Cyber Credit Scores and More with ICF’s Michael Sanchez
Michael Sanchez, VP Commercial Cybersecurity and Compliance for ICF International, is a native Texan working in IT Audit and Compliance for 27 years. He came out of industry where he ran the IT department for one of the large energy companies in Houston, a $12 billion company. Michael spent 8 years there, for a total of 16 years in industry, and is now in his twelfth year as a consultant. He looks at cybersecurity from both an operational standpoint and as a consultant, having worked for three companies in industry and supported over 50 companies in consulting.
What Is Cybersecurity?
Cybersecurity is pretty simple. It is how we protect networks, computers, programs, and data from attack, damage, or access. We do this through people, process, and technology.
The linchpin of today’s cybersecurity is people. The attack vector of choice is phishing, which is very hard to defend against. We have seen some technologies available to help companies understand the kind of behaviors they can be looking for, but people and their actions are very difficult to defend against.
As people and companies get more involved in cybersecurity – as it begins to merit more than annual training – there are some useful tools available. We are currently evaluating a tool that sits on top of your network and looks for behaviors from your users, assigning what is essentially a credit score. You can then identify risky patterns and behavior. With a cyber credit score, you can write Service Level Agreements (SLAs), and if someone’s credit score falls below a specific level, we can revoke access until that person has taken some training. The training can be specific to the behaviors that the professional was exhibiting that caused the score to drop.
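The following is an added example, not code from ICF or from the tool described in the interview, of how a behavioral "cyber credit score" with an SLA threshold can be implemented. The event types, penalty weights, 30-day half-life, 60-point revocation threshold, training-module names and sample events are all assumptions constructed for the illustration; the point is the mechanism: every user starts at 100, observed risky behaviors subtract age-decayed penalties, good hygiene (reporting a phish) adds back, and falling below the threshold revokes access and assigns training matched to the behaviors that caused the drop.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed penalty per observed behaviour (positive = risky, negative = good
# hygiene such as reporting a phish). Weights are illustrative, not ICF's.
EVENT_PENALTIES = {
    "phish_click": 25,
    "phish_credential_submit": 40,
    "usb_unapproved": 15,
    "policy_violation_download": 10,
    "phish_reported": -10,
}

# Assumed mapping from a risky behaviour to the training module that addresses it.
TRAINING_FOR_EVENT = {
    "phish_click": "phishing-recognition",
    "phish_credential_submit": "credential-handling",
    "usb_unapproved": "removable-media-policy",
    "policy_violation_download": "acceptable-use",
}

MAX_SCORE = 100.0
REVOKE_THRESHOLD = 60.0    # assumed SLA cut-off: below this, access is revoked
HALF_LIFE_DAYS = 30.0      # a penalty's weight halves every 30 days
TRAINING_WINDOW_DAYS = 90  # only recent behaviours drive training assignments


@dataclass(frozen=True)
class UserEvent:
    user: str
    kind: str
    when: datetime


def score_user(events, now, half_life_days=HALF_LIFE_DAYS):
    """Start at MAX_SCORE, subtract age-decayed penalties, clamp to [0, MAX_SCORE]."""
    score = MAX_SCORE
    for e in events:
        age_days = (now - e.when).total_seconds() / 86400
        weight = 0.5 ** (age_days / half_life_days)  # exponential decay with age
        score -= EVENT_PENALTIES[e.kind] * weight
    return round(max(0.0, min(MAX_SCORE, score)), 2)


def evaluate_user(user, events, now):
    """Apply the SLA: below the threshold, revoke access and assign targeted training."""
    own = [e for e in events if e.user == user]
    score = score_user(own, now)
    recent_cutoff = now - timedelta(days=TRAINING_WINDOW_DAYS)
    # Training is specific to the recent risky behaviours that pulled the score down.
    training = sorted({
        TRAINING_FOR_EVENT[e.kind]
        for e in own
        if e.when >= recent_cutoff and EVENT_PENALTIES[e.kind] > 0
    })
    action = "revoke_access" if score < REVOKE_THRESHOLD else "ok"
    return {
        "user": user,
        "score": score,
        "action": action,
        "training": training if action == "revoke_access" else [],
    }


# Constructed sample telemetry (not real data): one clean reporter, one
# repeat offender, and one user whose single click has mostly decayed away.
NOW = datetime(2024, 6, 1)
SAMPLE_EVENTS = [
    UserEvent("alice", "phish_reported", NOW),
    UserEvent("bob", "phish_click", NOW),
    UserEvent("bob", "phish_credential_submit", NOW),
    UserEvent("bob", "usb_unapproved", NOW - timedelta(days=30)),
    UserEvent("carol", "phish_click", NOW - timedelta(days=60)),
]


def run_report(events=SAMPLE_EVENTS, now=NOW):
    """Evaluate every user seen in the event stream."""
    return [evaluate_user(u, events, now) for u in sorted({e.user for e in events})]


if __name__ == "__main__":
    for row in run_report():
        print(row)
```

The decay is the design choice worth noting: without it a single old click would keep a user locked out forever, and with it the score recovers on its own once behavior improves, so revocation reflects current risk rather than history. Tuning the weights and threshold against your own phishing-simulation data is what turns this skeleton into a usable SLA.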
Tell Us about ICF’s Cybersecurity Program
Within ICF, we have over 5,000 employees who serve clients from 70 offices worldwide, and of those 5,000 employees, we have 240 that focus on cybersecurity. Internally, we are organized into Federal and Commercial groups.
On the Federal side, we support contracts for the Department of Energy and Army Research Lab, to name a couple. There are very specific certifications and security backgrounds that these folks need to have. On the commercial side, which is the side that I lead, we are organized by sector, including critical infrastructure – energy, financial, healthcare and transportation. The areas in which we see a tremendous amount of activity are the electric industry, oil and gas, and healthcare. With my background in electric, and oil and gas, I really enjoy serving in those areas. I also appreciate opportunities to help our customers by pulling together strong teams from our company and possibly government agencies.
Share Some of the Cybersecurity Community Organizations that You Are Involved with and Their Possible Impact for Helping Job Seekers Network
I am a board member of Infragard Houston and have been involved with them for 8 years. Infragard is a partnership between the FBI and the private sector. We share information and intelligence from both a physical and cybersecurity perspective to prevent hostile acts against the U.S.
Members of the organization go through a screening to make sure that they don’t have a criminal background, so when you attend the events, you know that other participants have been vetted. We try to organize meetings by industry sector, and we have specific Special Interest Groups (SIGs) so that you are able to network with people who have similar backgrounds, opportunities, and challenges.
Infragard offers good networking opportunities for cybersecurity and physical security professionals and is helpful for professionals pursuing careers in the security industry. If a veteran applies for Infragard membership, we recommend that they fill in their application with their military background.
For more career networking, reaching out through the certification organizations such as ISACA – which has the two certifications CISA and CISM – is very important. When I am interviewing candidates, I look for three certifications: CISA, CISM, and CISSP. CISSP is administered through ISC2. These are two great networking organizations for security professionals.
Beyond regional organizations for networking, there are several online networking groups for cybersecurity professionals on LinkedIn. We actually created and manage the NERC Cybersecurity Professionals Group.
When You Look for Professionals to Join Your Team, Beyond the Certifications and Technical Skills, What Are You Looking for in a Great Cybersecurity Professional?
Because we are a consulting organization, we look for people who are good listeners. We need professionals who can sit down with our customers and understand that our role is to advise, share options, and help select the best option that meets their needs.
Our consultants need to have good oral and written skills as well as the ability to present solution options to their client. The output of our work is typically a report stating that we did a physical security or cybersecurity assessment and listing the controls that we reviewed, what we found, and our recommendations for improvement.
We also look for leadership skills as our consultants will be on client teams and visiting client sites. They need to be able to organize and help manage people to achieve a common goal. We feel that our consultants are advisors to our clients, so it is important that they have the skills, certifications, and experience – this is all very important – but being able to manage teams with members from both ICF and the client’s company or organization is always critical.