Cyber Policy alumnus Brian Conroy talks about how he’s been able to incorporate what he’s learned into his work.
A conversation with MPS Cyber Policy graduate Brian Conroy
Tell us a little bit about yourself and what you do now.
Currently, I manage programs in the South China Sea, the Arctic, and Washington, DC. I do business development work from an engineering perspective – IT, deployment, cybersecurity, and so on.
Prior to that, I was with the Department of Homeland Security and the Department of Defense. I retired from the Department of Homeland Security as the deputy executive director for Customs Border Protection (CBP). I was responsible for their IT infrastructure, as well as the development, deployment, and sustainment of IT, communication and law enforcement technology along the borders and at the different points of entry into the United States.
Before that, I was with the Department of Defense, the Navy. I worked primarily in the submarine arena. My career actually started off as a secondary nuclear propulsion engineer and electric power generation. That morphed into doing special projects for special operations. Somehow or other, my career morphed from being an engineer into the IT arena. I left DoD as a Command Deputy Chief Information Officer for a NAVSEA command.
I learned that security and safeguarding information is a fundamental need that was being ignored early on when I was developing our IT systems and applications. This required us to “back-fit” IT and information security in the mid 1990s. Today, IT and infrastructure security is of critical importance with the development of the Internet. The Internet provides greater ability to steal intelligence, and unknowingly perform surveillance and reconnaissance with greater subterfuge.
Why did you choose the cyber policy program?
What drew me to this program is the fact that for anything we do in the IT arena or information sharing and data analytics space, cybersecurity is really the fundamental base. You need to understand it not only from a technical perspective, but from a legal and policy perspective as well.
Everyone’s looking at cybersecurity from the IT perspective. Until recently, few have been looking at it from the holistic risk management standpoint. You need to consider the policy and legal aspects. You can deploy an IT solution, but if you don't do it correctly you will not establish policies and potentially violate various laws.
Technical capabilities provide the means to use social media, the Internet, public information, financial systems and various applications to harvest personal information in a way that may violate law and could send people to jail.
What’s one of the real-world applications from the Cyber Policy program?
If you want to elevate your career to either the private industry c-level or federal senior executive level, there's a certain accountability that comes from the ability to perform in a fiscally responsible manner. From a federal agency standpoint, you're required to report all expenditure of funds and the value proposition that you provide. You need to spend your funds wisely. To do that, you need to understand the cyber risks and to apply your limited resources in those particular areas of risk so that you're minimizing impact to your agency while minimizing cost. Most folks that get into the technical cyber business don't consider that. In Homeland Security, you do not have the funds to protect everything 100 percent. You need to focus your resources on those areas of highest risk. This will minimize exposure and impact to a cyber incursion.
If you're a c-level executive in private industry, you need to do something similar; however, it's even more challenging because everything in the private sector is financially driven. There’s also accountability at a senior level in any situation where you have to manage how you spend the funds and you do have cyber incursion.
Any situations where you’ve been able to apply what you learned in the Cyber Policy program?
I just returned from Mexico City. I met with several companies down there, as we're looking to potentially expand our partnerships outside of the U.S. They did not realize that their cyber approaches are a limited defensive approach. This is where you have static defense in depth, which includes how you set up your firewalls, etc. I started talking to them a little bit more about cyber risk-based assessment, very similar to what we did in this program. They didn't understand that initially, but I was able to articulate the process based on a lot of the classes I have taken.
They were also interested in a public safety perspective – first responders and disaster recovery. There was a heightened awareness based on the recent earthquake they had while I was in Mexico City. As we had those discussions, they realized they needed a cyber risk management perspective to integrate the IT, critical business function but also a risk-based approach as well. This holistic approach could provide a fundamental guideline for the Command, Control, Computer and Communication (C4).
What part of the course did you find particularly valuable?
What I liked about the program is that it was broad-based. We did a “deep-dive” on the IT piece of cyber security, exploring how you go about cyber exploitation and how you could use technology to mask your identity and IP addresses. The other piece that I thought was really interesting was how the government actually uses some of the policies, and how the laws lag significantly behind IT advances.
In fact, two weeks ago I attended an Intelligence and National Security Summit down in Washington. A lot of challenges that they're having today were addressed in this program. The different classes that I took at Utica College prepared me to have those discussions, and to add value to them.
Senior leaders are not as familiar with the challenges as they should be, not through their fault, but because things are changing so rapidly. A fundamental and limited skill set that is needed is the ability to translate technology jargon (“geek speak”) into a business understanding. The program gives you the fundamental understanding of how to explain cybersecurity and how it impacts and influences business.
Do you think having a technical background is necessary to succeed in the Cyber Policy program?
Actually, that came up in one of our discussions we had as a class. What I saw was that we had a good range of skill sets and experience in the students that were in the class. Some were extremely technical, and others on the other end were not as technical. But we had a lot of diverse experience. We were able to bring the technical, legal, policy and senior management experience to the synergistic “table”. As we had the discussions, we were able to share experiences. I think that added a valuable dimension to our learning experience.
Would you recommend Utica College to your colleagues or anyone else who is considering getting a master's degree in this area?
I personally would recommend Utica College. There are a lot of good colleges out there, but very few offer the policy driven and risk management-based cybersecurity perspective.
The other thing I liked is taking the class remotely. I live in New Hampshire, but I travel a fair amount for work. If I had to physically attend the class, I probably could not do it.