Eric Freeman, a retired Marine Corps Officer and combat veteran, served over 20 years on active duty. He has held various IT and Cyber Security leadership roles in both public and private sectors. He is the Chief Information Security Officer for Leidos QTC Health Services. Before QTC, Eric led Cybersecurity Governance, Risk, and Compliance for North America at Atos, managing regulatory and contractual oversight. Prior to Atos, he served as Deputy Director of IT Operations and Supplier Risk Management for the City of San Diego.
Recently, in an exclusive interview with Digital First Magazine, Eric shared his professional trajectory, insights on the evolution of the cybersecurity landscape, the best piece of advice he has ever received, future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Hi Eric. Please tell us about your background and areas of expertise.
I was raised in Dallas, TX. And yes, I’m very passionate about BBQ and my Dallas Cowboys. My interest in computers began in a middle school’s computer math class. My career began shortly after graduating high school in the early 90s while serving on Active Duty, in the Marine Corps. My first role in IT and Information Assurance was as a Terminal Area Security Officer, supporting Mainframe systems and applications. I was fortunate enough to have served in many roles found in your traditional IT shop but became an expert in two domains which were Data Systems design and architecture and Network Engineering and Architecture. I retired after 21 years in the Marine Corps as a Cyber Operations Officer.
What do you love the most about your current role?
I love the mission and purpose of the CISO. It is a unique and distinct executive role responsible for fostering a “cyber-conscious” culture through outreach and education, as well as protecting the crown jewels of the business, which are the enterprise business systems and data.
According to you, how has the cybersecurity landscape changed over the last few years?
In the not-so-distant past, sound fundamental Cybersecurity design and architecture began at the enterprise perimeter firewall. The traditional perimeter of the enterprise continues to dissipate through the adoption of cloud services and a growing remote workforce capable of working from anywhere. As a result, the fundamental strategy of securing the organization has shifted from the firewall to the identity of the user or device and restricting access to applications and data.
What are some of the key components to succeeding as a CISO in today’s business environment?
While the CISO is perceived as a technical executive role, I think the fundamental keys to success as a CISO are to get to know and understand the business operations, build executive relationships, and hire technical subject matter experts to focus on 3 key areas: Risk and Compliance, Security Operations, and Architecture and Engineering.
Given your vast years of experience as a CISO leader, what are the main cyber security related challenges that executives face when it comes to embracing new technologies for their business?
The most significant challenge I have faced is that Technical Leaders often fail to take advantage of opportunities to build relationships with non-technical colleagues. This is a critical misstep and hinders what I believe is significant to establishing a “Cyber-aware” organizational culture to minimize risk. A “Cyber-aware” and “Cyber-ready” culture ensures that all business initiatives that involve technology engage with the office of the CISO. The business benefits of engaging the CISO at the onset help to identify and reduce business risks, facilitate financial decisions being made at the right time to tackle technical debt, increase enterprise visibility of third-party risks, and assurance that business initiatives can meet industry standards and regulatory compliance.
As a leader, what approaches do you use to create a culture of experimentation and innovation within your team?
Security Engineers and Architects can be quite competitive. Being named a Subject Matter Expert by the CISO is an award with recognition that is coveted in our professional discipline. As a leader, I often reward innovation with incentives, up to and including promotion.
What does working in cybersecurity mean on a practical level, and what kinds of skills/personality traits are an asset in the field?
Practically speaking, cybersecurity is a very demanding discipline which is not understood by the majority of individuals outside of the profession. Conversely, it’s a profession that is filled with tons of intrinsic rewards. It’s analogous to being an insurance provider…no one thinks about how great insurance benefits are until you’ve experienced an accident. You need to be self-motivated, a catalyst for change, a life-time academic, embrace technology, and a rational problem solver. I often remind my team that I want facts not feelings.
In your academic or work career, were there any mentors who have helped you grow along the way? What’s the best piece of advice you have ever received?
I’ve had the pleasure of being mentored by some of the greatest military officers and crisis managers on the planet. One of my greatest mentors and dear friend, retired Marine Corps Colonel Ross Adelman would often say to me, “Never present a problem without having at least one recommended solution.”
Where would you like to be in the next 5 years?
I’d like to see the CISO role, whether it’s me or not, continue to evolve to where I believe the role should sit within any organization and that is reporting independently to the Board or directly to the CEO as the Top Technology Executive in any organization responsible for all Technology Strategy, Governance, and Security.
Which technology are you investing in now to prepare for the future?
You can’t have a conversation today without mentioning AI. We are investing in AI-powered technologies to improve upon our existing capabilities to rapidly detect and respond to potential threats. Additionally, we’re also investing in Data Security Platforms to improve our visibility of ability to identify the user and system accessing data, monitor behavior, data flow and more.
What advice would you offer others looking to build their career in cybersecurity?
Cybersecurity is a very broad discipline with multiple domains that include roles responsible for writing policies and procedures, performing security assessments and risk management, to threat hunting and exploitation. Join a local chapter of a Cybersecurity association like ISC2, ISACA or CSA and speak with a professional who can offer insight which can help steer you on a path to success.