Today our guest is John Petrozzelli, the Director of MassCyberCenter.
John has been a featured speaker at the Massachusetts National Cyber Crime Conference and at the Microsoft Digital Crimes Community Conference in Vienna, Austria.
He was a featured speaker at ThreatLocker Zero Trust World and the International Crisis Management Conference in 2023. He has delivered remarks at many universities and professional organizations.
For more info: John Petrozzelli’s LinkedIn and the MassCyberCenter.
Here are the key takeaways
- MassCyberCenter’s role: Established in 2017 by then-Governor Baker to make Massachusetts a cybersecurity leader and ensure state resilience.
- Collaborations: Engages with state, local, non-profit, federal partners, and private sector for cybersecurity resilience.
- Educational initiatives: Works with higher education via HECCC and CyberTrust Massachusetts to create pathways for students into cybersecurity careers, starting from high school.
- Security Operations Center (SOC) program: University students work as SOC analysts, gaining real-world experience alongside academic learning.
- Mentorship program: Pairs college students with cybersecurity mentors to work on projects, aiming for practical experience and networking.
- Cybersecurity range and MassReconnect program: Offers a sandbox environment for skill practice and a state-funded educational opportunity for residents to upskill or reskill in cybersecurity.
These initiatives represent a comprehensive approach to developing the cybersecurity workforce and infrastructure in Massachusetts.
Here is a full transcript of the episode
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today our guest is John Petrozzelli. John is the director of the MassCyberCenter. Our topic for today is the value and resources offered by the MassCyberCenter. I’m going to let John talk about that here in a minute so he can explain to us exactly what that is.
Before I bring John in, let me tell you a little bit about him. John has been a featured speaker at the Massachusetts National Cyber Crime Conference and at the Microsoft Digital Crimes Community Conference in Vienna, Austria. He was a featured speaker at the ThreatLocker Zero Trust World and the International Crisis Management Conference in 2003. He has delivered remarks at many universities and professional organizations, and I am just thrilled to have him here on our show today. Welcome John, thank you for joining me today.
Thanks, Steve. Yeah, it’s great to be here.
All right. This is going to be very useful for our audience and I’m going to find it personally interesting as well, so I really do appreciate you being here. Let’s start with a high level overview of MassCyberCenter, what it is, what its mission is, that kind of thing.
Sure. So I’m the director of the MassCyberCenter, as you said, and this is a new opportunity for me that I just jumped into in May of 2023. It’s been really exciting. Part of really what I like about it is its mission. It was formed in 2017 by Governor Baker, then Governor Baker at the time, and his team, based on what they saw as the importance of being a cybersecurity leader for the state of Massachusetts in the country. He wanted to try to maintain opportunities for Massachusetts to compete nationally and our Massachusetts cybersecurity ecosystem to really become a leader in the space and to make sure that our communities were resilient and our private sector organizations were resilient as well.
What they did was they put together the MassCyberCenter with the mission of convening state and local officials and private sector participants to come up with ways of making Massachusetts, the whole ecosystem, more cybersecurity resilient.
The way we do that is we do a lot of collaboration with state, local, nonprofit, federal partners, and then private sector to try to bring everybody into the same room and talk about some of the challenges that we face with emerging technologies or with existing technologies, some of which could be 20 something years old, like USBs coming back. Or any type of threats that we face and how we, as an ecosystem, in Massachusetts can confront those threats as a team and what people can bring from a perspective of people, process, and technology to the fight to make ourselves more resilient.
Okay. So it’s clear in my mind, is MassCyberCenter, is it a government agency or is it a quasi-government agency? How would you define that?
Yeah, so we’re a quasi, so we’re a .org versus a .gov.
And we do have a line item in the state budget for our existence. We are codified in state law, but we are a quasi-public organization. So we do have a little more flexibility as a nonprofit, it gives us just that flexibility we need to participate in things we otherwise wouldn’t be able to as a state entity.
Okay, cool. And I know when people go to your website, they’ll see that there’s a relationship between MassCyberCenter and MassTech. So can you elaborate, help us understand that relationship, if any, and how that works?
Sure. Yeah, the MassCyberCenter is one of five divisions of the Massachusetts Technology Collaborative. MassTech has been in existence for decades and they have a bunch of great initiatives. CyberCenter is one of the more recent ones, but MassTech has been involved in really trying to make Massachusetts resilient, not just for cybersecurity but for a bunch of different initiatives.
We have the Centers for Advanced Manufacturing that help companies to include startups with manufacturing processes. We have the Massachusetts eHealth Institute, which helps the healthcare sectors in Massachusetts. We have the Mass Broadband Institute, which is working on digital equity and passing our broadband throughout the state to maybe disaffected communities, underprivileged communities, and rural communities, so everybody can get that same level of a good internet broadband that the cities can.
We have the John Adams Innovation Institute, which is another one, and then again, they’re working with startups and helping companies to get development grants and things like that as well.
We have a lot of capability under the Massachusetts Technology Collaborative.
So I want to get to career development and industry partnerships. But before we go there, let’s kind of drill down or focus on educational opportunities.
How does the MassCyberCenter collaborate with educational institutions and what does that mean or what form does that take?
In one situation, we work with the Higher Education Cybersecurity Coordinating committee, which is called HECCC. We work with HECCC, we just recently in June did a tabletop exercise with them where we simulated an attack on a school network and worked with the schools to try to figure out, okay, what would their steps be? What do they have in place now? What should they consider putting in place? And how do they work with not only other schools in their consortiums, but also the state and local government as well as CISA and federal agencies when there is an incident like that.
That’s one of the ways that we work with the higher ed institutions, but what I’m really proud of is, through a nonprofit called CyberTrust Massachusetts, we’re really building out an opportunity, and what I would consider as a vision, for a pipeline for high school students, grades 9 through 12, getting a pipeline into either a community college or a 2 or 4 year institution where they can graduate as more seasoned SOC analysts. And so if you’re okay with it, I’ll just talk about that a little bit, because-
Please. No, that’s perfect. I was hoping that you would mention that because I think that’s so important that we focus on the K-12 and obviously the younger … It’s probably too much for the younger grades, but 9 through 12 and helping them get in a pipeline, if that’s their interest and if that’s where their skillset lies, I think that’s so cool. So go ahead.
Yeah, so what we’re doing is we partnered with community colleges and universities in the state, and what we’re doing is basically two levels of capability for them. Before I came on, Stephanie Helm was the previous director and she and the team really started this, so I’ve just come on to kind of spearhead the continuation of it. But our team created this Security Operations Center and Cybersecurity Range program, and they tried to figure out, okay, should the MassCyberCenter be the ones spearheading this or should it be through a nonprofit, another entity that is not a quasi-government agency?
What they decided was they did a request for proposal and determined that CyberTrust Massachusetts, which was created as a result of that request for proposal, would be the best way to go with this. Because as a nonprofit, they’re not out there to make a buck. They’re out there to do the right thing for the Commonwealth, but they have flexibility we don’t when it comes to procurement and things like that. As a result, they can get better economies of scale and really try to gain a really good value for their constituents, whether it be municipalities or small business or other nonprofits in providing cybersecurity services for them.
But where the universities are coming in is what we’re trying to do, it’s unique for this type of environment, would be using university students or community college students as the SOC analysts. What happens is CyberTrust is partnering with organizations that are now members of CyberTrust. For example, Bridgewater State University and Springfield Technical Community College out in Springfield, Mass, those two universities and community colleges are essentially building Security Operations Centers that their students will be able to sit in and monitor a threat environment in real time for a protected entity.
Now we’re primarily starting looking at municipalities, but long term that could also be startup small businesses, it could also be other nonprofits. So these students are going to start with education in their 2 or 4 year university. And as they go through that education, their part-time job might be working for CyberTrust in these SOCs.
What you have there is a really great combination of a student going to school, learning the principles, working with a great staff at a 2 or 4 year college, but while they’re doing that, their part-time job is in cybersecurity. So what they’re doing is they’re building a portfolio for themselves so that by the time they graduate, they’re not just looking at, okay, how am I going to find a job? Now they’re going to be an in-demand person because they’ve had maybe 2, maybe 4 years of SOC experience as a SOC analyst, so they might be able to graduate and move into not just a tier 1, but my vision would be they move into a tier 2 SOC analyst at maybe a managed services provider or a security analyst for a company, a private company, hopefully in Massachusetts.
That’s the way that we’re working with the colleges to be able to create that opportunity for them. And again, we’ll probably talk about this a little bit later too, but the 9 through 12 is really important to me personally because I’ve seen it with my children about what happens when a child is going from seventh and eighth grade. They’re not really sure what they’re going to do, but they also are looking for options and they’re kind of looking for that path. So what we’re going to do is try to develop that pathway for them so that if a kid wants to go into cybersecurity, they can do so, and the path’s been laid out for them so that they can kind of get a feel for, okay, what am I going to go through in high school? How am I going to deal with that? And then how’s that going to work for me when I get into college and beyond?
Yeah. That is so interesting. I find that fascinating that you’ve got this program where college students can graduate with more than just an academic understanding of cybersecurity. They have actually worked in the field as their part-time job while they’re getting their education. I think that is so awesome. I appreciate that.
And that kind of leads into what I wanted to talk about next. I did want to talk about career development and the kinds of things that you do either for students or people who maybe have already graduated and they want to switch careers or maybe they’re in cybersecurity, but they need to develop that career or advance in that career. Are there programs and trainings and those kinds of things that you either offer or point them towards? How does that work?
Yeah, so there’s a couple of different programs I’ll talk about. One of which is our mentorship program, and that’s a cybersecurity mentorship program that pairs up an existing college student with a mentor from the private sector, or it could be the public sector, but essentially a mentor in the cybersecurity realm already. What they do is they work together for basically about a quarter to a half a semester.
We have a course that’s starting, probably it’ll start in October, a mentorship program series right now, and that’s going to continue through December. A student will be paired up with a private sector mentor or a cybersecurity mentor from the public sector who will basically help that student develop some kind of a project through the course of the semester. At the end of the semester, that student gives a presentation. I’ve seen some really cool ones. One of the first couple weeks that I got in was the end of the culmination of the mentorship program from the spring, and some of the work that these students did was amazing. It was really great. One of them developed a phishing page, was a link page to a very well-known streaming service, and it looked just like that page, and it was essentially a credential capture landing page. This is a college student who developed that with the help of a mentor. There are some really great opportunities for existing students to join that program.
We’ve had 175 students go through that in the last couple of years. This year we have, in this fall semester, we’ve got 70 or so students that are interested. We’re still looking for mentors. We’ve got about 25 to 30 mentors, so the amount of mentors who participate are really the limiting factor for us. We might have 70 students, but if we don’t have 70 mentors, we typically will try to pair up 1 to 1.
1 to 1? Okay.
That way there’s a good ability for someone to build that rapport and get a relationship with someone. Right now we’re probably looking at a class of about 30 or so students going through, unless we get more mentors for this fall program. Our application deadline is September 19th, so we’ve still got a little bit of time.
Got it. Okay.
That’s one of the programs we have.
The other one that we’re developing right now, and I’m really excited about because it’s going to give people that were like me, the opportunity to jump into cybersecurity maybe when they didn’t have a background in it to start. I was lucky as an intelligence officer in the Air Force, I hacked my first computer in 1998, and it was one of those hello world type of messages.
It wasn’t anything substantial, but it was cool, and it gave me the itch. And once I left the military, I really wanted to get into cyber. And I had some issues with the GI Bill where it just didn’t … There were some paperwork issues, so I couldn’t use my GI Bill the way it should have been used. So that gave me a little delay in my professional development for cyber, but I then joined the FBI, did a lot of cyber work with them, and eventually got my master’s at Boston University.
But what I want is for people who want to get into cyber to have a venue to get in there right away. One of the things we’re doing with our Cybersecurity Range is creating a pathway where private citizens, maybe someone who’s in one industry who wants to jump into cyber, can use the Cybersecurity Range that we have, and the Range helps them to learn about different topics like phishing or white hat hacking, surveillance and reconnaissance that they would be doing against a prospective target. A lot of different tools inside of that sandbox environment where they can practice security skills, cybersecurity skills, and get a feel for what the cyber world looks like. And then that might help them to figure out what they’re interested in so that they could try to pursue some kind of a degree.
One thing I wanted to highlight is Massachusetts, this is not the MassCyberCenter, but this is the governor’s office, has essentially just created a program called MassReconnect, and that enables people who don’t already have a college degree to go back to school, paid for by the state, to go back and basically reskill or upskill their current skillset, so that’s pretty amazing.
MassReconnect is a relatively new program, just got signed into law I think a few weeks ago. It’s essentially anybody who’s 25 or older on the first day of classes, they are enrolled in and pursuing a program of higher education at a public community college, they haven’t previously earned a college degree, they’re enrolled in at least six credits per semester, and they have to complete the free application for FAFSA, federal student aid, and they’re a Mass resident. But if they meet those requirements, then they’re eligible for that free college.
Again, if they participate in that, they might be one of these students that can then jump into the SOC programs. So there’s an opportunity there that hasn’t been there before. And that’s really exciting in Massachusetts, and that’s really the best of a lot of private industry that was trying to build something like this, public industry that was trying to push this, and then the governor and the House and Senate coming together to create this.
Okay. Wow. I’m just really impressed with what Massachusetts is doing. It seems like they’re right in the forefront of cybersecurity education and promoting those programs. That’s pretty impressive.
You’ve talked about partnerships with educational institutions. You’ve talked about mentorships with private industry. But are there any other industry partnerships that you either have or are working towards, collaborations to help professionals transition into the cybersecurity roles in industry?
Yeah. We mentioned the mentorship program. Every year for cybersecurity month, we have a cybersecurity forum, and that’s where private sector, typically we try to invite CEOs or higher level members of companies, come to that forum and talk about specific issues of the day. This year we’re going to talk about civil cyber defense and talk about different initiatives in Massachusetts where public and private sector entities are working together to create opportunities for a collective defense, whether that be a consortium of schools that are sharing the burden of a new cybersecurity tool, and they’re basically cost sharing or getting economies of scale by working together as a consortium to get those services or the water districts is another example we’re going to give, I think at the forum. We have some people also looking to try to create a civilian corps of private sector people who’d be willing to jump in as essentially CISOs to help a company who’s going through a breach.
I think that’s still in the kind of the initial phases of development, but we’re going to have that group talk about that in the forum so that companies can hear some of these ideas and maybe come up with ideas of their own that might help to make the rest of the industry more resilient.
We’ve got a lot of different long-term goals with this, particularly reaching deeper into industry to help maybe increase collaboration between people who might be otherwise competitors for certain products working together to try to help themselves and each other to harden their security stacks. But I think that’s probably an aggressive goal, probably for like 2024-2025.
We do have on our website a minimum baseline of IT, which is part of our minimum baseline of cybersecurity. And that’s one of the things that we’ve done in partnership with local, nonprofit, private sector, and public sector entities where we’ve created this minimum baseline of IT that we would recommend for really anybody. Primarily it’s geared toward municipalities at the moment, but we’re changing the format, so it’s going to be available to anybody. And right now anybody could download it, but we’re going to try to gear it more toward the private sector as well over time.
And then lastly, we already work with, like I said, Mass eHealth. We have a monthly cybersecurity call where we do current cybersecurity topics. Last month we talked about the benefits of cyber insurance. This month we’re talking about mobile device policies and mobile device vulnerabilities and how to protect, especially home health workers, how to protect their mobile devices if they’re bringing their own device into the work environment. I’d like to build more of those across different industries over time as well.
Excellent. Thank you. I think our audience would be interested in hearing some of your perspective. Now, this may not necessarily be MassCyberCenter’s part of what your work is, but just given your experience in the industry, and maybe you could talk to us a little bit about cybersecurity trends and needs and what you see coming … I guess I’m picturing a student who’s wanting to make sure they have the right skills for work in cybersecurity, and what would be your perspective on that?
Yeah. Of course it’s growing. Cybersecurity is going to be around, it basically touches any kind of sector, whether it be public or private sector. A lot of physical damage can be done with cybersecurity tools, so cybersecurity incident response is going to be a career path that’s going to be in demand. But one of the things I wanted to mention is what we’re trying to target is underprivileged populations, but in my case, personally, what I see is with my daughter, she’s a little bit afraid. She’s in seventh grade, she’s just starting seventh grade. She’s already a little bit afraid of STEM.
One of the things that we’re trying to push also through the SOC and Range program is you don’t need to be a math whiz to be in cybersecurity. You don’t need to be hacking, you don’t need to be coding in order to be in cybersecurity. Because what cybersecurity and the industry needs is people who can talk to people about what their vulnerabilities are. They can make people less concerned about maybe an incident that’s been occurring. They can talk to them about the incident at a high level. We need people who aren’t just STEM focused in cybersecurity, but we need people who can get a message across to a client as well.
I think one of the things that I would really want to pass over is that cybersecurity is not just a technical skill. It’s not just a technical skillset that you need. We need people who are maybe English majors who want to do stuff like consulting with someone. Consulting is a big part of cybersecurity, and you can be really good on the technical end, but if you can’t get the message across to a customer, then you’re not any help to them because they need to know what are today’s vulnerabilities? What are you doing to stop them? And they need to know that, usually, in reports.
A cybersecurity career might not have to be all technical. Of course, you’ll need to have some idea of what you’re doing in the cyber realm. You’ll need to know the concepts. But if you’re a good report writer, if you’re somebody who enjoys public speaking and things like that, you might have a career in cybersecurity.
I wanted to mention that because a lot of times that’s not talked about, but definitely for people who are coming up and are saying like, “Hey, I’m not good in math or science,” you don’t have to be. You can do other things in cyber. And so I wanted to just pass that on to students and prospective cyber people.
I particularly appreciate that because it’s something that I’ve kind of noticed is that we oftentimes talk over the heads of people who are not technical, end users or people in business who don’t have a technical background. Technical people, when they’re talking about cybersecurity threats and vulnerabilities and those kinds of things, we oftentimes talk right over their heads. They have no idea. They know it’s a problem and they know it’s something they should be concerned about, but it’s hard for them to grasp at what level should I be concerned about it and what should I actually be doing other than wringing my hands and clutching my pearls about all of the cyber threats out there.
I think that is great advice to not shy away from cybersecurity just because you’re not technical because it’s broad. We need much more than just people who can sit behind a keyboard and code. So that’s excellent. Thank you.
That leads right into how I wanted to end here. I was hoping that you could give us some guidance, some advice for aspiring cybersecurity professionals. I think you’ve already done a great job with the don’t shy away if you’re not technical, but is there anything else, advice that you would give to aspiring cybersecurity professionals?
Yeah. The best advice I could give is don’t give up. There’s so much of a demand for cybersecurity … I remember going through my first classes at BU and it was calculus and Java coding, and I was like, “Oh my God.” And every weekend I was spending hours and hours trying to get this Java program to work, and it was literally like parentheses in the wrong place or something like that. I would get to these moments of desperation and all of a sudden something clicks and the program works and then it’s like success. I think part of that is just grinding it out. If you feel like you’re overwhelmed when you start your cyber classes, just realize that, again, not all of this is technical, that you have to have some capability to understand programming language, which now Python’s coming up and it’s easier than Java to handle, so that’s good. But there has to be some level of understanding of the programming languages that are being used to generate both protective software and malware, so cybersecurity people need to understand that a little bit. But if you’re taking one or two classes like that and they’re really technical, just work hard to get through them because other classes are not going to be that same way.
People could always reach out if they wanted to. I’d be happy to talk to people about that just based on my own experience. But sometimes when it seems like you’re like, “I just don’t think I can get through this.” Once you’re through maybe an individual project on a weekend or through a class, the next class can be so much better in cybersecurity and in that course of study. Just don’t give up would be the one thing I’d say.
And really as best you can, don’t take no for an answer. If you get rejected with one program, go to another one.
Yeah. Awesome. One of the things that we like to do at Cybersecurity Guide, of course, is in our show notes, we try and put resources or links that can help our readers access the things that we’ve talked about. So obviously we’ll put a link to the MassCyberCenter, MassTech, anything else that you can think of that would be useful that we should put a link in our resources?
I’ll send you over my LinkedIn. That’s pretty much the only public profile that I have anywhere.
I’ll send you that over as well if people want to hit me up and ask me. I just had a conversation with someone who is a chef and wants to jump into cyber, and he was concerned that his age would be a limiting factor. And I said, “Not in this world. You can jump in and do anything you want. Doesn’t matter what your age is, and as long as you are willing to do it, willing and capable, that’s what we’re looking for.”
So if people want to reach out to me on LinkedIn, feel free to do that as well.
All right. We’ll put a link to your LinkedIn page as well, so thank you for that. And thank you, John, for being with us today. This has been very helpful. It’s a very valuable resource for people that are thinking about getting into cybersecurity or need some help with their career. So thank you, I really appreciate your time.
Thanks, Steve. This is great for me too. I really enjoyed it.
You bet. And a big thanks to our listeners for being with us. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.