commercial workloads and things like that. So it's not a true thin client. It's not a thin terminal, right? But anything that can install the Microsoft remote app can access that cloud environment. So...
 
 Macintoshes can install it, Windows can install it, iPad can install it. So if you wanna pull that open in a VDI session, you can. And that's really helpful if you're like walking around in the field somewhere and you're like, I wanna look at things while I'm looking at physical things and not have a computer in front of me.
 
 Mike Shelah (12:51.922)
 Yeah, and I think that's a good distinction, particularly for the government contractors to understand because when you go through
 
 CMMC for the first time, you do that assessment, you look at your 110 control requirements and find out you're basically fulfilling five, so now implement the other 105. One of the big concerns is, well, I'm gonna have a huge capital expense to get there. And I'm not saying that's untrue, but there are aspects of it that may not be as financially impactful when it's done with a tool like what you've just described.
 
 Dr. Jeff Baldwin (13:32.748)
 Yeah, your base expense is usually going to be the licensing. So when you are using a GCC High license, it does cost more than a commercial license. And that's why if you keep your commercial environment and you have the GCC High environment, you have really two choices there. They call it the all-in approach or the enclave approach. And the all-in approach would be, all right, get rid of every single commercial account we have. The whole environment's moving to GCC High. We're going to relicense everybody with that.
 
 versus the enclave is like, cool, keep your commercial accounts. And then we're going to have a few users, a subset of users, that are going to also have a second credential, a second account for the GCC High side. So that, I haven't done the math myself, but people that resell us and stuff, they say that the breakeven point's about 50-50. So if you have more than half of your users that need to use the CUI,
 
 Mike Shelah (14:29.351)
 good to know.
 
 Dr. Jeff Baldwin (14:30.624)
 then it makes sense to do the all-in approach. But if less than half of your users are going to work with CUI, the enclave approach is more affordable, even though you're paying for two licenses, for commercial and GCC High. That's just something a reseller passed along to me when they were doing the math. I haven't done the math myself to confirm.
 
 Mike Shelah (14:42.313)
 That's
 
 Mike Shelah (14:47.796)
 That's an important decision point though for a government contractor because a lot of them, you know, they have a particular set of skills, you know, if you will, and they got good at doing a thing and they're doing that thing for the government. The one thing they weren't good at was security because that's why CMMC has been mandated because everybody was saying, yeah, I'm doing it. I promise.
 
 Cross my heart, hope to die. I'm following the 110 control requirements of NIST, and it all fell by the wayside for that. But to know that there's a reasonable break-even point. So if you've got a staff of 100 people and 30 of them are focused on the GovCon piece and the other 70 are not, they're administrative or other aspects of the business, that's a cost-effective way
 
 to approach this necessity so that you can continue having your government contracts.
 
 Dr. Jeff Baldwin (15:45.9)
 Yep. And then when you work with a third party like Beryllium or QuickTrack, then we are typically going to be cheaper than if you tried to in-house it yourself. So there's a lot of variables to the cost there, but it's going to cost less than you hiring FTEs to do it for you. So our ideal customer does not have a robust security staff. They do not have a robust IT staff. So every once in a while, a customer comes in and they're like,
 
 a giant, you know, multi-billion dollar company and they're like, yeah, we're interested in this. And I'm like, are you though? Couldn't you just hire a couple of people, you know, and do it? But yeah, for those smaller organizations, it makes a ton of sense for them to just, you know, use us and our expertise so that they don't have to hire that expertise. Because let's say you did try to in-house it yourself. You somehow went out into the market. You found a really great person that could handle your IT and your security for you.
 
 Your entire program relies on that one person. Does that sound like a risk? Because what happens when that person leaves? Yeah, it's a bottleneck. Or when they leave, you have no program anymore, because that person is the program. Versus using a third party, if we have staff turnover, that's fine. You're still going to have a security program for those cloud resources that you're going to be consuming.
 
 Mike Shelah (16:50.964)
 Pfft. Bottleneck at the very least.
 
 Mike Shelah (17:15.444)
 So when you're talking to your students, again, you have two distinct student pools, if you will. You have your college UMGC students, and then you have the people that you're training and certifying. What are a couple of the big differences you're seeing in the information that you need to deliver to them today?
 
 Dr. Jeff Baldwin (17:36.506)
 Well, they're actually both kind of curated. So when you're doing a college course, there is the curriculum, there's the syllabus and there are the assignments, and the structure is all pre-built for you. You're executing on that thing. And really what's happening is you are answering the questions that they might have and engaging in the discussions that they have on that stuff. But for both sort of things.
 
 Mike Shelah (17:50.974)
 You're just executing.
 
 Dr. Jeff Baldwin (18:05.14)
 I kind of look at myself as the facilitator of learning. I can't force you to learn, but I can facilitate learning for you, right? And I can be there to answer any questions because you didn't understand something. So that on the college side, syllabus, you follow, you know, everything's built out into the learning management system. And then on the other side of it, it's also very similar. There's a learning management system that I built out,
 
 and the different things that we go over for each session and the different quizzes and other things. And same sort of thing there. CMMC requires me to license training materials. So currently I'm just the training provider and I'm licensing materials from the publishing partner. So they publish the material, I pay a licensing fee, I then go deliver that training to the students for CMMC. And again, same sort of thing there.
 
 facilitate the learning, deliver the content, and then answer the questions and help them through any things that they're working through. So very similar in concept at the high level because of that. Now, someday maybe I'll become also a maker of the approved training material so that I don't have to license it anymore and save myself some money. But it just takes time to do that. And I just haven't put that on my roadmap yet.
 
 But eventually I'd like to do that when we update the training. So right now it's really awkward because I'm training old material because the test hasn't been updated. So I have to be like, OK, so here's what the test answer is going to be around. And here's the real answer. If you go do an assessment today, here's the real answer. If you go take your exam tomorrow, here's the old answer. So it's a little bit more confusing. And they're really slow to update the test. But when they update the test, then I want to jump in and do the training.
 
 Mike Shelah (19:48.872)
 So wow.
 
 Dr. Jeff Baldwin (19:59.086)
 pieces to it so that I can license it and really have the full story that I want to do through that training and do things like create, you know, here's an SSP, let's evaluate a control and say, does that look good? What's wrong with this control? And kind of get some more of that practical hands-on rather than just, I'm going to read a slide deck to you.
 
 Mike Shelah (20:23.196)
 So you said that you facilitate learning because you can't make people learn. I love that. You can be a vessel through which people learn. For your UMGC students, what are some of the more interesting questions that are coming up out there as you're going through your course and your syllabus?
 
 Dr. Jeff Baldwin (20:44.43)
 The thing that they're mostly interested in is how to break into the industry, which is another one, those LinkedIn fodder posts out there that you'll see every once in a while. How do you break into the cyber industry? Right? And it's not as easy as it used to be. Let's put it that way. I'd say this is probably the worst job market that I've seen in over a decade. The last time the job market was this bad was...
 
 Mike Shelah (20:54.334)
 Yeah.
 
 Mike Shelah (21:02.025)
 Yes.
 
 Dr. Jeff Baldwin (21:10.254)
 If you remember those sequestration days back in like 2010, 2009, or that three-year period there where nobody got raises and everything was horrible. So there's that going on. So I think it is one of the worst job markets out there. And there's a lot of competition at the entry level, and a lot of people feel that and see that. Um, when you are in the military though, they seem to do better at it because they're not
 
 coming in with like no experience at all. They have their military experience, they might have clearances from the military and they're just transitioning. And you have programs like SkillBridge, which are really good, that help them to transition. So that's where most of the questions are really around. How do I break into security? And then there's a lot of opinions out there and some people will be like, well, you know, I just joined the help desk and then I worked my way up. Does that work? It can. Does it not work? Doesn't guarantee it works, right?
 
 And it's really all driven by some aspects. And one of the aspects that's really important is the continual learning, showing the curiosity. So if you don't have work experience, what are the things that you do then? Then you get into, do you have any projects that you've done? Or have you done any volunteering? Because there are probably nonprofits and other places out there that could use the security expertise that you've learned,
 
 and they may not be able to pay you, but guess what? That's experience. Now, if you go next level, you go next level, it's like a couple hundred bucks to make an LLC, right? Now you have a resume with a job, with an LLC that you own, and you could be doing free labor and other stuff, but you tie it under that position that you now have, and guess what you have? You have experience.
 
 And then if you transition that into paid experience, then you might figure out, I make a lot more money working for myself than I do working for somebody else. And you might say, hey, I'm just going to stay an entrepreneur. Or I really like to work for the big corporate thing and do these little check boxes and say, well, let's do the performance review. And guess what? You can't ever get exceeding because, we're not allocated those ones. And it really goes to the people that are the kiss butts.
 
 Dr. Jeff Baldwin (23:27.719)
 And yeah, I don't have good things to say about corporate America, so don't ask me about corporate America.
 
 Mike Shelah (23:31.7)
 You and I could probably have an offline conversation just about that as someone who has been in technology sales for 26 years now. I've worked for massive companies. I've worked for companies that had five employees and across the spectrum. Yeah, corporate America definitely leaves some things to be desired, but I love your
 
 your thought process there around if you can't find a job, make a job. I talk to college students all the time about using LinkedIn to find a job, and I tell them something very counterintuitive. I go, don't apply to jobs that are on there, because you're going to be one of a thousand people. What you wanna do is you wanna build a list of 10 to 15 companies that you're actually interested in working for,
 
 and you wanna reach out to the owner or the hiring manager within those 10 or 15 companies and say, hey, here's my skillset, here's my background. I don't know if you're looking to hire someone right now, but I would love to discuss that with you if you are. Because invariably, if you do that, you'll get two or three people that say, well, sure, let's have a conversation. That may or may not turn into a job, but what they're missing is there's that layer, you know, what's public,
 
 is being so beaten up by the thousand candidates and very candidly those thousand candidates would probably all do that job well enough to make corporate America happy. So it's really difficult for corporate America to sift through those thousand candidates and just interview five. So then they start using AI driven keywords. They look for people that have
 
 ridiculous credentials. You know, they were with one company for 15 years. Well, that's the person I want. Why does that matter to you? Wouldn't you rather have somebody that's recently been certified and has gone through some of the newer credentials and trainings and has gotten more of the cutting edge? You know, wouldn't that be valuable? And the answer may be both. Some of them may want that, some of them may not. But yeah, I like your LLC idea that you get out there and what's the worst that could happen?
 
 Dr. Jeff Baldwin (25:54.326)
 Yeah. And a couple of things that you kind of triggered in my mind is, yes, in-person stuff as well. So there's ISC2 local chapters that you might be in. There's ISSA local chapters you might be in. There might be meetup groups. That physical going somewhere, networking, meeting people, and they'll keep you in mind when things are available or if there are things. That's going to be your really great way to find positions out there.
 
 And if there is an online cold post, like you're going to try to apply to this cold job that's been out there and it's been out there a while, don't even bother. Right? If it's a new post and you set your job agents to say, hey, new post, first day, first day post, you got opportunity to get in there. You can be within the first couple hundred. And really also targeting whether you're going to go for the remote job or like a geolocation job.
 
 If you're going for a location that's not a popular location, there's not going to be that many candidates. And if you are able to move, then you can go there. If you're going for the remote job, same sort of thing. There's now these AI bots out there that will just apply to jobs for you. And you can brute force it that way and just go, boom, apply to everything, and you might get a call. But the other thing that's not spoken about enough is phantom jobs. So why?
 
 Mike Shelah (27:13.982)
 Pfft!
 
 Mike Shelah (27:23.223)
 yes.
 
 Dr. Jeff Baldwin (27:23.564)
 is this job out there. It's not even a real job and they're not actually hiring for it, but they're posting it for a couple reasons. Make it look like they're hiring, and they need to remove all tax breaks related to that, right? So one of the things they're doing that is, you know, makes it look like we're hiring, we're growing, we're strong, right? And a lot of local governments and other governments, if you pretend like you're hiring, you'll get a tax break. So eliminate that immediately.
 
 Mike Shelah (27:53.384)
 Yeah, I was a victim of that probably about 10 years ago. A good friend of mine works for a large company out on the West Coast. That was a good fit for my background and my skillset. And he referred me in and I couldn't get any traction with it. And after a couple of weeks, I reached back out to him. I'm like, Tony, do you know what's going on? He said, let me talk to the hiring manager and fire an arrow. It was exactly what you just described. They said, it's not a real job. They actually have no intent of hiring for it. They just wanted to see what demand would be like.
 
 Dr. Jeff Baldwin (28:24.31)
 Yep. Or yeah, I would say there's a lot of lies out there, and who's selling them? It's the training people, right? There's like, whatever, ISC2 saying there's like millions and millions of jobs. And then it's like, caveat that. It's like, you're looking at maybe the world. And if you're looking at India, China, and you're including those millions in there, yeah, sure. But then you look at the American market and it's not millions of job openings. So that's just a complete lie.
 
 Mike Shelah (28:25.042)
 And that's disheartening.
 
 Mike Shelah (28:55.518)
 Well, Dr. Baldwin, this has been a lot of fun. I always enjoy talking to somebody with your depth of skills and background. Any parting comments that you have before we wrap up this episode?
 
 Dr. Jeff Baldwin (29:07.502)
 Parting comments. So we hit on some good ones today, and it's really one of the things that you learn as well, is that you are the one in control of your career. So if you don't like doing something, do something different, right? And you can control where you go with that and the things you want to get into. And you can take a delayed gratification approach. Like if you view it from, where do I really want to end up and what are the steps to get me there?
 
 So you can say, all right, does this role that I'm about to accept move me towards that end goal that I want to get to? Does it? Yes or no? And some of the times it's just survival, right? Well, I need it for pay just to make money, right? Because I need it to survive. Then once you're in a position, it's often easier to then look for another job. Because if you don't have any job at all and you're looking, it's more desperation. When you have your basic necessities covered through,
 
 you know, your paycheck, then you're more free to look and be a little bit more discerning. One thing that I'll often do is I'll apply somewhere and I can say, I can always turn this down. And I've turned down a lot of jobs in my career. So I can always turn a job down. There's no harm in having a conversation.
 
 Mike Shelah (30:24.388)
 I love that. What a wonderful way to wrap up this episode. Dr. Jeff Baldwin, CISO of Beryllium InfoSec, thank you so much for your time and your thoughts on what's going on in the IT and cybersecurity marketplace. And to our listening audience, I hope you've enjoyed this as much as I have. Tune in next month. We've got a slate of great guests coming up for you over the summer. Perfect for listening to while you're in the car driving to see your next client or your next opportunity.
 
 Again, I am Mike Shelah with DTC. This episode is powered by DTC. To learn more, go to www.dtctoday.com. And remember at DTC, we make shh IT work.
 