CyberWire Daily - CyberCon 2023: A unique mix of critical infrastructure and cybersecurity. [Special Edition]

Episode Date: November 5, 2023

As we progress in this technological age, both cybersecurity and critical infrastructure continue to be at the forefront of prevention, protection, mitigation, and recovery conversation topics. From a frontline worker to the top of the C-Suite, security is something we all should be aware of and concerned about. The CyberCon event began in 2018 and provides an opportunity to learn more about cybersecurity and critical infrastructure as well as collaborate with fellow security professionals. Dave Bittner recently spoke at CyberCon 2023 at Bismarck State College in North Dakota. While there, he had the opportunity to interview 4 members of the conference planning committee (all past or current chairs of the event) for a better understanding of the event, its focus on a mix of critical infrastructure and cybersecurity, and how the event has evolved over the years. Dave speaks with: Troy Walker, Director of Sales and Marketing at Dakota Carrier Network & 2023 conference chair, sharing the history of CyberCon and its unique focus on critical infrastructure and cybersecurity. Tony Aukland, Technology Outreach Manager for the State of North Dakota IT & previous conference chair, giving us the truth about CyberCon and its origin story. Bill Heinzen, Information Security Team Lead at National Information Solutions Cooperative and previous event chair, talking about developing the cybersecurity candidate pool in North Dakota. John Nagel, CEO and Founder of CYBERNET SECURITY and past event chair, discussing the sustainability of CyberCon and its critical infrastructure focus.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:00:46 I recently had the pleasure of being invited to be a keynote speaker at CyberCon 2023 in Bismarck, North Dakota. It was my first time to the Roughrider State, but I was well aware of their reputation for innovative leadership in cybersecurity. To learn more, I sat down for one-on-one conversations with the organizers and founders of CyberCon.
Starting point is 00:01:48 In this CyberWire special edition, I speak with Troy Walker, Director of Sales and Marketing at Dakota Carrier Network, John Nagel, President of Cybernet Security, Tony Aukland, Technology Outreach Manager for the State of North Dakota IT, and Bill Heinzen, Information Security Team Lead at National Information Solutions Cooperative. We begin with Troy Walker, Director of Sales and Marketing at Dakota Carrier Network and Chair of this year's CyberCon. Can we talk a little bit about the history of this conference here and ultimately what led you to taking the reins? Sure. I believe it started six years ago. This is the sixth one. We did maintain the event during COVID. So that was our only non-in-person. That was 100% virtual event. We brought speakers to a common place. They spoke, but we didn't have an audience. The audience was all virtual, which I think went really well. We looked at it as more of a critical security,
Starting point is 00:02:51 critical infrastructure doesn't stop during COVID. So we felt it was important not to stop the event, which I think says a lot about the core of what's at the committee. So you're going to hear Tony, you're going to hear Bill, you're going to hear John. There's probably, I wasn't one of the original people in the meeting. I was probably the second or third meeting, I think, when I came in. There was a core group of state employees and business employees that were in the region of this central North Dakota that thought it'd be a good idea to work with BSC. They were offering a cybersecurity program at that time when probably Black Hills maybe had one of the only ones in the region, I'd say. Strong focus on cybersecurity,
Starting point is 00:03:31 put an event together, really get students and industry together talking about ideas. Our first year, I think we had about six employees, maybe six students that we had that were part of the event. Now I think we've got over 150 students that are either in-person or virtual, which I think is the biggest test of how well the committee has done to get the event. I think it's great to get people together, industry, but we need students to become advocates, to be in the field, to get in the workforce, and that's a great way for us to start that process, give them scholarships, get them invited, and get them excited for cybersecurity. As well as a little unique to us, Tony and his co-worker, I think at the time, which was
Starting point is 00:04:15 Darren Hanson, who came from critical infrastructure, they had the idea of putting the two committees together to have critical infrastructure and cybersecurity together. I think that's a bit unique for us, which I think is also really fantastic for us to meld two groups together. Today, you would have heard Robert talk about physical security, and then that's not really cyber, but it is related. There's a tie between both of those, and I think the more we can tie them together, the better. Here we are on campus at Bismarck State College, a beautiful campus here. Can you tell us a little bit about the school itself and the students who attend here? What is it made up of?
Starting point is 00:04:50 Sure. This is their highest record year of enrollment. I think the school itself, Bismarck State College, is somewhere between 3,200 and 3,500 students this year. It's one of two colleges, I believe, in the state of North Dakota that had an increase in students from 2022 to 2023, which I think is a direct reflection of how quickly they can move and adapt their programs. So on the cyber side, there's a group of us, most of us that are on the board in this room, have talked with them to say, how can we change and teach the students what we need for employers from an employee standpoint and an employer standpoint? And they've done a fantastic job, and they have for probably, I bet you, eight or nine years now. I was at a previous company. I
Starting point is 00:05:36 hired their employees. I worked with their instructors. It seemed like maybe for them, either being a two-year school or maybe just the mindset, they could adapt a little bit better than a bigger college could. We talked to bigger colleges, not as easy to move the needle for them. We're a smaller college at that time. They could be a little more nimble. What are the goals for the students leaving here in terms of them being prepared for the workforce?
Starting point is 00:06:01 That's a great question. I think a couple fold. One is they've got to be able to interact with people. And I think that's a key for any industry, especially the technology industry, is talk to a number of students that said, hey, I want to be in a cube. I want to do something. I don't want to interact with people. Nobody's got those jobs anymore. You have to have an ability to solve a problem, communicate with people, talk at a level that's not technical in nature to someone who doesn't understand technology. And I think that's what BSC is doing is bringing in a group of students, trying to create some
Starting point is 00:06:37 diversity, bring those students in, bring them into the workforce so the workforce has got that same ability to have diversity. Let's talk about the event itself. I mean, as it's grown, what opportunities have you all had to expand on the types of offerings that you are providing over these couple days? Yeah, I think we've had a great opportunity to increase our speakers. And I take you for example. I listened to you and have listened to you for probably as long as you've been on CyberWire. I listened to Smashing Security. I listened to you on there.
Starting point is 00:07:09 I think to get somebody like you to come to our event wouldn't have happened our first year. Maybe it's we just got lucky, but John, Tony has done a ton. Bill has done a ton. Art Bakke did a ton. We've got a really good subcommittee that goes out and challenges us, I think, to find people who have an advocacy to talk about something and they're not asking for $100,000 to speak, which I think is beneficial to us. We have a budget. We've really never had to spend a lot of money on speakers, which I think is unique for us. We have spent some money on speakers.
Starting point is 00:07:45 Some has been good, some maybe not so good. We've had some really timely presentations. We had the NFL security talk about security to the Super Bowl. We had the Route 94 shooting in Vegas the next year after that speak about what it was like to be in that facility. When those two spoke, nobody looked at their phones. I mean, nobody looked, which you don't see that nowadays. You have 350 people. Everybody's listening to somebody. That tells us as a committee, I think, we've got the right speakers there. We've had
Starting point is 00:08:15 some speakers that we've closed at that maybe haven't brought that. And I think that's a good thing for us to really take stock, look at who we have for speakers, and see maybe not to do that again. Where do you see this conference going? What's your aspirations for the future? I think from a committee standpoint, I don't think any one of us sees it separately. I think we all see the future of it growing, being more of a Midwest event. If you notice, BSC has got an addition on here. That's a bigger facility. We can have more people. I think it's going to, COVID showed us that we can do virtual in-person together, like it or not. Some of us like the in-person because we like the camaraderie. You do not get that virtually. I think we've got the ability to
Starting point is 00:09:01 grow the event as large as we want to have it. I'll tell you, I mean, one thing that caught my eye when we were coming in today was that you had to bring in more chairs. As people were starting the presentations, they were bringing in more seats because the demand was there. So you must be on to something good here. It's a good problem to have not enough seats and more people than seats. Right, right. We continue our conversation with Tony Aukland, Technology Outreach Manager for the state of North Dakota IT. So in the conversations we've had in this room, it seems as though you are a bit of an
Starting point is 00:09:46 instigator here in terms of getting this started and up and running. Can you give us your version of the origin story? I was really glad you asked that because I was going to tell you, okay, now let's listen to the truth about how this went. Okay, fair enough. Originally, actually, the idea was at that time, the Director of Homeland Security and Emergency Services here in North Dakota, Greg Wills. He had a vision for bringing critical infrastructure and cybersecurity. We didn't have a lot of IT cybersecurity events out this way. There was a lot on the eastern side of the state, Red River Valley, Fargo, North Dakota. And so at the time, Troy had mentioned that one of my coworkers, Darren Hanson, who was the critical infrastructure chief at the North Dakota SLIC.
Starting point is 00:10:27 At the time, I was the North Dakota SLIC, which is our state intelligence center, fusion center. I was the cybersecurity analyst from NDIT for them. And we started talking back and forth and getting some ideas. And Greg had wondered, you know, what we could start pulling off. And we contacted as many of the people as you see here and on the committee. You know, we have a very strong committee of like 15 people, 16 people, strong partnership with Bismarck State College. And it's what it is today. You know, it was we took a lot of time in trying to make sure that we this is a critical infrastructure and cybersecurity event,
Starting point is 00:11:05 not just a cybersecurity event. So that's really important to us. Can we touch on that critical infrastructure element here? I mean, for folks who aren't familiar with this part of the nation, what are the critical infrastructure sectors that you have here in the state? Yeah, like John was saying earlier, we do have a lot of the critical infrastructures. We don't have necessarily nuclear. I'm not sure if we can use this analogy
Starting point is 00:11:28 as necessarily stating it, but we have a lot of energy out here, a lot of oil producing in North Dakota. We have a lot of agriculture in North Dakota. We have a large military presence. We have two Air Force bases as well as a National Guard for both Army and Air. And we have a great deal of education, transportation, and so forth. So we've been
Starting point is 00:11:51 very fortunate in a lot of the things that have come through the state of North Dakota in the last however many years you want to start at. And how does that work for those of you who are looking to provide a pipeline for people to fill those jobs, those critical jobs within the state, how has it been for you all to source those? In other words, how many come from in the state and how much are you pulling from the area? So one of the things I like the way Bill was talking about his experience with how he became into cybersecurity. I like to talk about it as an interstate rather than a pipeline because there's so many on-ramps and off-ramps and
Starting point is 00:12:29 different ways that you can get to places. And I actually originally got that from Kevin Knowlton when he was at cyber.org. And one of the things that's really interesting with that is we do a lot with student outreach, as we were mentioning, not just at BSC and CyberCon, but all the tribal partners in North Dakota, the K-12 partners. NDIT has a division called EduTech that does a great deal with that. And this conference actually helps support another event called Cyber Madness. And Cyber Madness is the state high school and middle school cybersecurity tournament. So we bring in here at Bismarck State every February, we have the state high school cybersecurity tournament. Now, when I say every year, it's only been two years that it's actually
Starting point is 00:13:09 run. We originally started the planning in 21. And in 22, we hosted the first one. There was only 50 students, roughly 11 schools. The next year in 22, we doubled the amount of students. We had 100 students, and we had 21 schools in attendance. Wow. That was so popular that some people wondered, could we do a middle school event? We actually run them both slightly different. We have one partner for the high school side, Palo Alto Networks. A partner on the middle school side is Cyber.org. And we would actually see a virtual event before on the middle school side that led to 36 teams, four students per team are the maximum.
Starting point is 00:13:50 We had well over 120 kids participating in the virtual event. Then we brought the top 10 teams for that into an in-person event. And those students also can win scholarships and such for the event. So when we talk about how we're getting to North Dakota, we have PK-20W here in North Dakota, and it's preschool through kindergarten, all the way through your high school, college, doctorate. PK-20W, the W stands for workforce. And so we say every student, every school, cyber educated. And that doesn't mean every one of them has got to be a cyber analyst like a lot of the people in this room or anything like that, but they are certainly least cyber aware, security awareness. And this conference was planned on purpose in October for the kickoff of it being National Cybersecurity Awareness Month. And that
Starting point is 00:14:33 was not by any stretch of the imagination, some kind of random throw at the dartboard. We did that, the committee did that on purpose. So we do that across schools. We have, for those who take a different route through their careers or re-skilling, there's a Skills for All website free through the state of North Dakota that we have available and many other resources. We talk to many schools. We have Hour of Code. We have Cyber Madness. We have all kinds of events that we support and try to expose students to the jobs that are here in North Dakota. When you asked about, you know, what's in state and out of state, we allow a lot of times here in North Dakota, like the state of North Dakota, we allow remote work. So many of the people that work for us actually live in other states and they may live in the state or they may live in other cities in the state.
Starting point is 00:15:21 It's no longer if you're a state of North Dakota employee, you had to move to Bismarck, North Dakota to work at the state government or the Capitol. That's really interesting. I mean, that's an interesting competitive approach, you know, because that's not that way in many states where if you want to work in the state government, you have to live there in the state. And you can understand the legacy of that. But I think it also points towards this whole-of-state approach, which honestly was one of the reasons I was really looking forward to coming here was to talking to you all about that because that is unique in North Dakota. I think that is an area where you all are leading the rest of the nation
Starting point is 00:15:58 in being so intentional about having cybersecurity from every level of the state. And you saw, as you heard CIO Kuldeep Mohanty talk at his presentation and probably here at this podcast, there's a lot of that collaboration here in North Dakota. A lot of the times when John made the joke about, then I called him, we may not know everybody, but we're a small enough state population-wise that we might know somebody that does know somebody. And so we're probably able to find out who a lot of those people are. We've had great leadership from Governor Burgum. He's got a great technology-based mindset for these kinds of things. And that support is not lost on any of us. And that collaboration is seen here at this committee. I mean, just the committee alone at CyberCon has private industry,
Starting point is 00:16:43 has state government, has education, has all the different sectors that are involved. Do you have advice or words of wisdom for folks who may be thinking about starting their own conference, using you all as inspiration? Well, I really enjoy it. I have a blast with it. I cold call a lot of speakers. I love it when people say, how did you get this person or that person? I just called them and asked her. And she said, yes. And so we showed up.
Starting point is 00:17:12 It takes a large group of individuals to put these things on. Everybody has to have an active role. It can't be something that everybody's just showing up for the meeting and three people are doing all of the lifting. One of the most important pieces I'd like to brag about, Allison Czar and Bismarck State College is continuing education. They really don't. And somebody like Allison, it would be very difficult to do this without her. Her and their team really, really put in a lot of effort. You know, we don't have to worry about necessarily what room are we going to be in? What time can we get into the building, all that.
Starting point is 00:17:45 They can take care of all that for us. And when you have that coordinating partner who can take care of not just logistical, but a lot of the financial, budgetary-wise and such, it really takes a lot of pressure off you to explore into the creative side of who could we get to speak, who could we get to do things. You know, things that we've done every year have been slightly different. Last year, we had a Capture the Flag event that NDIT's team won. The state of North Dakota's IT won it. This year, we have focus groups that are being led by four members of the state of North Dakota, Michael Gregg, our CISO, Jess Newby, and Josh Catermas, who are both leads for our GRC team,
Starting point is 00:18:21 and Christopher Gergen, who is the director of the SOC for the state of North Dakota. They'll do focus groups tomorrow as well. So we've always had something new, something a little introduced that shook it up a little different every year. But we've had great support with everybody showing up and being here and participating as they do. And what are your aspirations? Where do you hope that this goes? I share similar aspirations as you've heard today.
Starting point is 00:18:46 I would like to see us maybe expand half a day or another day. I would like to see us involve more of our tribal partners in the state. We do have online today Turtle Mountain Community College, and we have had United Tribes Technical College. We do a lot with them. They bring students down as well. So we do have a presence there, but these kinds of careers are really important, especially when you start talking about that remote work, because a lot of our tribal partners, that community doesn't see
Starting point is 00:19:15 themselves necessarily moving out of their community to go to a bigger metropolitan area. They want to stay in their community. So that remote work becomes really important when they can stay with their families and stay with their loved ones and stay with their community and still be able to work these kinds of jobs. We all need the support and help. Every culture, every career, every sector out there is looking for protections that cybersecurity and critical infrastructure can provide. So we've been very fortunate to have that strong partnership over the years. Do you feel as though there are any unique opportunities that you all have? Being North Dakota, the makeup of the state itself, the people, where people are situated,
Starting point is 00:19:59 the pockets of population, many people are spread out. Yeah, well, we're very fortunate. We have a very strong technological network in the Dakota Carrier Network and other partners who we have high-speed internet to every school. You know, we have a large ring around the whole state that many of us are very familiar of and what that brings of fiber and everything to the background of that. Allowing everyone to be able to access those education resources remotely, being able to access those jobs remotely, and also to be able to communicate with all of us that we do.
Starting point is 00:20:31 You know, we can have some rough winters in North Dakota. I've heard that that is the case, yeah. From time to time, we might get socked with something. So from that standpoint, we do spend a lot of time, you know, doing remote meetings and such, as you heard our CIO talk about when the interstate gets closed and so forth. So that's been a big part of that. I do a lot of remote presentations to K-12.
Starting point is 00:20:52 Our EduTech team does way more than I do to K-12 across the state. So the other side of that, when you're looking at planning conferences and so forth, North Dakota is often a place many speakers have not been. Is this your first? Yes. So I will say that works a bit of an advantage when we say, yeah, it's in Bismarck, North Dakota. And they're like, oh, my gosh, I'd like to go there.
Starting point is 00:21:15 As you can see, we are not buried in snow and cold year round. It's a beautiful fall day here in North Dakota. We're situated right along the banks of the Missouri River for this conference. It's a nice 65, 70-degree day, and such that happens. You know, we have a summer that doesn't include snow or anything like that and so forth. Yeah. What's your advice to that up-and-coming person? I'm thinking of either a student coming up or maybe someone who's considering a career shift.
Starting point is 00:21:44 Any words of wisdom there? Yeah, one of my favorite sayings, Michael Gregg has the CISO for the state of North Dakota, sharpen the saw, which means furthering your education, learning more skill sets. He often jokes with me that I started that phrase. He totally started that phrase. I didn't do that, but I use it all the time. And so I encourage people to not only do two-year, four-year education and all of
Starting point is 00:22:06 that, but there's certificates out there and there's podcasts to listen to. There's the CyberWire and so forth. I mean, there's so much you can do now to become educated on all of these topics. You know, are you struggling with this type of topic or that topic? You can probably find a YouTube video pretty quickly or another educational resource to do that. The state of North Dakota, we have a very strong education platform for employees. We allow educational growth. We believe in growth mindset. I am somebody who just completed my MBA. I have a couple of GIAC certifications. I have a SANS security awareness professional. Every member of our team on the state of North Dakota side is getting a new certificate every one or two times a year.
Starting point is 00:22:50 And those things show in their skill sets. They're learning things, cybersecurity, IT. It's amazing to me when people talk about how quickly it changes. That was old talk. It's just constantly changing. I mean, it's not slowing down by any stretch of the imagination. There's new threats, new attack vectors, and new things going on all the time. So anybody coming up, I also encourage them to put their effort into their vocation. You know, the days of, I might be from the last century in the 80s, and we might have done some school, done some homework, played football after school, and then maybe hung out with our friends all night. I find myself now doing all kinds of furthering education, even in the evening, where I like to spend a little more time,
Starting point is 00:23:34 maybe researching a lot of the things that we're talking about, listening to a podcast, watching a talk through some type of conference or event that I didn't get a chance to attend during the day. So never stop learning, never stop growing, and don't think that your college career or whatever it is. But you also don't have to go to college all the time for everything, but you do need furthering education of some sort. It's not you graduate high school and bam, we make you a cybersecurity analyst. But there's many companies out there that are looking to hire people that have the drive and the desire to be in it
Starting point is 00:24:06 and helping them pay for furthering college and furthering education. There's so many avenues and so many ways to get into it today. Explore it. There's so much that you can do. Next up is Bill Heinzen, Information Security Team Lead at National Information Solutions Cooperative. So what is it that draws you to this conference? Why do you choose to spend your time being involved with this? Absolutely. It is a topic that is relevant to the community. And one of the things that I really find to value about the Bismarck-Mandan area is that the organizations here, whether it's NISC, whether it's Dakota Carrier Networks, we act as partners in this endeavor. It's not an area where each of us is trying to compete or outdo the other, but it is about providing a valuable service by educating people on a topic that is becoming increasingly relevant.
Starting point is 00:25:14 What is it like for you when you're out there hiring, trying to attract potential candidates? How is the candidate pool in this area? It's phenomenal. You know, I would say one of the things that is worth being aware of as an employer and in terms of going out and looking for candidates to fill a position is that cybersecurity, information security can be a really nebulous concept, right, in terms of the skill set you're looking for. So someone who is, for example, very experienced at IT forensics may not be a good fit for a security compliance audit. And so when it comes to the employers and when it comes to the topics that we touched on in CyberCon
Starting point is 00:26:01 is we try to emphasize some of the different facets of the information security profession. And I think that that works on a couple of fronts. One for us as the employers, it continues to reinforce the notion that cybersecurity is a multifaceted profession. There's not going to be a single skill set you're looking for. Like Troy had mentioned earlier, you're looking for people that can leverage critical thinking and powers of reason to answer questions that don't always have a clear-cut answer. So from the employer side, it helps us emphasize the diverse nature of the profession and what we're trying to hire for within it. Now on the student side, right as hell that Bismarck State College, I think it also helps emphasize for them that even though they may not know exactly where they want to be in five years, ten years, and the truth is as a student, I remember when I was a student, we very rarely did know that, right? But it can be helpful to know that if cybersecurity as a broad topic is your passion,
Starting point is 00:27:08 you don't have to feel locked into one aspect of it. You might start out having an interest in infrastructure security, for example, in learning how to develop systems and networks that are hardened against cyber intrusion. But you might find later on that perhaps your real passion is for application security. And you want to learn how to code apps defensively for things like defending against SQL injection and cross-site scripting. And the great thing is as long as you are interested in the subject overall, you really have the ability to change what your specialization is over time. What about that nontraditional student who's coming up? You know, somebody who may be coming from a different place, had different interests, but now they find,
Starting point is 00:27:55 wait, this is something that sparks my interest. So that person who, you know, came up in life and maybe cybersecurity had never crossed their mind, but at some point they recognized it, they saw it and it sparked something in them and they want to take their place. What are your insights on that person? That was me because I was that person. My background is not in cybersecurity. My background was in accounting. I originally saw myself as going to school, getting an accounting degree and becoming a CPA.
Starting point is 00:28:27 And that's what I did. That was what my undergraduate was. And one of the things that they have begun testing for on the CPA examination is actually cybersecurity. There is a very small subset of questions that are related to that topic. And the reason that that's the case is if we go back to the nuts and bolts of why are people breaking into systems, there can be a variety of motives, but oftentimes the motive is financial. And from an accounting perspective, the notion that people have cooked the book, so to speak, or used financial systems to achieve personal financial gain in unethical ways,
Starting point is 00:29:17 that is not a concept that is new to the accounting profession whatsoever. For example, the practice of going through a financial statement audit is literally the process of bringing in a third party to go over a company's set of bookkeeping records to see if someone has manipulated them or not in order to, for example, misrepresent companies' earnings or things like that. And as the accounting profession evolved to include technology as a more regular part of the bookkeeping process, right, you would use different IT systems to create your vendors, to cut the checks, et cetera, it quickly became apparent to people that were preparing accounts for that profession, it quickly became apparent for them to know that you are going to have to have
Starting point is 00:30:14 a workforce that is educated on the topic of cybersecurity because it is so relevant to the profession. And so that was me. I actually early on wanted to get involved in forensic accounting. I was curious in pursuing a profession that allowed me to help root out and prevent white-collar fraud. I found out soon enough that all of the white-collar fraud is happening through, or not all the white collar fraud, but a substantial portion of financial crimes is being achieved through malicious cyber intrusions. So for me, that was a shift in focus to say, hey, this passion that I have always had is something that the most cutting edge
Starting point is 00:31:08 work that's being done in that area is being done in the cybersecurity profession. And to kind of answer the initial part of your question, I would not discourage anyone at all that has a non-traditional background from finding ways that they can pivot into the cybersecurity profession. The way I was able to do it was, again, going back to the auditing example. I was looking to get involved in cybersecurity more often, and I said, okay, what do I know about cybersecurity to begin with? Well, I know that viruses are bad and firewalls are good. That was basically where I was starting. But then I said, okay, okay,
Starting point is 00:31:42 cybersecurity compliance audits are becoming an important part of the profession. You've got attestation standards, like, for example, the PCI DSS. That involves, again, a third party going in to a company saying, okay, this is the PCI DSS rulebook over here. This is what you're doing over there. We are going to gather evidence to attest to whether or not you're following the rulebook. And I said, I know how to do that. That's a financial statement audit. You're just, the evidence you're collecting is rather than collecting evidence regarding how a company is conducting its bookkeeping operations, you are collecting evidence to see how a company conducts their IT operations. And from there, I was still able to build up my skillset in just, I took that, I took that one area where I had a frame of reference that I was familiar with. And then I built on that and developed my IT and cybersecurity skillset from there on out. It seems to me like part of what you're saying is, you know, don't exclude the opportunity to pivot, that there may be something parallel to your, you had a preexisting set of expertise.
Starting point is 00:32:45 Correct. And you were able to take that and apply that to this new vertical that was attractive to you. It turns out you had a skill set that was in need in cyber. Correct. And again, that's what we would, you know, going back to the topic of students at this conference and what employers are looking forward, that's just a message I would put out to them, right, is that very idea. Take what you know, take what you're passionate about, and apply it to the cybersecurity vertical.
Starting point is 00:34:52 Last but not least is my conversation with John Nagel, president of Cybernet Security. So let's start off with some high-level stuff with you. What led to your involvement with this conference? It was an interesting phone call one day from a gentleman named Tony Aukland. And we were discussing the opportunity for a conference built on critical infrastructure. It's kind of gone unnoticed, you know, when you talk about cybersecurity. But we have 16 of them, maybe soon to be 18.
Starting point is 00:35:19 And nobody was really talking about the infrastructures as it relates to securing the important things in our day-to-day life in the United States. And, you know, it was about time. And Tony made a call one day and said, hey, would you be interested in helping to create this conference? And it just took off from there. And the next thing you know, we're into the seven years later. Is critical infrastructure your background? Is that your particular area? No, my background really was formed in IT. Most of my career was at General Electric. So I started there. But as I came back to North Dakota, quite honestly, to make sure my parents can stay in their home as they have aged and they got me where I'm at,
Starting point is 00:36:10 it's like, you know, it might be an opportunity to come back home and do something a little different. And out of that evolved starting a new cybersecurity business up here. What was the landscape like when you came up to start that business? Kind of nascent in some ways. I mean, it was there in pockets with different companies, but to go out and find a business that was focused solely on cybersecurity, that was not an IT-based company, not an IT services company, et cetera, that was a challenge. Quite honestly, I didn't find any of that. That was solely their focus. That was their mission, was pure cybersecurity. And so, you know, talked to a couple of people, met a few people and said,
Starting point is 00:36:45 you know what, let's give this a shot. And several years later, we did some work for Beck Communications. I loved what we did and said, you know what, we think there's an opportunity here. So they acquired us in 2021. Very nice. So back to the conference itself,
Starting point is 00:37:00 as you were conference chair, were those early years really focused on critical infrastructure? It was, yes, it really was. We actually had some nice sponsorship from our emergency services department here. They were one of the core. We were just starting up a cybersecurity program here
Starting point is 00:37:17 or writing in letters in support of BSC becoming a cybersecurity institution that could provide talent to the world. And I say the world literally because the world needs cybersecurity experts, not just North Dakota. And as we started to focus on it, we had different focuses. We have 15 of the 16 critical infrastructures located right here in our state. The only one that's missing is nuclear. And I guess we could make the argument that we do have that too with all the missiles
Starting point is 00:37:45 located here. Fair enough. So as you were all were developing this program and not just for that one year, you wanted to build something that was going to be lasting. What went into that planning process? We wanted sustainability, right? And to start out, we really weren't sure. We approached Bismarck State College here and talked about, you know, we have an idea. We'd love to leverage your institution here to host this. Would you like to be part of it? And during that first year, we kind of went back and forth and finally said, you know, this might be a good thing long-term. And it's like, well, let's try it the first year. How do we get started? What do we do? How do we get the message out there? Do we have the right players in place? And for the most part, I would say we did. We just didn't know a lot of things. You know, this was
Starting point is 00:38:33 the first true critical infrastructure conference, but then tied to education, which presented some different challenges. How do you involve the students yet have the seriousness of critical infrastructure and then make the public aware of both spectrums. That was our challenge. I thought we did a pretty darn good job because here we are seven years later providing scholarships back to BSC. How did you do that? How did you cover that gamut?
Starting point is 00:38:57 You know, it was the diversity of the group. I think we ranged from manufacturing to defense to the National Guard here to the state, private sector players. They all came to the table, and I got to tip my hat to Tony Aukland when he gave me a call. And I was like, are you crazy? But it was just crazy enough that I wanted to jump in. And so when we got that mixed together, I remember some of the first early meetings is, you know, what should we do? Who should we get? What do we bring?
Starting point is 00:39:28 How many days should it be? What do we charge? Should we charge? You know, all those things came into play. And it took about a year of planning to figure it out. And then we just did it. You know, you learn from that first year. And coming out of that, we've continually met every single year after each conference.
Starting point is 00:39:44 We do a quick debrief. I like to call them lessons learned versus postmortem because I prefer the positive. I don't like looking for buried bodies. And so we've done a really good job of that so far. It's just evolved. What are your thoughts here today as we look around? As I mentioned to one of your colleagues, the rooms are packed and there's a lot of energy there in the room. You must have quite a sense of pride. We do. I do personally. It's more of a team
Starting point is 00:40:10 thing than an individual thing. You know, as tired as I was this morning, had calls from different, you know, customers having issues this morning, you get here and you flip a switch and the energy level goes up, the smile comes on your face, and you're all in. So that's what it does for me personally. It transforms me as soon as I walk in the door and I see all the different people. So it's uplifting, and then you take a sense of pride in what you've done, but you can't rest on your laurels in this industry. That's the thing. Cybersecurity is an omnipresent threat today. The landscape changes hourly, and the inflection of AI probably will make a change minute by minute. Where do you hope this goes? What are your aspirations?
Starting point is 00:40:48 I'd like to see it bigger and better, but I'd like to see it maybe split out a little bit more and we start talking about some student-specific conference activities, whether it's geared toward what they're doing in the class, whether it's geared toward tools, bringing professionals in and gear that side, and then have the business side here. Because our businesses, we would love to have more of them involved. They just don't know what they're facing right now, or they may choose to ignore it. It's all about
Starting point is 00:41:19 risk management. It is out of sight, out of mind. And I think we have two tracks here that we can take this really to the next level. So we start out with a nice opening. I'd love to see that, you know, then split it up a little bit for students and educators and then the business world, and then keep moving forward and bring everybody together for the close. I mean, that's a personal vision. I just got to look at my peers in this room here as we're talking today and see how we get there. And we do pretty well with those conversations. So I could see this evolving into a multifaceted conference that might last two days, three days, depending on, or have separate days as we bring everybody together. So I'm looking forward to the next five, six, seven years.
Starting point is 00:42:10 Our thanks to Troy Walker, John Nagel, Tony Aukland, and Bill Heinzen for taking the time to share their insights, and thanks to everyone at CyberCon in North Dakota for being such warm and gracious hosts. If you're in the area and you're a cybersecurity professional or student, do check out the conference. It's time well spent. I'm Dave Bittner. Thanks for listening.
