NeoSystems Corporation

Government Contracting

Podcast Season 7 Episode 2 – Cyber Seen & Heard with Chris Hughes of Aquia

August 25, 2021 | BY: NeoSystems Team

Chris Hughes had a fantastic career in the military which he then parlayed into a solid career in cybersecurity with a focus on cloud security. Today Chris serves as co-founder and the Chief Information Security Officer of Aquia. In this episode we talk extensively about how Chris developed the area of interest and his admirable discipline for constantly learning. We also talk about supply chain attacks, how the cloud has become ubiquitous, and the security needed to keep the cloud safe.

Transcript

Erin Keating:
Welcome to Neo Cast. Join us each week as we discuss challenges in government contracting, strategies and solutions for your businesses. We’ll dive into managed IT, cybersecurity, workforce advancement and much, much more. Sharing is caring and we’ve got top shelf advice to help you navigate today’s biggest challenges. Let’s get to it.

Erin Keating:
Hi everybody and welcome back to another episode of Neocast. This is an exciting series we’re doing called Cyber Seen and Heard. For those of you that tuned into the first episode of this series, you were treated to a lovely conversation with Tatyana Bolton of the R Street Institute. And what we’re really trying to focus this series on is getting to know individuals in the cybersecurity industry, their stories, how they got to their roles, areas of expertise for them and then particular passion projects they have. And we couldn’t be more excited than to invite back a friend of NeoSystems, Chris Hughes. Welcome.

Chris Hughes:
Thank you. Thank you for having me.

Erin Keating:
Absolutely. So Chris, you are a co-founder and CISO of a relatively new company Aquia, right?

Chris Hughes:
Yep. Aquia. That’s right.

Erin Keating:
Aquia. Sorry I mispronounced it. I knew I was going to do that. Could you tell us a little bit about the organization that you’re with right now and this company and what sort of led you to found it and then we want to dig in a little bit to how you even got to this point in your career.

Chris Hughes:
Yeah, definitely. So the company Aquia, as I mentioned, I co-founded and serve as a CISO as well with two partners, one of which comes from… They’re both actually veterans of the Army, one of which has an extensive background in public service in the federal health space as an executive, both inside and outside of government and various leadership positions. And then the other individual has an extensive technical background at Apple and Amazon and companies like that out in Silicon Valley and brings that technical expertise to go along with the other individual’s business acumen. And then me, my background is mostly in security in the public sector and DOD, the federal civilian government in industry working with those, those entities basically.

Erin Keating:
And former military or are you?

Chris Hughes:
Yes, I was… That’s right. Yeah, I was active duty air force 2008, 2012. And then I was also a Navy civilian from 2000 and, what was it? For about four and a half years? I don’t remember. 2012 to 16 or so roughly.

Erin Keating:
Great. Well, thank you for your service. We should say that first and foremost. We appreciate that. So I took a look at your profile. We talked a little bit about your background and what I found was super interesting is just the lengthy number of certifications you have, perhaps the non-traditional education path you chose, the multiple degrees you have. It just is really exciting to meet someone who’s obviously very steeped in knowledge and seeking multiple degrees, multiple certifications to really build out your ability to help combat cyber security issues. Could you tell us a little bit about that path, why you chose the different path, which different certifications and how you would encourage others who are looking at cyber security as a profession?

Chris Hughes:
Yeah, definitely. It’s a topic I’m passionate about and it comes up a lot in this, in this industry and space, it’s always kind of binary between should you get certifications or should you get a degree or do you want someone who has experience or do you want someone who has an education? As if like you can’t have both and I’ve never really liked that dichotomy that we always put the conversation around. But for me, I started off in cybersecurity when I joined the Air Force. I had no traditional formal background in IT or cybersecurity, but went through their tech school and training that they put you through and started learning in that route as well as then just being thrown into on the job training and education. And while I was active duty, I picked up maybe one certification in that four-year window.

Chris Hughes:
When you’re a young person in the military, you don’t feel a ton of pressure to pursue a bunch of certifications or anything. You’re kind of preoccupied with other things when you’re young. But for me, when I got out of the military, it was kind of twofold. One was in the sense that I no longer had that guaranteed pay so I needed to explore my VA, GI Bill benefit, right? That’s a source of income, essentially it became for a young man. But also I was eager to learn and I wanted to get a degree because I didn’t have a degree at the time. I knew it definitely would help with career opportunities basically. So from there, I went for a bachelor’s in IT systems with a focus on networking.

Chris Hughes:
And then I wanted to diversify after that a bit and went for an MBA, go towards the business side a bit and focus on IT systems. And then after I finished that, I felt like I needed to get more technical again. So I went for a master’s in cybersecurity from a university called Dakota State University. I’ve also kicked around the idea of a doctorate. Actually started one at one point, but, I have four kids and at the time I had three kids and that in addition to the family commitments was just kind of drowning me. So I put that on pause, but I hope to circle back to it one day.

Chris Hughes:
And on the certification front, I have, it has to be like at least 20 or more certifications. And the reason for that is I feel like it’s, for me personally, one of the best ways I learn is kind of put myself in a time box like I have a certain time to really focus on a topic and having some kind of thing to hold me committed to that at the end like an exam. That’s something that’s really helped me focus my learning. And then it helps from an employment perspective too seeing what certifications are in demand, what technologies are interesting and employers are looking for. So that’s kind of how I focus my learning. And it’s just like the more I learn, the more I realize I don’t know and it sends me down another path of looking into a different topic or a different specialty basically.

Erin Keating:
Yeah. No, I think it’s fine. I love the discipline around it because I think a lot of people feel that there’s not very easy ways to find time or financial resources to pursue certifications and degrees. And it seems like you’ve really put that forefront. And frankly with cyber security, I would imagine the knowledge is changing consistently. The landscape of what the threats are, how to tackle them are changing consistently. Have you found that staying on top of your education is helping you to maybe even prognosticate what’s coming down the line, what you might need to be preparing for or would you say that also has something to do with your military background? I mean, I’m curious because a lot of people from the military do go into cyber security and it’s an interesting transition.

Chris Hughes:
Yeah. I would definitely say it’s… You touched on a lot of good points there. Basically one thing it’s helped me do is stay ahead of the trend of if I see an emerging technology, that’s kind of like hot or buzzwordy and I know organizations are going to adopt it, I’ll start to focus on it for learning. And it served me well in my career in that regard too. But yes, things move super fast in cybersecurity and I feel like some people would like to throw out like how certifications don’t mean much, experience means more, right? But you’re limited sometimes. You may be in a role, you might not get experienced with certain things. So you need to go out of your way to learn those.

Chris Hughes:
Now on the topic of pursuing certification and affording them, nowadays, the education and the resources that are available, I can name so many websites like Udemy, A Cloud Guru, Linux Academy, Pluralsight. They go on and on and on. And you can either buy courses like individually for really cheap or you can get subscriptions for definitely affordable prices. So I think the democratization of the learning and the resources out there is something that’s never been at this level. There’s no reason not to learn essentially other than just not taking the initiative to do so in my opinion.

Erin Keating:
Yeah, absolutely. And now those are real technical skills you’re gathering, technical knowledge you’re gathering. I’m just curious. What soft skills do you think you’ve been pulling off of maybe from your military background or just your background in general that helps you with this focus and this discipline and this drive?

Chris Hughes:
I think the discipline aspect is just kind of something I’ve always had. It’s something that served me well in the military. And I still do, like I still wake up early now. I still exercise every day. It’s just kind of who I am and I apply that to learning too, but soft skills is a good point because many people in our career field may be very, very technical, but they can’t communicate with people very well. You can’t put them in a room full of people or they kind of get locked up. I will say by nature, I’m actually like an introvert so I can communicate and talk very well but then after doing that, I’m drained and I need some alone time to recharge. But I think it definitely serves you well. At the end of the day, yes, it’s technology, but there’s still people behind this, there’s still people driving the organizations and the decisions that get made. You need to be able to talk to people, communicate, build relationships, build rapport. All those things are super important I think.

Erin Keating:
Yeah, it’s a good point because I mean, at the end of the day, a lot of people, I feel I’ve heard a lot of people don’t necessarily make the connection to cyber security and is criminal defense essentially. These are crimes, therefore there are people behind these crimes. And so being able to be in touch with how people and their emotional intelligence is just as important as that technical skill of being able to combat the crime at hand. But you kind of need to know what is motivating them.

Chris Hughes:
Yeah. It’s actually, there’s an area of emerging research and focus called human factors in cybersecurity. And my co-host of my podcast, Dr. Nikki Robinson is actually pursuing a doctorate in that focus. We’ve interviewed individuals like one individual named Calvin Nobles who has a doctorate in that area too. And just like… Because we’re always focusing on like the technical aspects of cybersecurity when really at the end of the day, it’s people making decisions that are often causing problems or that could be addressed to improve security posture for organizations. So we often forget the human aspect, but it’s so critical.

Erin Keating:
Yep. Yeah. The human firewall. It’s one of the most important, critical factors of safety as well, because I think most companies, what’s the statistic these days? Somewhere in 95, 99% of all cyber security attacks are by human phishing attacks and-

Chris Hughes:
It’s often, yeah, often a person in the loop or in the mix somewhere there. Yeah.

Erin Keating:
Yeah, exactly. Well, I could go on and on about your background, but let’s get into a topic that’s real specific to a lot of the work that NeoSystems does, but cybersecurity is really hot right now and is certainly your area of expertise, cloud security, cloud computing. So one of the things that raised this thought for me was when we talked about this before we got on the show, how are we going to pronounce it? But the Kaseya? Kaseya? I don’t know what we said we would do, but the Kaseya attack. One of the things I brought to market or light was the fact that it was affecting MSSPs or MSPs and being a supply chain attack where all of a sudden, you’re supposed to be the middleman of helping small to mid-sized businesses keep their businesses safe and unfortunately your system gets broken into and therefore leaves them vulnerable.

Erin Keating:
The cloud seems to make that a little easier perhaps for the cyber attackers, the cyber threat actors, but it also makes it easier to fix it because you actually aren’t… A lot of the stories we heard in that particular attack were half the companies were physically driving to locations to try to get laptops back and checking the server rooms. But then a lot of them who were able to close the loop quicker were utilizing cloud security. So I’m just curious if you could start to dive into the topic of cloud computing and cloud security and how we need to be thinking about it today in light of ransomware attacks that are happening day by day and then maybe specifically this particular example.

Chris Hughes:
Yeah, it is actually an interesting dichotomy. I think we’re seeing like an increase. Supply chain attacks are not new, but we’re definitely seeing an increased focus on it. And I think it’s because adversaries have realized I can target one company and maybe compromise them, or I can target a company that supplies or services many companies and pretty much amplify my reach and impact in that way. It is a kind of a double-edged sword. On one hand, we have a lot of small and mid-sized businesses that don’t have expert cybersecurity and IT staff so they need a managed service provider or managed security service provider, for example, to help them basically. But the challenge is that if that organization gets compromised, now it’s like a cascading impact across all the companies that they service.

Chris Hughes:
So it’s certainly a challenge. And on the front of cloud computing, I don’t want to dive in like what a definition of cloud is and things like that. But as you know, you can get on-demand compute resources, super easy to go in there and start building things out and being creative and respond to changes in the market very fast. But at the same time, if I’m an adversary or a malicious actor, I can go in there and quickly start spinning up resources and conducting malicious activities against entities too. So it’s very difficult in that regard. And it also provides an additional level of anonymity to them, because they can just go on there and use a throwaway credit card or something and start a fake account and just start doing malicious activities.

Chris Hughes:
And so it’s definitely challenging in that regard, but versus traditional architecture and systems, like you said, that you’re running around and trying to find all these servers that may be impacted and things like that, where if you’re in the cloud, you know exactly where your resources are, you can look and see who has access to them. You can even use modern technologies like infrastructure as code to tear things down quickly and restore them back to a previously known good state. So there’s a lot of advantages to cloud computing when done correctly, but the challenge is it’s often not done correctly. People don’t have the knowledge or expertise around cloud computing, maybe their organization moved to the cloud very quickly, but they didn’t upskill their workforce, whether it’s the existing workforce or they didn’t hire additional staff and resources that have those competencies to help complement their transition to the cloud. So it’s a very tricky situation when not done correctly, basically.

Erin Keating:
Yeah. And so one thing we’ve talked about is FedRAMP, and organizations like NeoSystems who have a cloud infrastructure and are working with organizations that are actually working with the government. And so CMMC has come into play now. And a lot of people when they’re thinking about cybersecurity, they’re thinking about these massive organizations that can afford the infrastructure to create tight, secure environments. But most businesses are small to midsize and are having to rely on MSPs and MSSPs to provide those services. So when you’re thinking about FedRAMP, maybe you could just sort of reiterate to the audience what FedRAMP means and what it is and how it secure, how it can offer security to individuals who are looking to use a cloud provider. But then also your own take on how cloud security providers ensure their customers that they are safe.

Chris Hughes:
Yeah, definitely. It’s a topic I discuss often and I think I’ve actually discussed it in a previous Neocast with folks there. But FedRAMP is essentially a program to vet and assess cloud service offerings and cloud service providers that want to do business with the federal marketplace. And it takes them through a rigorous process based on NIST 800-53 security controls, through an initial authorization and there’s continuous monitoring requirements to make sure you’re still meeting the controls and your security posture hasn’t changed in a negative direction, things of that nature. And the reason that’s valuable is if I’m using a cloud service provider that has not done FedRAMP or not done anything similar to FedRAMP, I really have no assurance that they’ve implemented any kind of security rigor or practices at their organization.

Chris Hughes:
They may self-attest to that because they may say, yeah, of course we’ve done that. We’ve done all the security activities that we need to do. You’re very secure to use our platform. But the problem with that is that’s just their word. And when business is online, they need to have revenue, they’re inclined to tell you that. And as far as the CMMC goes, I think we saw with the defense industrial base, it was the same situation. Prior to CMMC, when it was just 800-171 with no assessment requirements essentially by third-party, everyone was saying, yeah, we’ve done that. Yes, we’re good.

Chris Hughes:
And then it became very apparent that no one had really done it, they just said they did it. So now when you bring a third-party assessment into the mix, like with CMMC or FedRAMP, which both use like third-party assessment organizations, that kind of gives you a second set of eyes like an independent party to go and validate that yes, these things have been done. And that’s why that’s so important. So when I look to a managed service provider or cybersecurity service provider or a cloud service offering cloud service provider, I want to have a third party attestation that these things are being done. And that’s why that’s so important.

Erin Keating:
Yeah. So that speaks to what some of the customers might be concerned about. CMMC for right now, at least primarily focuses on any individual companies that are working with the Defense Department. So I’m wondering when I’m on the business side and I’m thinking, okay, another barrier for me to be able to do business, to innovate, to be a small, mid-sized cloud services company to come into the market. I can’t beat the other guys. How would you help them figure out… Where does the third party attestation come into effect for maybe people who are not catering to DOD businesses?

Chris Hughes:
Yeah. So when you talk about… You talked about kind of the, to go back to the MSP conversation essentially, we talked about how leaning into MSPs and small mid-sized businesses don’t have the expertise around IT and cybersecurity and things like that. If I want to do business with the federal government, the reason that FedRAMP or programs like that and managed service providers are important is that it lets me use what’s called the shared responsibility model. So it lets me lean into their service offerings, whether it’s infrastructure as a service, platform as a service, software as a service, et cetera, and lets me lean into what they’ve done already and inherit some security controls from them, which is a major, major task or burden essentially lifted off of me and kind of put onto the cloud service provider or managed service provider.

Chris Hughes:
And that’s super valuable because it lets me as a small business, right, focus on my core competencies. What is it that we do that provides value to our customers versus trying to do all these other things just to get to the market to be able to do business. And that’s incredibly problematic and costly and time consuming. So that’s the value of leaning into that shared responsibility model. And it’s also worth iterating that, and Gartner and many others have kind of talked about this and the overwhelming majority of cloud data breaches, for example, occur due to customer misconfiguration. So leaning into that shared responsibility model, putting more on the cloud service provider, this is what they do. Managed service providers, this is what they do, this is what they’re great at. Let them do that for me so that I can focus on what I’m good at and what makes my company business and makes us profitable.

Erin Keating:
Yeah. And so when I was reading about the shared responsibility model, it made sense to say, okay, well, here’s what the cloud security company does and offers and here’s what my responsibility is in that environment. What I’m hearing from you is saying that, do you see the barrier there is that most customers are going it’s added expense, I can configure this on my own. I’ve got an IT manager. It’s fine. Thank you for providing me the cloud. I’m going to go ahead and take over internally. And rather they should be actually allowing those types of configuration projects to stay with the cloud’s… Is that where the breakdown is or what’s happening there?

Chris Hughes:
I think that’s maybe part of it. For some decision makers at some organizations they may say, we can do this ourselves. We have Bob, he does all of our cybersecurity work for everything but Bob has a full plate already, right? He may not be able to focus on all of these things and he may not be as great as you think he is. And then also in my opinion from the CMMC perspective, the value is like the concept of a secure enclave. If I can keep that CUI, that data that’s critical to be secured, right? If I’m keeping it in a certain location, I know where it is, I know who has access to it, it hasn’t spread across my entire on-premise infrastructure for example, that helps you scope your assessment activities. With the third-party assessment kind of activity, it helps you scope that much easier because you know exactly where CUI is. You’ve kept it in a certain location. I think that’s part of the value right there.

Chris Hughes:
And I think the shared responsibility model too sometimes it can go the other direction where companies don’t think they can do it all, but they just think, oh, we’re in the cloud. We’re good. We’re good to go. But they don’t understand that the shared responsibility model means there’s a shared responsibility. There’s things that they’re still responsible for, things that they need to still be doing for themselves and they need to know… It’s typically referred to as like a customer responsibility matrix. It breaks down what the cloud service provider or managed service provider does in terms of controls and what’s left for you as a consumer of those organizations. What’s left for you to do. And most companies don’t understand that and I think that’s where things kind of start to go off the rails.

Erin Keating:
Yeah. So let’s talk about that. What are a couple of things that the customers do need to be thinking about when implementing a cloud system?

Chris Hughes:
I think… And sticking on the topic of the shared responsibility model is just knowing what are we consuming from a cloud service perspective. Infrastructure as a service, platform as a service or software, whatever the case is. And then getting those customer responsibility matrices and seeing what are they doing? What controls are we inheriting from them? The managed service provider or the CSP, for example, and then what’s left to us and making sure that you’re closing the gap and you have all your bases covered and you’re not leaving things undone because you assume that the MSP or CSP for example is doing them and just making sure you truly understand what you’re taking on as an organization, what’s left for you to be doing.

Erin Keating:
Right. And I mean, I would think that some of these things are pretty basic, but a lot of people, again, might just, when they’re going through organizational changes like this, they leave these little things off and change management is really difficult. I know we did an entire podcast series about change management and changing behavior, but little things like user IDs and latent IDs and password and passcode. All of these things are very important for the internal company to take care of. Don’t leave that up to your CSP. Just because you think you have something in the cloud doesn’t mean that they’re constantly monitoring that some employee has been fired and that you’ve cut off all their access and that you’ve… That type of stuff. Are there some other things that people are forgetting?

Chris Hughes:
Yeah. It’s definitely a great example. I mean, the overwhelming number of cases that occur around incidents regarding compromised credentials, for example, or abused credentials is extremely high and in almost no shared responsibility scenario do you offset total control of user management, data security, data accountability, things like that. Ultimately you can’t offset, you can’t put the accountability aspect right onto the cloud service provider or MSP. It’s something you’re still accountable for. And I think that’s something that many people overlook for sure.

Erin Keating:
Yeah. Well, and that’s the human component that we were talking about earlier is you have the humans in your office, you have the employees, so training them well and their shared responsibility as well and even all the way down to the employee is probably really important. So what else would you want us to know about cloud security right now, given the environment we’re in just to keep people safe, whether it’s the customer end or the cloud service providers? What do people need to be thinking about and ahead of right now?

Chris Hughes:
I’d say from the cloud service provider perspective, and we’re already seeing this from some of the major leading cloud service providers, is making more secure default configurations kind of baked in because there’s many cases where a user would start using something and they didn’t realize it was insecure by default, right? As soon as they use something, it was already opened up to the world and that’s problematic. So cloud service providers can help in the sense of making more default secure configurations for customers. That way it’s less room for error, less room for mistakes. And then from the organizational perspective, I think definitely invest in your workforce. Right? I know it seems you don’t want to see the ROI on it right away, but not having a competent workforce, whether it’s your direct employees, your partners, your consultants, your advisors, your managed service providers, whatever, be willing to spend in that direction to ensure that you don’t get compromised or run into a situation where your security is kind of haphazard and open.

Erin Keating:
Right. Right. Well, and I know that in your organization right now, one of the areas of offerings that you have are advisory services. And it’s interesting, a lot of companies will say, okay, I need an accountant advisory service. I need a financial advisory service. I need a marketing agency to help. I’ll use that as an example since I’m usually in marketing, but they don’t necessarily think of, oh, I need to go to an organization to get advisory knowledge around how I need to set up my security system. And it seems like that’s an area where we need to improve knowledge for procurement departments and business owners so that they understand that this is an area that truly does need expertise and you should lean into those experts to help you configure and design your systems, yeah?

Chris Hughes:
Yeah. I definitely think so. I think it comes down to like being honest with yourself around the limitations of your workforce. What are we good at? What aren’t we good at? What do we have core competencies and specialties in and where those gaps exist? And if we do have gaps, being willing to bring in an external party to help kind of close the gaps and then even in some cases a second set of eyes, right? Just to make sure that… We like our internal team, they’re great, but maybe they missed something. That’s where you need that second set of eyes to come in and assist. And it can help you get up to speed, find things you may have missed and find glaring gaps that may be out there.

Erin Keating:
Right. Yeah. We all know this as people, we keep all our records all year round, but you know what? When it comes time to filing your taxes, you do typically farm that out to someone, even if it’s just Intuit’s QuickBooks program. A lot of people will still turn to TurboTax just to make sure it’s done well. So that’s a good piece of advice. Well, I’d love to wrap up the episode as we did with Tatyana and talk a little bit about something that may be a little bit more personal for you. In the beginning of the episode, we talked about how much education and knowledge and certifications you’ve gone after. And that seems to be coming out in how you’re paying it forward to others. I know that you have the Resilient Cyber Podcast. It sounds like you have a few other podcast projects as well. And you write a lot of articles, you do a lot of webinars. Just can you tell me a little bit about where does that passion come from to democratize that type of knowledge that you’ve been given or you’ve pursued and giving it to others?

Chris Hughes:
Yeah, it’s definitely… I have the podcast presents, our podcasts, like you said. I also teach at a couple of different universities. I didn’t touch on this in the beginning, but I teach at University of Maryland Global Campus in their graduate cybersecurity program. I teach at Capitol Technology University in their graduate cybersecurity program. I’m involved with groups like Cloud Security Alliance on white papers and publications. I do some work with the Cloud Native Computing Foundation working group. It’s kind of multifaceted. On one hand, I do it because in order to teach or help others, I need to learn things. So it helps me really learn things very well because I’m not a big public speaker or things like that and if I’m going to get out there and say something, I want to make sure I really know it.

Chris Hughes:
And so being able to do that, it helps me learn. But also just knowing when I was coming up in cybersecurity, there was definitely a lot of resources. It wasn’t that long ago, for sure, but it wasn’t like it is now. I can just jump on and listen to a podcast by everyone breaking down all the lessons learned, all the experiences they’ve had, things like that. Jump on all of these learning platforms like Udemy and others and just grab a course for 10 bucks and learn something really quick. I can grab tons and tons of white papers breaking down complex topics for me. So it’s just getting it out there and helping kind of pull up others who may be earlier in their career trajectory and help them learn things that could be beneficial.

Chris Hughes:
And so, as I go through like on LinkedIn, for example, I share a lot of content, but it’s really just me learning. I learn something, I read it, I learn it and I’m like, this is great. I need to share this. And then I share it and it helps others learn too and then also it starts like some interesting conversations like maybe I think a certain way, a certain perspective about something. And I kind of share that and then some others chime in, I’m like okay, wait, I never thought about it like that. So it helps me hear other perspectives too. And so I do it for a lot of reasons, honestly. I think it’s something that people should do and not feel putting themselves out there, learn and share information with others and be willing to just give your perspective. Everyone should be willing to share their perspective honestly.

Erin Keating:
Sure. Well, I think it’s really cool and somewhat unusual. I mean, I came from automotive where things were highly secret. You didn’t see a lot of people democratizing their knowledge around vehicle systems and so forth because there’s so much competition. And cybersecurity, as I’ve been in it now for over two years, it’s a unique industry where it is our security. It’s our nation’s security, it’s our company’s security. And there is seemingly a growing desire for everyone to truly become collaborative and knowledge sharing, which is unusual because there are a lot of competitors in the market, so.

Chris Hughes:
Yeah, definitely. And I’ll say a couple of things about that: One is this career field is so diverse. There’s so many different niches: digital forensics, cloud security, you can just go on and on. There’s so many niches you’ll never know everything. So you’ll always be able to learn from other people. And then also it helps, we know there’s a major workforce gap that helps bring up that aspect of things and then bring others into the career field. And then also we know organizations of all sorts of sizes are struggling with cybersecurity. So it helps lift, kind of raise the tide for everyone. And then also I will say from the competitive perspective, a friend of mine had a quote that kind of was like information is free, but execution, you got to pay for. And anyone can know how to repeat things to you, but executing that is a whole another story. And I think that’s what differentiates in the career field and in the market, for example.

Erin Keating:
That’s a very good point. So yeah, democratize the information because trust me, there’s still some special sauce in the way in which someone might bring that to market and execute against it. My last important question here would be to your point, there’s so many different areas of cybersecurity and I think that’s why it’s really great that the information is being brought out because it gives people a lot of different ways to look at the industry. A lot of different ways to cut it and say, oh, I could get into there. How did you choose cloud security?

Chris Hughes:
So it was kind of voluntary and kind of involuntary. I was at the Navy at the time as a civilian and I was working with an agency called the Defense Health Agency. They had some early cloud migration projects going on and I happened to be like the ISSM which is kind of like the lead security person right on this project. And they were moving to the cloud. That was kind of the mandate from their leadership and I didn’t know anything about cloud. And like I said, I don’t, I don’t feel comfortable not knowing something. So if I have to do it and I have to be involved with it, I want to make sure I know it. So it just kind of sent me down that path of really learning and learning AWS and cloud security across different platforms in general too.

Chris Hughes:
And it’s kind of what led me down that path but also, I started looking around and seeing like where things were heading in the industry, organizations were increasingly adopting cloud, talking about cloud. And then beyond that, it was like security is kind of this afterthought. It always is. And I was like I don’t want to be kind of an individual that didn’t keep up with the career field. So I just kept on learning and it’s really served me well. And seeing, like I said, in the beginning, just seeing where technology is going, now we see a push for things like DevSecOps and Kubernetes and containers and just seeing where things are going and staying on top of that, it benefits your organization because they have a competent individual to help them or your customers or clients, but it also benefits your career because it keeps you having opportunities to assist in those ways.

Erin Keating:
Yeah. So it looks like you go up to the broad issue of cloud computing and then you’re able to bring it back down to specialization in cloud security and other things. And so, yeah, I think that it’s important because again, you’re saying that we have a workforce issue in cybersecurity, but a lot of people have a very distorted view of what cybersecurity is and they might just be sitting there going I’m not qualified. I can’t. I couldn’t possibly figure out. I don’t know ones and zeros so therefore I’m not going to be capable of jumping into this field and being able to show people that there’s various ways to enter the field is really important.

Chris Hughes:
Yeah. I mean, that’s what I was trying to stress. It’s like there’s so many different niches in this career field. I mean, we have people that come from every background like legal backgrounds, healthcare, liberal arts, everything you could think of. And you don’t need to be like an expert programmer, for example. There’s so many different niches around policy and around compliance and all kinds of different things you can specialize in that lean towards your competencies or things that you are passionate about as well. So don’t feel reluctant to do that. Just find something that you like or that interests you and kind of focus on that, double down on that.

Erin Keating:
Yeah. Well, this has been a great conversation Chris. I really appreciate you sharing, not just your personal insights, but then also some really hardcore knowledge that we need to know around cloud computing and security. And I hope that that benefited those who listen. So we hope we can speak to you again. I know again, you’re a good friend of Neo Systems. We appreciate all the time you’ve given us to share your knowledge and we look forward to being able to disseminate more of your knowledge in the future. Thanks for joining us on Neocast.

Chris Hughes:
Absolutely. Thank you for having me.

Erin Keating:
Sure. The Neo Systems difference, we specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors? Smart organizations are paying more attention to their strategic back office operations. Neo Systems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure. From software hosting and security solutions to managed accounting services, Neo Systems custom builds solutions and services that are tailored to fit your organization’s needs. Check us out on the internet at neosystemsC-O-R-P.com. That’s neosystemscorp.com.
