This Framework in Focus interview was featured in the Spring 2021 NICE eNewsletter.
Title/Organization: Information Systems Security Officer, U.S. Food and Drug Administration
NICE Framework Category: Oversee and Govern
NICE Framework Work Roles: Information Systems Security Manager
Academic Degrees: B.S., Information Systems, Capitol Technology University
Certifications: Certified Information Systems Security Professional (CISSP)
Karen Wetzel: In this edition of the NICE eNewsletter series “Framework in Focus,” it is my pleasure to speak with Charles Britt, Information Systems Security Officer (ISSO) at the U.S. Food and Drug Administration (FDA). Charles, thank you for letting us learn more about your career pathway and understand the NICE Framework from the lens of someone like yourself who is performing cybersecurity work.
Charles Britt: Good afternoon and thank you for the invitation.
Karen: I wonder if you can start off by explaining about your role and responsibilities as an Information Systems Security Officer at the FDA?
Charles: I am one of about seven or eight ISSOs who are responsible for carrying out cybersecurity activities across different centers and offices across the FDA. In this role I am responsible for managing and coordinating the assessment of our security systems against NIST 800-53 standards as well as FDA policies and HHS guidelines. I also provide technical and policy guidance to centers and systems stakeholders, conduct technology evaluations, and support incident response.
Karen: It sounds like you have a lot on your plate! Can you describe a little about your team and the specific roles?
Charles: Each ISSO is responsible for our own center and our portfolios range from one or two systems up to a couple dozen systems within our area of responsibility. On our cybersecurity team as a whole we have approximately 80 individuals who support all aspects of our work. Those individuals consist of cybersecurity engineers, incident response analysts, forensics engineers, SOC analysts, or your watch officers who are watching our systems and the perimeters of our network. In addition are the corresponding senior leadership roles that manage and coordinate all these activities across the program.
Karen: Can you share about the career path you took to become an Information System Security Officer?
Charles: I came on board as an IT support specialist at the Central Intelligence Agency in 2003—a help desk guy running around installing software and troubleshooting for the office I supported, and we were working literally 12-16 hours a day. I was burnt out, so I moved to a systems administrator role. It was behind the scenes, working to maintain critical systems and infrastructure, and I soon missed working with people. That is when an opportunity arose for an ISSO in what was then the growing Information Security Group at the Agency. They were looking for individuals who wanted to dip their toes into the world of cybersecurity and I accepted the challenge. The key to making that transition was having both the technical background and good communications skills. I then moved two or three years ago to my position here at the FDA. It’s a great fit for me because it matches my desire to understand the technology and be impactful in cybersecurity while communicating to individuals within an organization.
Karen: That’s really fascinating. Soft skills—or professional skills—seem to have played a big role in where you are now and in what you want to do in your role. Is that fairly common in cybersecurity—the importance of those kinds of skills in addition to the more traditional cybersecurity ones?
Charles: It’s very important because technology is constantly changing and the people we’re supporting aren’t focused on cybersecurity. At the FDA, they’re focused 99% of the time on protecting the public health, so they don’t have time to keep up with ever-changing cybersecurity trends and policy changes. There is a need for cybersecurity folks who not only understand the technology but also can explain to the business owner—who in my case might be a doctor, physicist, or chemist—how the policies and technology we’re implementing impact the security of their systems and data.
Karen: When it comes to skills, what do you do to keep yourself sharp and current?
Charles: The interesting thing about an ISSO role is that you have to know about everything. You’re constantly researching, going to training, and taking online courses, both internally as well as externally. Cyber criminals are keeping up with trends and in some cases making trends and, as a defender of our network and infrastructure, I, too, have to be well versed on those and translate how they affect the work we do every day. It can be difficult to pause your activities for a one-week or three-day course and then come back to your regular workload. It’s not impossible to do, but it does take some balancing. Finding time to get that in is key to your growth. Sometimes you can get stagnant really quick. Putting time aside to stop and make sure you’re keeping your skills up to date keeps you competitive and also ensures you’re contributing great value to the organization.
Karen: Can you share your insights about what kinds of cybersecurity jobs you think are most difficult to fill, either in your organization now or as you’ve seen in your roles in cybersecurity?
Charles: In a large private sector organization or government organization like the FDA there is a lot of institutional knowledge and for a variety of positions it’s difficult to bring someone in fresh out of college or a boot camp to delve deep and fast in the vast networks and infrastructures that these offices are running. Roles like mine, the ISSO role, are also difficult to fill because of the mix between the technical, project management, and stakeholder management skills you have to bring to the table. Another area we find difficult to fill is in counter-intelligence—people looking at insider threats. There is a high demand in very large organizations such as Amazon and Facebook for people who are looking at the bigger picture of threats and intelligence, but it’s another area where you can’t just go to a boot camp or take a couple online courses and be well versed in it.
Karen: Talking a little bit more about workforce—is diversity something you are focusing on at the FDA, and could you share about any efforts you’ve been doing in that space that have been effective?
Charles: Yes, in fact, our Chief Information Security Officer has made diversity a part of our strategic plan. We’ve worked to bring in diverse candidates, specifically women, in our department and in our IT division in general and, as a result, we actually have a very high number of female cybersecurity professionals within our department. That’s not common across many organizations and agencies, so it’s a huge plus for our program. Our leadership is also working to build an inclusive culture overall so that, once we get candidates in, everyone feels welcome and included in the work that’s being done, not just in cybersecurity but across the entire FDA.
Karen: It can be easy to forget the importance of what happens when someone’s in the door. It’s great to hear about your efforts. I know you touched on it some, but can you add a bit more about what you enjoy most about your work?
Charles: I’ve always enjoyed helping people. The ability for me to educate our stakeholders by translating technical and the policy guidance into “plain English,” where they can take actionable steps to protect their systems and data without a lot of back and forth—I like being able to see that lightbulb go off when a stakeholder understands why we are doing something. Then they take the action to ensure that these mechanisms and plans are put into place because they see the value of how these protect their systems. I also enjoy being responsible for a variety of tasks. In this job every day is different. There are new systems to stand up, issues that arise, patches that need to be deployed, and priorities that can change. This role puts you on the front lines of a lot of the work being done with the Federal Government to protect our systems and, at the end of the day, it’s about ensuring we are safe and secure instead of worrying about being on the front page of the paper because something’s gone wrong.
Karen: It must be really fulfilling to actually see the positive impact you’re making. And certainly in this field you have to want to continuously learn and change—it’s not like you can come in and do the same job that you did five years ago.
Charles: No, not at all. I had taken a break and I worked in academia at Northern Virginia Community College (NOVA) for five years, helping them develop cybersecurity programs for youth and young adults. When I started this job five years later, things that were just ideas or in beta testing when I had left were now being used. It blew my mind. When I talk to folks as a career coach or in speaking opportunities, I tell them that in cybersecurity you have to be a lifelong learner. You have to be willing to learn the technologies and different ways of doing your job and, in order to be competitive, you have to keep up.
Karen: How can training providers and education organizations make sure their students are keeping up to date so they can be effective in the workplace?
Charles: This is definitely a challenge. Teacher professional development is really important. I fought very hard to provide opportunities for teachers at the high school and collegiate level to be able to attend cybersecurity conferences to skill-up the information they’re teaching. In the classroom, it is important to use tools and resources to supplement what’s being taught—virtual environments, guest speakers, connections to work-based learning experiences, connecting with a mentor—so, although you may not be providing the cutting-edge technology in the classroom, the students are aware that these technologies exist and know where they can connect with individuals who understand it a lot better.
Karen: Do you see the NICE Framework as helping in that regard?
Charles: It’s my go-to. I literally had sheets that I would paste on my board at work so that anytime someone brought up cybersecurity I would say, “Let’s start with the NICE Framework.” Honestly, it is a very simple way to understand the tasks, responsibilities, and skills that are needed to marry up which degree program a student may want to pursue, which job they may be interested in, or whether or not the skills and interests that they have match the type of job they had in mind.
Karen: If you had just one piece of advice to give someone who’s considering a career in cybersecurity what would you say?
Charles: To be specific about what you’re looking to do. What are you good at that someone is willing to pay you for? It’s a very broad field and you have to go back to the basics. Are you a people person or do you prefer to work by yourself? Do you like to communicate? Do you like to write? Are you creative? The answers to questions like these play into how successful you can be in different roles. If you can be more refined and specific about the paths you’d like to go down, you’re going to be a lot better off finding a job. That’s not to say that you have to stay in that particular role. The beauty of the field is that there are tons of opportunities available to you. But throwing a blind dart at a board is not the best approach. Be specific, but then also flexible when it comes to opportunities.
Karen: That really works well for both the employer and the learner. You want to be in a job that’s fulfilling and makes the most of your abilities, so thinking that carefully through at the beginning versus just going for a title you maybe have heard before is important. Especially since titles from organization to organization can be totally different.
Charles: Totally different. But if you understand the basics of the role and ask the right questions during an interview, you’ll see what they’re really looking for. You can craft your job search to ensure that you’re not being pigeonholed into a job that sounds really good with a lot of technical buzz words but isn’t really about performing the tasks you had in mind. You want to be in a position that you enjoy doing every day instead of setting yourself up for failure because you’ve limited your options.
Karen: It sounds like you found yourself a role like that and I really appreciate you sharing with us about it today, Charles. Thank you so much for your time.
Charles: You’re welcome. It’s been my pleasure.