Lee Myers is the Senior Director of Security Operations for the Multi-State Information Sharing and Analysis Center (MS-ISAC), which is part of the Center for Internet Security (CIS). Lee is responsible for the supervision and execution of the services provided by the MS-ISAC’s 24×7 Security Operations Center (SOC), which provides real-time network monitoring, cybersecurity event analysis, and cyber threat warnings and advisories to state, local, territorial and tribal governments. Lee is also responsible for coordinating collaborative security operations efforts across analytical MS-ISAC teams aligned with analytical and investigative teams at the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
Lee’s certifications include Global Information Assurance Certification (GIAC), Certified Intrusion Analyst (GCIA), Certified Incident Handler (GCIH), GIAC Information Security Professional (GISP), GIAC Strategic Planning, Policy and Leadership (GSTRT), and Certified Information Security Manager (CISM). Lee earned a Bachelor of Science in Information Security and Forensics from the Rochester Institute of Technology.
Summary of the episode
In this episode of the Cybersecurity Guide Podcast, host Steve Bowcut interviews Lee Myers, the Senior Director of Security Operations for the Multi-State Information Sharing and Analysis Center (MS-ISAC). They discuss the role of the Center for Internet Security (CIS) in cybersecurity standards and careers.
CIS is a nonprofit organization dedicated to developing and promoting best practices for cybersecurity. Myers explains that the MS-ISAC provides real-time network monitoring, cybersecurity event analysis, and cyber threat warnings and advisories to state, local, territorial, and tribal governments. He also discusses the importance of the CIS controls and benchmarks, which are industry-recognized standards for strengthening cyber defense.
Myers emphasizes the need for aspiring cybersecurity professionals to continuously learn and stay updated on emerging threats, as well as the growing importance of artificial intelligence (AI) in the field. He advises students and early-career professionals to gain hands-on experience through internships and to develop a strong foundation in networking and system administration. Myers also mentions that CIS is working on a web-based portal to provide a centralized platform for accessing their services.
A complete transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening. Today, our guest is Lee Myers. The topic for today’s show is Securing the Future: Exploring the Center for Internet Security’s Role in Cybersecurity Standards and Careers. Before I bring Lee in, let me tell you a little bit about him. Lee Myers is the Senior Director of Security Operations for the Multi-State Information Sharing and Analysis Center, MS-ISAC, which is part of the Center for Internet Security, CIS. Lee is responsible for the supervision and execution of the services provided by the MS-ISAC’s 24/7 Security Operations Center, which provides real-time network monitoring, cybersecurity event analysis and cyber threat warnings and advisories to state, local, territorial, and tribal governments. Lee is also responsible for coordinating collaborative security operation efforts across analytical MS-ISAC teams, aligned with analytical and investigative teams at DHS and CISA.
Lee has a long list of certifications and let me go through them quickly for you. Lee’s certifications include Global Information Assurance Certification, Certified Intrusion Analyst, Certified Incident Handler, GIAC Information Security Professional, GIAC Strategic Planning, Policy and Leadership, and Certified Information Security Manager. Lee earned his Bachelor of Science in Information Security and Forensics from the Rochester Institute of Technology. And with that, welcome Lee. Thank you for joining me today.
Lee Myers:
Hi Steve. Thank you for having me.
Steve Bowcut:
Okay, I’m looking forward to the conversation. I think it’s going to be fascinating. Let’s start, if we can, with kind of a foundation, if you will, tell us about CIS, what it is you do at CIS, or not you specifically, we’ll get to that in a minute, but what the Center for Internet Security, its mission and its role in the cybersecurity landscape.
Lee Myers:
Yeah, absolutely. So the Center for Internet Security, we’re a nonprofit organization. We’re dedicated to making the connected world, as we say in our mission statement, a safer place. And we do this by developing, validating, promoting and providing best practice solutions, services, and guidelines to help people, businesses and governments worldwide protect themselves against pervasive cyber threats.
Steve Bowcut:
Great. So tell us a little bit more about what you do specifically, Lee. So as the Director of the Security Operations Center, what are your key responsibilities and how does what you do impact the overall objectives that you’ve just described to us?
Lee Myers:
Yeah, thank you for the question. So my role leading this 24/7, 365 security operation center team is mainly focused, as you read in the bio, is mainly focused around the security event monitoring services provided by that team as well as the cybersecurity advisories that we send out. And they’re really both on the spectrum of, I would say cyber defense. So these are services offered by CIS that are specifically on that side of cybersecurity, if you will, focused on preparatory defense measures with the cybersecurity advisories. So when there’s a new vulnerability that’s released, right, we actually release an advisory. It’s published to the CIS website and organizations, not just government organizations, but all organizations can review that advisory, get some recommendations on steps to take, possible mitigations, et cetera. And so the other side that I mentioned, the network security event monitoring services, that is, we actually have partners that we have to provide services.
So they have either technology of their own that we deploy or there’s technology of our own that we’ve created and that we manage that has deployed across the space and the security events, the logs, alerts that are generated from that monitoring actually come into the SOC. So my role is leading this team across various time zones. We’re all located within the United States, so we do have folks who work actual overnight hours. It’s very common in a lot of operating centers these days that they do a follow the sun model. And so they’ve got people who are sort of spread across the globe. So it’s always daytime somewhere. Right. And that’s how they accomplish 24/7. But in our case, we actually have folks who are working overnight within the US to provide 24/7 monitoring for those events.
Steve Bowcut:
Okay. And you pointed out maybe some of that would be a key clarification. So it’s not just governmental agencies that have access to the information that you provide. Any organization can do that. So if I’m running a business, can I check your website out and find out what kind of threats are out there that I should be aware of and get mitigation strategies, that kind of thing?
Lee Myers:
Yeah, absolutely. So in the case of the security advisory products that we put out from our SOC, those are absolutely available to everyone. They’re published to the CIS website, so everyone has access to them. We do send out messages and we’re much more catered to the government entities that’s more on the MS-ISAC side as we pointed out. So we’ll actually send them an email directly. Right. “Hey, here’s the latest vulnerability you need to be protected against.” But the product itself for the advisory is published to the website. So it’s available to everyone.
Steve Bowcut:
Okay, awesome. Good to know. Thank you for that. All right, so let’s talk a little bit about controls and benchmarks. Can you explain to us the CIS controls and CIS benchmarks, just kind of briefly what they are and the role they play?
Lee Myers:
Yeah, so I’ll start with CIS controls. They are different. I know people sometimes combine them as if they’re one product, but the CIS controls are their own set of prioritized set of best practices that an organization can use to strengthen their cyber defense. Whereas the CIS benchmarks are actually a set of prescriptive configuration guides for specific systems or operating systems or vendor products that essentially represent a consensus-based effort to be protected against cyber threats affecting that specific system or vendor product. So they are two parts of the same type of strategy of cyber defense, but they are two very different methods or products [inaudible 00:07:11].
Steve Bowcut:
Okay, awesome. So how and does that maybe is the better way to pose that question, implementation of standards and do you have standards that you publish and promote or do you publish and promote other standards like NIST or somebody else that people in the industry may be familiar with?
Lee Myers:
Yeah, so the CIS controls are aligned with NIST and other common standards for cyber defense and cybersecurity. They are a standalone set of standards, the CIS controls, but they’re very closely aligned where if you were to implement the CIS controls, I’m sure you’re checking 90% of a NIST guideline as well. Right. When it comes to implementation of the CIS controls, a lot of times the biggest obstacle that organizations face when they try to do this, and it’s not really unique to the CIS controls, it’s a problem that most people have implementing any standard, is where do I start? This seems like a lot, right? It’s hard to get started because you just feel overwhelmed right from the start.
And so the CIS controls actually being a prioritized list. There are 18 controls and they each have sub standards or measures that you need to implement to accomplish each one of those 18 controls. But they are prioritized and actually CIS has set them into what we refer to as implementation groups. So here’s implementation group one, it has these sets of controls and measures to implement first, and then once you’re done with that, here’s implementation group two and so on. Right. And so it helps make this large obstacle much more manageable and bite-sized for people to get started with.
Steve Bowcut:
Excellent. And so that makes me think as you know, our audience is largely students and/or early to mid-career professionals that either are beginning either their career or their academic career in cybersecurity or they’re thinking about it. So let’s talk to them directly here for a second and help them understand how applying and understanding the CIS standards could influence their career path.
Lee Myers:
Well, the CIS controls and the CIS benchmarks both are industry recognized. There’s a lot of visibility and awareness and reputation behind both of those products. And so having an awareness of them or even better if you’re in a position to get some hands-on experience working with them, those are great resume building line items when you’re applying for a job, especially in the space if it’s going to be tied to cyber defense. As I mentioned, both of those products are geared towards being prepared, locking systems down, having the infrastructure built that you can quickly respond to an incident should it occur. And so those are all great ways to kind of set yourself apart from everybody else who may be applying for a position in particular, if that organization is in the midst of trying to implement, say the CIS controls or they know that they use the CIS benchmarks, having knowledge of that already, or like I said, experience actually working with them can be a great way to set you apart.
Steve Bowcut:
Excellent. That’s great advice. Thank you. I appreciate that. So let’s pivot here a little bit. I’m kind of interested in the idea of hardened images. Can you describe the CIS hardened images, how they provide secure scalable computing environments? Just talk to us about that a little bit.
Lee Myers:
Yeah, absolutely. So organizations will, especially with the move to the cloud, organizations are able to set a bunch of infrastructure or even have their host systems be created using machine images in their cloud of choice. And then what they would try and do usually is to harden those images themselves and you could apply the CIS benchmarks or other recommendations to try and do so, but that’s a manual step. You have to have your organization’s IT folks go in and actually harden those images down after you spin them up. The hardened images, the whole use case there is, here’s images you can choose from when you go to spin up a system or a host machine or a server or whatever it may be within one of these cloud environments and it comes pre-configured to the CIS benchmark guideline. And so it saves time. You’re able to spin it up knowing that it’s already locked down and hardened. That’s where the name comes from and you’re good to go. You’re ready to load up your service, load your host user onto that machine and they’re off, they’re good to go.
Steve Bowcut:
Perfect. So you already know that this new implementation is going to meet the CIS guidelines because that’s the way you built it and hardened it, and you can at least start from that foundation. Excellent. I appreciate that explanation. Another thing that I know you have some expertise in that I find fascinating is the Elections Infrastructure Information Sharing and Analysis Center. So you work with both the MS-ISAC and the EI-ISAC. So talk to us about the relationship. Well first of all, tell us a little bit about what the EI-ISAC is and then the relationship between that and the MS-ISAC and how that works.
Lee Myers:
Yeah. So the MS-ISAC and EI-ISAC members, we call them, but the organizations that make up the user base of both of those ISACs are very closely tied together. The MS-ISAC being focused on state, local, tribal and territorial government entities and the Elections Infrastructure ISAC being tied to the Elections Infrastructure entities. It just so happens that in the United States, the Elections Infrastructure is run by state and local Governments.
Steve Bowcut:
Each individual state. Right.
Lee Myers:
Right. Exactly. So in a lot of cases there’s a lot of overlap between the two. The services that we provide to one directly affects the other because they’re, in a lot of cases, they’re built into those environments. Right. And so there’s not a whole lot of difference in particular in terms of the services that we’re providing at a CIS business level to these entities. Where it really comes in, and this is what I think people are most typically find surprising, is that organizations even state to state, city to city, whatever it may be, elections infrastructure to elections infrastructure, no two of these entities are the same. Everyone has unique problems, they have unique environments, tools that they use. And so we’ve had to provide a wide variety of services so that people can kind of pick and choose whatever’s best for them depending on where they are and what their environment looks like.
So everything from the network monitoring that I mentioned that we provide through our SOC, we have incident response services. If someone does experience an incident and they need help, right, whether they’re a state government or all the way down to a K-12 school. Right. Or we also have a cyber threat intelligence that we’re able to provide to try and be a little bit more proactive, hey, we’ve heard about this threat, here’s more information about that. You can protect yourself before it to you kind of thing.
Steve Bowcut:
Yeah.
Lee Myers:
Or direct targeted notifications, right? So because we have this wide network of entities that we’re aware of and who’ve partnered with us when there’s a big breach or something like that, and we receive information at the ISAC level about that, we’re able to tell those directly impacted as opposed to just sort of putting out a broad message about, “Hey, this happened and click here to find out if you’re impacted.” Right. We can notify people directly because we looked through it and we said, “We know that you’re impacted,” and we can notify them, so. But we do that regardless of who they are. And that’s what I was trying to get at there with my comment, is these entities are actually largely the same entities that we were working with for the MS-ISAC.
Steve Bowcut:
Okay. All right, that makes sense. Thank you. It makes me think about emerging threats and particularly with the elections infrastructure, but generally, I mean that’s why we call them emerging because they’re new and they’re unknown. So how is it that you stay ahead of that? What kind of threat intel do you employ or how do you stay ahead of that? And maybe specifically for Elections Infrastructure, do you see threats there that you don’t normally see? Because they’re geared directly at, obviously if you’re a threat actor, your objective with an Elections Infrastructures may be different than some other,-
Lee Myers:
Sure.
Steve Bowcut:
More traditional infrastructure.
Lee Myers:
Yeah, absolutely. So I would say the way that we stay up on emerging threats would be by reading. I know that sounds like a duh answer, but we have to constantly be reading, constantly be researching, and that is a big part of how we’re able to stay ahead. But in addition, and specifically in the election sphere, a lot of it is through partnerships. So strategic partnerships with other vendors, especially in recent years. There’s no shortage of organizations out there who are specifically looking for threats that affect election infrastructure. And so having those key partnerships and relationships we’re able to, it enables us to stay plugged into these new threats as anybody learns about them. Right. We’re able to hear about it through that relationship and in that way, empower those specifically elections infrastructure members to be better protected against those new threats before they are realized in their environments. Right. That’s the hope.
But you’re absolutely right. I would say certainly the Elections Infrastructure, the specifically Elections Infrastructure environments do have different types of threats that would impact them. They are certainly still susceptible to all the threats that everybody else is in addition to that, right? Like ransomware still a problem. Right. But they also have their own set of unique threats that only they specifically really are worried about because they have certain systems or certain tools that are specific to elections.
Steve Bowcut:
Got it. All right, thank you. So we need to kind of start winding down here, but I would like to get you to offer some advice if you could to aspiring cybersecurity professionals. So what kind of advice can you give our primary audience about cybersecurity education and careers and what they need to learn, what they need to do, what they need to know, that kind of thing?
Lee Myers:
Well, I actually, this is a soapbox moment for me. I do a lot of interviews as you might expect, or guests. And so what my best advice that I like to tell people that I interview and that ask me about positions in cybersecurity is that you have to get in the habit of learning and seek out opportunities to learn more. So whether that be through certifications or through internships. Internships are a great way to learn, especially when you’re starting out. So for anybody who may be listening, who’s taking college courses right now, and you’re not sure where to start, see if you can get an internship somewhere, maybe local, maybe not local, but anything to get your foot in the door. That looks great on a resume as well. I was an intern at such and such a place, this is what I did while I was there. That’s a great experience compared to someone who just got out of school who doesn’t have work experience.
So internships are great, but the reason why I say get in the habit of learning is if you make a habit of it now, when you get in the role of cybersecurity, you’re already doing it because otherwise, as we were just talking about emerging threats, if you’re not in the habit of reading and doing research, you will fall behind in the space. So definitely make that a habit. It will help you not only get the job in cybersecurity, but advance the career in cybersecurity. So make that a habit for sure.
When it comes to specific skills or knowledge, if I could just make a quick plug for this too, because I always do this as well in my interviews, is I always recommend that people need to learn the foundation fundamental basics of networking, network services like DNS and even system administration. I know that one’s a bit more specific, but knowing how these systems like a server or even just your Windows operating system, whatever it may be, knowing how those function at a basic foundational level. And the same for networking is, it’s so important when you go in and do those interviews. Those are the questions that the interviewers are going to ask you. How does this work? How does TCP work? How does a process work on the back end of an operating system? They want to know that you know that because it’s really, especially in a SOC position, for example, it’s really hard to spot the bad stuff if you don’t know what normal looks like.
Steve Bowcut:
Yeah.
Lee Myers:
So spend some time. Learn those basics. It may seem boring when you’re in college learning that stuff, but I promise it pays off later.
Steve Bowcut:
Excellent. Thank you. And thank you for emphasizing both the learning and the certifications. I mean, I always say the certifications are going to get you the interview, but they’re not going to get you through the interview. It’s your knowledge that’s going to get you through the interview to the next step. So I appreciate that. So lastly, before we let you go, I thought it would be interesting if we could get you to kind of dust off your crystal ball a little bit and tell us to the degree that you feel comfortable, tell us about what might be coming in the future for CIS.
Lee Myers:
Yeah, so CIS right now we’re hard at work creating and making a web-based portal available. Right now, our services and offerings, a lot of them you get from our website, there’s ways to download them, but there’s not a sort of one-stop place that people can log in securely, get access to their specific information tied to these services. And so that’s one thing that we’re really working toward right now and that we’re really excited about as an organization.
Steve Bowcut:
Okay. Excellent. Thank you for sharing that.
Lee Myers:
When it comes to the crystal ball, I don’t know, did you want to talk about the cybersecurity,-
Steve Bowcut:
Please. Yeah, whatever you could tell us.
Lee Myers:
Most upcoming cybersecurity trend. Yeah, absolutely. So CIS certainly is working on their CIS portal, which is a big initiative for us that we’re excited about. But in the space of cybersecurity as a whole, the trend that I would be on the lookout and I would encourage people to, again, learn more about at your earliest convenience and continue to do so in the near future especially would be AI. So AI is probably not a surprising answer for anyone who is caught up in reading anything in the cyber or really in any space. But cybersecurity specifically, you’re going to start seeing AI make its way into every tool that we use in cybersecurity.
There’s going to be past services that probably become obsolete because they’re replaced by something that AI does in another tool. It’s worth it to spend some time and learn how AI is going to work and how it may be implemented in future tools and services that become available in the space. So that’s my upcoming cybersecurity trend. And the reason it’s important is because I think that malicious actors will also be using AI in the very near future. They’ll probably beat the cyber defenders to it if history has any indication on that. So be reading up on AI for sure.
Steve Bowcut:
Very good. And I must say that everybody that I interview has the same kind of perspective on AI. It is important to know how it may be used by threat actors and how we can use it as defenders. So I appreciate that. Thank you. Well, Lee, we’re going to let you go, but thank you so much for spending some, you have a wealth of experience and knowledge, and I appreciate you sharing some of that with our audience today. It’s been very insightful.
Lee Myers:
Thanks very much, Steven. Happy to be here.
Steve Bowcut:
All right. And thanks for our listeners for being with us, and please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.