In this episode of Speed Data, JR Williamson, SVP & CISO at Leidos, shares his insights on leadership, resilience, staying ahead of the adversary, and introduces his concept of “risk-tasy”—the elasticity of rigor based on risk.
[00:00:00]
JR Williamson: they only have to compromise one really important system where I have to defend all of them across this entire attack surface.
Megan Garza: I mean, they, they only have to be, like you said, they only have to get it right one time, whereas you literally always have to, you know, be right with that.
JR Williamson: I think it's much more fun being an attacker than it
Megan Garza: I bet it's, I bet it's,
Megan Garza: Welcome to Speed Data, quick Conversations with Cybersecurity Leaders. I'm your host, Megan Garza. Today I'm speaking with JR Williamson, the Senior Vice President and Chief Information Security Officer for Leidos.
Welcome to the show, JR.
JR Williamson: Thank you. It's great to be here.
Megan Garza: JR oversees all aspects of the enterprise information security program for Leidos, including strategy, governance, and operations. He's also a founding member of the Okta CSO Forum, which brings cybersecurity leaders together to exchange [00:01:00] insights on how to address dynamic identity challenges and the ever-evolving threat landscape.
And speaking of cybersecurity leaders, JR was named one of the top 10 CISOs to watch by Washington Exec and was a Northrop Grumman Technical Fellow, selected for achieving the highest caliber of scientific, technical and systems engineering talent. And if that weren't impressive enough, JR has also published numerous articles for organizations like Georgetown University and the Internet Security Alliance.
You stayed busy, JR. Tell me, what does your day-to-day look like?
JR Williamson: Lots of meetings. Lots of meetings. Daily life is just picking up the pieces every morning. You know, the beauty of this field is that it's dynamic. It's changing all the time. And so, you have sort of your schedule, you have your routines, you have your meetings, and then there's stuff, stuff just happens and you're responding very quickly to that.
So my schedule's very fluid.
Megan Garza: Yeah, I bet every day looks different, I'm sure.
JR Williamson: Which is part of the excitement. I [00:02:00] mean, this is one of the things that's sort of a joy, you know, of a career in cybersecurity. But if you really don't like that, you know, you really want things to be a little more nailed down and solid, probably not the best
Megan Garza: Not the one for you.
JR Williamson: is a very dynamic world.
Megan Garza: Yeah. And how did you get started in cybersecurity?
JR Williamson: You know, ironically, I didn't wanna be in cybersecurity. You know, I'm an IT guy, growing up through the IT world, and everybody wants to, you know, maybe one day become CIO of a corporation. And so I was on that path. I was always a technologist, you know, as a computer science engineer, so I love technology and so this was a very natural fit for me, to be in the IT space.
And I got a little deeper and further into my career and I got tapped on the shoulder to say, "Hey, JR, you know, we'd really like for you to get involved in information security." And I'm like, security, what? I mean, those are the no people. Uh, that's not a fun job to do.
You know, I'm an engineer, like to provide solutions, like to fix stuff, you know, like to do the engineer's dance, you know, when you solve a problem and get something done. So [00:03:00] security, no, that's not for me. And so I said no. That worked. I kept going. And in fact I was at Northrop Grumman at the time and I was running what we call our one NG program office.
You know, bringing all of many pieces of Northrop Grumman into one now, 'cause we were highly decentralized back in the days of a tremendous amount of merger and acquisitions, you know, that helped to, you know, quadruple the size of the company. And, uh, so that was kind of fun. You know, very big technical problem, integration, people, process, all that stuff coming together.
And then I get tapped on the shoulder again, "Hey, JR, you know, you're doing a great job over there. We'd really like for you to get involved in this information security thing." And so ultimately I sort of had my arm twisted. And you know, sometimes you gotta listen to the organization when they come to you and say, we really want you to do something else.
And so I kind of reluctantly got into information security. We can call it cyber back then. Uh, but information security. And, you know, I was in the job for probably five or six months and said, this is amazing. I [00:04:00] mean, this is so cool. You know, you get not only the sort of the technical problems that you have to deal with and I was trying to deal with and the people and process, but also risk and trying to really thread a conversation around risk.
And so my mantra at that time was, it's not about "no," N-O, it's about "know," K-N-O-W. You know, let's apply a little bit more of an engineering mindset to these problems and come up with solutions. Get away from that fear, uncertainty, and doubt, and directly into how can we solve this problem within acceptable risk tolerance.
And so that's what got me into it. And then, you know, again, reluctantly. But once I got in, I thought this is the greatest job ever.
Megan Garza: Yeah. And as somebody who was a little bit hesitant to get into that field, um, what do you think most organizations misunderstand about information security, cybersecurity?
JR Williamson: I think it's largely that it's a, a dynamic and strategic risk for the corporation. You know, most people think of cyber as [00:05:00] something else, something special. It's not, it's a business risk and it can be very strategic to deal with because the effects or the harms that can come from a cyberattack can be very disruptive to the business.
And I think that's probably the one thing most people don't understand. You know, I think a lot of times people just imagine, oh, well, you know, you're in the security business, your job's to defend and, and to protect and to say no, you know, to things that people want to do. And sure, there's those things.
But the mantra that I have is that there's really sort of three key words that define the mission of cybersecurity. It is protect. We understand the technician, it's security, but it's more that it's, it's also partnering. It's partnering with the business. It's partnering with your suppliers. Because it's an all hazards kind of problem, and it takes a village to defend against a common adversary.
And then the third is transform. So it's really partner, protect and transform. And that transform mission is huge because it is so dynamic. The adversary's constantly changing. It is a [00:06:00] battlefield and, and so, you know, sometimes your best plans don't survive first contact. It's essential to make sure that you understand really the key elements and tenets of how this battle is going to occur, so that you can be adaptive to the changes necessary and effectively protect, uh, your organization.
Megan Garza: Yeah. And you, you mentioned kind of battling that adversary. In your opinion, what is the best way to defend against a cyber attack?
JR Williamson: Defense is always challenging, and, and first and foremost, if you don't know what the adversary actually wants, you know, why are they picking on you? Why, why are they knocking on your door? Then it's really hard to defend because you're, you're defending
everything, and you're having to defend everything in the exact same way, and that's really not very cost effective. So, so first and foremost, what do you have that's important to them and why do they want it? And so, so I think if you understand that, that really helps to get into the mindset of the attacker, the mindset of the adversary.
[00:07:00] And then you can come up with countermeasures to, to how to defend it. Obviously, you have to protect your identities. You have to protect your endpoints, you gotta deal with vulnerabilities.
You gotta deal with speed, because the adversary is using tools and technology to rapidly discover and to exploit those vulnerabilities. You've gotta detect them quickly and fix 'em before they get the opportunity, uh, to take advantage of those. Believe me, it's, it's a, it's a fast-paced game, uh, that's happening, uh, you know, every day and, and unfortunately, they have the advantage, uh, because they only really know what's in their minds to, to achieve.
And they have almost unlimited resources depending on, you know, what, sort of category of threat actor they are, to, to continuously pound on your, on your front door, in order to, uh, to get in. So it's, it's hard. I mean, they only have to compromise one really important system where I have to defend all of them across this entire attack surface.
Megan Garza: I mean, they, they only have to be, like you said, they only have to get it right one time, whereas you [00:08:00] literally always have to, you know, be right with that.
JR Williamson: I think it's much more fun being an attacker than it
Megan Garza: I bet it's, I bet it's. What is your personal most dreaded type of cyber attack?
JR Williamson: Well, I think anything that is really destructive, you know, so, people just exploiting vulnerabilities and that kind of stuff can create problems for, for sure. Uh, but you can tend to respond to those pretty quickly. I think the most heinous ones are the ones that actually destroy, and they're destroying infrastructure.
They're destroying data, and that can be almost instantly disruptive to the business. And so those are the ones that I think you fear the most. Fortunately, in the defense industrial base, we don't have to deal with ransomware a great deal. You know, typically those sort of criminal threat actors don't come after organizations like ours.
You know, 'cause we have the entire nation behind us. And, and I don't think you really want, you know, to poke the bear in that way. And so it's important that, that we create defense in depth, that we have isolation, that [00:09:00] we are dynamic in our monitoring. We, we penetration-test ourselves, act like the threat actors themselves, find those holes, fix those holes before the adversary's able to do it.
Megan Garza: Sure.
JR Williamson: So those are, those are very challenging things and, and when you work on sort of national security, you know, one of the big concerns of course are secrets, and the adversary wants to, from an espionage perspective, to get in and persist so that they can be in the infrastructure and to be able to find those secrets and kind of, you know,
stay low and, and, and be very deliberate and undetected, so that they can surveil, uh, and persist that presence. And so those are also fairly heinous. And, and so that's something we spend a lot of time and energy on to sort of root out where those type of attackers are, how they're living off the land,
I think you'll hear a lot these days, to remain sort of undetected. And obviously we'd like to prevent them from getting there in the first place, [00:10:00] but when they do get in, we want to find them quickly and root them out.
Megan Garza: Yeah. And if they do get in, uh, what advice do you have for other security leaders on those first steps when discovering a vulnerability or exploit?
JR Williamson: Sure. Well, it's like, it's like any other sort of breach response. You know, you, you deal with isolation. You know, okay, I'm, they're on this system, how did they get here? I'm gonna isolate that. I'm gonna do my forensics. I'm gonna figure out, uh, how they got in. Uh, and then I have to hunt. Because if they got in there, it's possible they got in somewhere else.
And, and again, you got this whole large attack surface that you're trying to defend. Uh, so once you do find, uh, a foothold, uh, and you isolate that and you begin your forensics, you're on the clock. You're on the clock because if you disrupt that command and control, uh, signal that they have, then they know that they've been detected, which means they could pivot and shift to another location.
So again, now we're in this little game where [00:11:00] we're, we're trying to protect, uh, appropriately, but we now need to discover. So it's a threat hunting type of thing. Where else are they potentially at? Uh, so understanding how they got in is really important. You create these indicators of compromise. You go hunt, uh, across your entire, uh, global infrastructure.
Try to find where they're at, uh, create isolation techniques once you discover them. And then pull the trigger, boot 'em out, you know, all at the same time. And then look continuously for the behaviors and patterns of behaviors, uh, that allowed them to persist into the environment. So then it's that continuous learning thing, you know, so when you, when you look at the, uh, you know, NIST Cybersecurity Framework and you, you identify and you protect, and then it's detect, respond, and recover.
And a big part of that is this learning loop, you know, about how you, uh, you know, continuously improve so that you keep the threat actor out of the environment.
Megan Garza: Yeah. And lastly, [00:12:00] can you share one thing that you wish future cybersecurity professionals knew?
JR Williamson: Really work with the business, understand what your risk tolerances are. Not everything can or should be protected to the same level because it's inefficient.
In fact, I invented a word, I'm an engineer. You know, we make up words. And I invented this word called, uh, risk-tasy. And risk-tasy is all about the elasticity of rigor based on risk. So when risk is high, you need more rigor. Because you're trying to assure an outcome, and so you gotta put more rigor to it.
You know, more checking, more tooling, more capability, more quality control, all those kinds of things. Why? Because risk is high, higher rigor. But when, when risk is low, why are you finding all that rigor? I mean, that's just cost. You know, that's friction with the business. You know, that's not really leading to an outcome.
It doesn't help you compete, I guarantee you. And nobody ever won by spending one more dollar on compliance than the next guy. You know, so, so your dollars [00:13:00] need to go into innovation. You need to differentiate you the capabilities that you have. And so that, that understanding of risk-tasy is really important.
Megan Garza: Yeah. I love that phrase, risk-tasy. I'm, I'm definitely stealing it.
JR Williamson: Risk-tasy, yes, we make up words. That's what we do as engineers.
Megan Garza: Love it. Well, thank you so much for chatting with me today, JR. I had a wonderful conversation with you and, uh, for our audience, if you would like to be a guest on Speed Data, please visit veronas.com/speed data. Thanks again, JR.
JR Williamson: My pleasure. Thanks for having me.