The National Cybersecurity Center’s new chief operating officer can point to a couple of major turning points in his career — and the most recent persuaded him to leave Texas for the Springs.
Jonathan Steenland was principal of chief information security officer services with Zyston, and before that served as CISO at Fujitsu, where he developed strategic security programs for its 500-plus companies and 170,000 employees. He also served as the executive vice president of the North Texas chapter of InfraGard, an FBI-sponsored public-private partnership that shares intelligence to prevent hostile acts against the United States.
This week Steenland talked to the Business Journal about his turning points, building the cyber workforce, and how to make a difference.
Where are you from?
I was born in North Carolina and then the military took me to Oklahoma and then Fujitsu took me to Dallas, Texas, where we were for 19 years. I joined the Army right out of high school — that’s where it all started. I had not had any proper coaching in terms of how to exploit military service to your advantage, but at the end of the day it still worked out well for me.
I told them I wanted to get into computers and technology so I was placed in a unit that was called fire direction control for field artillery systems. So that was a very good way for me to get familiar with the technology and the systems, which enabled me to go work for a defense contractor in the [Department of Defense] after I got out of the Army, while I was going to school. And that background in the military was what really allowed me to get into that more hardcore security environment, which is where I got into cybersecurity.
At what point did you know you wanted to go into cybersecurity?
When I was given the opportunity to take a security training class in Atlanta, Ga. It was for some firewall training which is specific security technology, and it was the ‘aha’ moment — and I’ve only had a couple of those in my life. I vividly remember calling my wife and saying, ‘Sweetheart, there’s two things I know. One, I want to do cybersecurity for the rest of my life; and two, I don’t want to do it in Oklahoma.’ So we really started looking and Fujitsu came along and took us on a white-glove move to Dallas, Texas, and being in our early 20s we just thought we’d hit the jackpot. I mean this was at the tip — right before the telecom bubble burst, late ’90s, early 2000 — and it was just spectacular. Everything was still just hot — go, go, go. And Fujitsu was a great company to work for.
But I quickly realized I was a bit out of my element, because from a security perspective, I had left an environment where nobody questioned why we were doing security — because in the DoD it was our business. Or how we were going to do security, because we had programs like the DITSCAP — the Defense Information Technology System Certification and Accreditation Program — and the fact I can still remember that 20 years later should tell you how ingrained it is. Fujitsu was anything but that. It was, and is, a conglomerate of 510 companies, each with their CEO all the way down. Third-largest technology company in the world, basically the Asian version of IBM, and at that time, in 2000, zero security program. And it was mind blowing to me.
What attracted you to this role at the NCC?
It all goes back to another ‘aha’ moment, which was at the National Cyber Symposium at The Broadmoor in 2017. I thought I was just walking into another speaking engagement at yet another security conference — and since I’ve been doing this for 20-plus years I’ve been to hundreds and hundreds of these. But this one was very different. In fact I remember, vividly, calling my wife again and saying ‘Sweetheart, there’s something going on here. Something is different.’ And one of the many things I experienced that was notable was this genuine desire across all elements of the ecosystem here in Colorado Springs, both public and private, to really embrace the NCC and make it be successful — and accomplish the mission that it was designed to do, set forth by Governor Hickenlooper.
Despite my involvement in a lot of public-private initiatives over the years, I have not seen that strong of a commitment to it. And it was enough to make me at least ask my wife if she and my kids would be open to moving from our home of 19 years to Colorado Springs. And surprisingly, they were open to it.
How do you plan to make a difference?
My theme word for 2019 is ‘focus.’ I believe that, especially for the NCC, is more important than ever — because our mission is complex, because the ecosystem is complex. And because I have experience working in those complex environments like Fujitsu, I have learned through trial and error that if you are not laser-focused on what it is that you want to build and do and accomplish, then ultimately the fire will just fizzle out. And none of us want the fire to fizzle out on this thing, myself included. So what we’re really looking to do is focus on three specific areas in 2019 that are capabilities that will allow us to accomplish the mission and the objectives, and really be that community glue — or as General Hayden said at the symposium, the ‘connective tissue.’
We have a lot of people who I have experienced just in the short time I’ve been here who really want to be engaged and involved with the NCC, but we need to develop these capabilities and these programs that allow them to be involved, and to give them a reason and something tangible to do. So we’ve really focused on the three areas that are aligned with our pillars — our pillars being in terms of [working with] industry, government and military to affect public policy; job creation; and [cyber] workforce development. At the end of the day this really is our primary mission … everything that we do has to have alignment with creating jobs, and then those jobs need to go somewhere.
The nation has great needs in terms of cyber workforce and a lot of people aren’t considering cybersecurity as a career path. Who should be?
First of all, it is still just amazing to me that we are now creeping up on a shortage of 3 million for the cybersecurity jobs — especially when I consider all of the benefits that I’ve received, personally, over a 20-plus year career. … I believe the biggest reason why we’re having a hard time filling those job openings is not because people aren’t interested in it, it’s because people have a very myopic, siloed perspective on what cybersecurity is and what it is not — and we have to bust that myth. And that’s going to be through awareness and training, which is a key, key, key element of the NCC’s mission.
Who would get into it? Well of course people with technical skills, yes. Let’s face it, cybersecurity has a very technical element to it. However, what most people have a hard time grasping is the fact that every single attack doesn’t end or start with a computer or a technology. There’s a human on both sides of the fence. So whether you’re pursuing a degree in psychology or marketing or … digital architecture, there’s a cybersecurity aspect to that. We’re fortunate here in the Springs to have a number of schools that are really embracing that diverse mindset and creating curriculum and programs that allow more nontraditional students to get into this. We still need the computer science degrees and things of that nature, but we need a lot, lot more than that.
What’s the best advice you’ve received?
I had the privilege of knowing Zig Ziglar and he was an amazing, amazing guy. Everybody knows he was a great motivational speaker, but we knew him and his family on a more personal level. … One of his many sayings was that people don’t care how much you know until they know how much you care about them. And the second one: You can have everything in life you want, if you’ll just help enough other people get what they want.
When I look back over my career, there were opportunities that I was afforded that I certainly didn’t deserve. And there were a handful of mentors in my life, especially during difficult transitions and seasons of life, that made all the difference. So I think my mission in life now is to give back, like I was given by some of those mentors, and to create the opportunities and the platforms like my first boss at Fujitsu did for me. And that, I think, is very rewarding.