Podcasts
Special Editions
Ep 55
Special Editions 11.5.23
Ep 55 | 11.5.23

CyberCon 2023: A unique mix of critical infrastructure and cybersecurity.

Show Notes
Transcript

Dave Bittner: I recently had the pleasure of being invited to be a keynote speaker at CyberCon 2023 in Bismarck, North Dakota. It was my first time to the Roughrider State, but I was well aware of their reputation for innovative leadership in cybersecurity. To learn more, I sat down for one-on-one conversations with the organizers and founders of CyberCon. In this CyberWire Special Edition, I speak with Troy Walker, Director of Sales and Marketing at Dakota Carrier Network; John Nagel, President of CyberNet Security; Tony Aukland, Technology Outreach Manager for the State of North Dakota IT; and Bill Heinzen, Information Security Team Lead at National Information Solutions Cooperative. We begin with Troy Walker, Director of Sales and Marketing at Dakota Carrier Network and chair of this year's CyberCon. Can we talk a little bit about the history of this conference here and, ultimately, what led you to taking the reins?

Troy Walker: Sure. I believe it started six years ago. This is the sixth one. We -- we did maintain the event during COVID, so that was our only non in-person. That was 100% virtual event. We brought speakers to a common place. They spoke, but we didn't have an audience. The audience was all virtual, which I think went really well. We looked at it as more of a critical security, critical infrastructure doesn't stop during COVID. So we felt it was important not to stop the event, which I think says a lot about the core of what's at the committee. So you're going to hear Tony. You're going to hear Bill. You're going to hear John. There's probably -- I wasn't one of the original people in the meeting. I was probably the second or third meeting, I think, when I came in. There was a core group of state employees and business employees that were in the region of this central North Dakota that thought it'd be a good idea to work with BSC. They were offering a cybersecurity program at that time when probably Black Hills maybe had the -- one of the only ones in the region, I'd say. Strong focus on cybersecurity. Put an event together. Really get students and industry together talking about ideas. Our first year, I think we had about six employees, maybe, six -- or six students that we had that were a part of the event. And I think we've got over 150 students that are either in person or virtual, which I think is the biggest test of how well the committee has done to get the event. I think it's great to get people together, industry. But we need students to become advocates, to be in the field, to get into the workforce. And that's a great way for us to start that process. Give them scholarships, get them invited, and get them excited for cybersecurity, as well as a little unique to us, Tony and his coworker, I think, at the time, which was Darin Hanson, who came from critical infrastructure, they had the idea of putting the two committees together to have critical infrastructure and cybersecurity together. I think that's a bit unique for us, which I think is also really fantastic for us to meld two groups together. Today, you would have heard Robert talk about physical security. And then that's not really cyber, but it is related. There's a tie between both of those. And I think the more we can tie them together the better.

Dave Bittner: Here we are on campus at Bismarck State College. Beautiful campus here. Can you tell us a little bit about the school itself and the students who attend here? What is it made up of?

Troy Walker: Sure. This is their highest record year of enrollment. I think the school itself, Bismarck State College, is somewhere between 3200 and 3500 students this year. It's one of two colleges, I believe, in the state of North Dakota that had an increase in students from 2022 to 2023, which I think is a direct reflection of how quickly they can move and adapt their programs. So, on the cyber side, there's a group of us, most of us that are on the board in this room, have talked with them to say how can we change and teach the students what we need for employers, from an employee standpoint and the employer standpoint? And they've done a fantastic job; and they have for probably -- I bet you eight or nine years now. I was at a previous company. I hired their employees. I worked with their instructors. They -- it seemed like maybe for them either being a two-year school or maybe just the mindset they could adapt a little bit better than a bigger college could. We talked to bigger colleges. Not as easy to move the needle for them, where a smaller college at that time, they could be a little more nimble.

Dave Bittner: What are the goals for the students leaving here in terms of being them being prepared for the workforce?

Troy Walker: That's a great question. I think a couple-fold. One is they've got to be able to interact with people. And I think that's a key for any industry, especially the technology industry is talk to a number of students that said, hey. I want to be in a cube. I want to do something. I don't want to interact with people. Nobody's got those jobs anymore. You have to have an ability to solve a problem, communicate with people, talk at a level that's not technical in nature to someone who doesn't understand technology. And I think that's what BSC is doing is bringing in a group of students, trying to create some diversity, bring those students in, bring them into the workforce so the workforce has got that same ability to have diversity.

Dave Bittner: Let's talk about the event itself. I mean, as it's grown, what opportunities have you all had to expand on the types of offerings that you are providing over these couple days?

Troy Walker: Yeah. I think we've had a great opportunity to increase our speakers. And take you, for example. I listened to you, and I've listened to you for probably as long as you've been on CyberWire. I listen to Smashing Security. I listen to you on there. I think to get somebody like you to come to our event wouldn't have happened our first year. Maybe it's -- we're just got lucky. But John, Tony has done a ton. Bill has done. Art Bocke did a ton. We've got a really good subcommittee that goes out and challenges us, I think, to find people who have an advocacy to talk about something. And they're not asking for $100,000 to speak, which I think is beneficial to us. We have a budget. We've really never had to spend a lot of money on speakers, which I think is unique for us. We have spent some money on speakers. Some has been good, some maybe not so good. We've had some really timely presentations. We had the NFL security talk about security to the Super Bowl. We had the Route 94 shooting in Vegas, the next year after that speak about what it was like to be in that facility. When those two spoke, nobody looked at their phones. I mean, nobody looked which you don't see that nowadays. You have 350 people. Everybody's listening to somebody, that that tells us as a committee, I think, we've got the right speakers there. We've had some speakers that we've closed at that maybe haven't brought that. And I think that's a good thing for us to really take stock, look at who we have for speakers and see maybe not to do that again.

Dave Bittner: Where do you see this conference going? What's your aspirations for the future?

Troy Walker: I think -- I think from a committee standpoint, I don't think any one of us sees it separately. I think we all see the future of it growing, being more of a Midwest event. If you notice, BSC has got an addition on here. That's a bigger facility. We can add more people. I think it's going to -- COVID showed us that we can do virtual, in-person together, like it or not. Some of us like the in person because we like the camaraderie. You do not get that virtually. I think we've got the ability to grow the event as large as we want to have it.

Dave Bittner: I'll tell you, I mean, one thing that caught my eye when we were coming in today was that you had to bring in more chairs. There were -- many people were -- as people were starting the presentations, they are bringing in more seats because the demand was there. So you must be onto something good here.

Troy Walker: It's a good problem to have, to have not enough seats and more people than seats.

Dave Bittner: Right, right. We continue our conversation with Tony Aukland, Technology Outreach Manager for the state of North Dakota IT. So, in the conversations that we've had in this room, it seems as though you are a bit of an instigator here in terms of getting this started and up and running. Can you give us your version of the origin story.

Tony Aukland: I was really glad you asked that because I was going to tell you, I'm not kidding. Now let's listen to the truth about how this went.

Dave Bittner: Okay. Fair enough.

Tony Aukland: Originally, actually, the idea was at that time, the Director of Homeland Security and Emergency Services here in North Dakota, Greg Wills, he had a vision for bringing critical infrastructure and cybersecurity. We didn't have a lot of IT cybersecurity events out this way. There was a lot on the eastern side of the state, Red River Valley; Fargo, North Dakota. And so, at the time, Troy had mentioned that one of my coworkers Darin Hanson, who was the Critical Infrastructure Chief at the North Dakota SLIC. At the time, I was the North Dakota SLIC, which is our State Intelligence Center, Fusion Center. I was the Cybersecurity Analyst from ND IT for them. And we started talking back and forth and getting some ideas. And Greg had wondered, you know, what we could start pulling off. And we contacted as many of the people as you see here. And -- and on the committee, you know, we have a very strong committee of like 15 people, 16 people, strong partnership with Bismarck State College; and it's what it is today. You know, it was we took a lot of time in trying to make sure that we -- this is a critical infrastructure and cybersecurity event, not just a cybersecurity event. So that's really important to us.

Dave Bittner: Can we touch on that critical infrastructure element here? I mean, for folks who aren't familiar with this part of the nation, what are the critical infrastructure sectors that you have here in the state?

Tony Aukland: Yeah. Like John was saying earlier, we do have a lot of the critical infrastructures. We don't have necessarily nuclear. I'm not sure if we can use this analogy as necessarily stating it, but we have a lot of energy out here, a lot of oil producing in North Dakota. We have a lot of agriculture in North Dakota. We have a large military presence with we have two Air Force bases, as well as the National Guard for both Army and Air. And we have a great deal of education, transportation, and so forth. So we've had -- we've been very fortunate in a lot of the things that have come through the state of North Dakota in the last however many years you want to start at.

Dave Bittner: And how does that work for those of you who are looking to provide a pipeline for people to fill those jobs, those var -- those critical jobs within the state? How has it been for you all to source those? In other words, how many come from in the state, and how much are you pulling from the area?

Tony Aukland: So one of the things, I liked the way Bill was talking about his experience with how he became into -- or how he came into cybersecurity. You know, I like to talk about it as an interstate rather than a pipeline because there's so many on ramps and off ramps and different ways that you can get to places. I actually originally got that from Kevin Nolten when he was with cyber.org. And one of the things that's really interesting with that is we do a lot with student outreach, as we were mentioning, not just at BSC and CyberCon but all the tribal partners in North Dakota, the K12 partners. ND IT has a division called Edutech that does a great deal with that. And this conference actually helps support another event called Cyber Madness, and Cyber Madness is the state high school and middle school cybersecurity tournament. So we bring in here at Bismarck State every February, we have the State High School Cybersecurity Tournament. Now, when I say every year, it's only been two years that it's actually run.

Dave Bittner: Okay.

Tony Aukland: We originally started the planning in '21. And then, '22, we hosted the first one. There was only 50 students, roughly 11 schools. The next year in '22 we doubled the amount of students. We had 100 students, and we had 21 schools in attendance.

Dave Bittner: Wow.

Tony Aukland: That was so popular that some people wondered, could we do a middle school event? We actually run them both slightly different. We have one partner for the high school side, Palo Alto Networks. Partner on the middle school side is cyber.org. And we would actually see a virtual event before on the middle school side that led to 36 teams. Four students per team are the maximum. We had well over 120 kids participate in the virtual event. Then we brought the top 10 teams for that into an in-person event. And those students also can win scholarships and such for the event. So, when we talk about how are we getting to North Dakota, we have PK-20W here in North Dakota, and it's preschool for kindergarten all the way through high school, college, doctorate. PK-20W, the W stands for workforce. And so we say every student, every school, cyber-educated. And that doesn't mean every one of them's got to be a cyber analyst like a lot of the people in this room or anything like that, but they are certainly at least cyber aware of security awareness. And this conference was planned on purpose in October for the kickoff of it being National Cybersecurity Awareness Month. And that was not by any stretch of the imagination some kind of random throw at the dartboard. We -- we did that. The committee did that on purpose. So we do that across schools. We have -- for those who take a different route through their careers, or reskilling, there's a skills for all website free through the state of North Dakota that we have available and many other resources. We talk to many schools. We have Hour of Code. We have Cyber Madness. We have all kinds of events that we support and try to expose students to the jobs that are here in North Dakota. And you asked about, you know, what's in state and out of state. We allow a lot of times here in North Dakota, like the state of North Dakota, we allow remote work. So many of the people that work for us actually live in other states. And they may live in the state, or they may live in other cities in the state. It's no longer if you're a State of North Dakota employee you had to move to Bismarck, North Dakota to work at the state government or the capital.

Dave Bittner: That's really interesting. I mean, that's an interesting, competitive approach, you know, because that's not that way in many states where, if you want to work in the state government, you have to live there in the state. And you can understand the legacy of that. But I think it also points towards this whole of state approach, which honestly was one of the reasons I was really looking forward to coming here was to talking to you all about that because that is unique in North Dakota. That -- I think that is an area where you all are leading the rest of the nation in being so intentional about having cybersecurity from every level of the state.

Tony Aukland: And you saw, as you heard CIO Kuldip Mohanty talk at his presentation and probably here at this podcast, you know, there's a lot of that collaboration here in North Dakota. A lot of times when John made the joke about then I called him, we may not know everybody, but we're a small enough state and population wise that we might know somebody that does know somebody. And so we're probably able to find out who a lot of those people are. We've had great leadership from Governor Burgum. He's got a great technology base mindset for these kinds of things. And that support is not lost, you know, on any of us. And that collaboration is seen here at this committee. I mean, just the committee alone at CyberCon has private industry, has the government, has education, has, you know, all the different facts or sectors that are involved.

Dave Bittner: Do you have advice or words of wisdom for folks who may be thinking about starting their own conference, using you all as inspiration?

Tony Aukland: Well, I really enjoy it. I have a blast with it. I cold call a lot of speakers. I love it when people say how did you get this person or that person. I was like, I just called them and asked her, you know? And she said yes and so we showed up. You know, it takes a large group of individuals to put these things on. Everybody has to have an active role. It can't be something that everybody's just showing up for the meeting, and three people are doing all of the lifting. One of the most important pieces I'd like to brag about Allison Zarr and Bismarck State College is continuing education. They really do a lot. And somebody like Allison, it would be very difficult to do this without her. Her and their team really, really put in a lot of effort. You know, we don't have to worry about necessarily what room are we going to be in, what time can we get into the building, all that. They can take care of all that for us. And when you have that coordinating partner who can take care of not just logistical but a lot of the financial budgetary wise and such, it really takes a lot of pressure off you to explore into the creative side of who could we get to speak, who could we get to do things. You know, things that we've done every year have been slightly different. Last year, we had a capture the flag event that ND IT's team won. Stay in North Dakota is IT won it. This year we have focus groups that are being led by four members of State of North Dakota, Michael Greg, our CISO; Jess Newby and Josh Kadrmas, who are both leads for our GRC team; and Christopher Gergen, who's the director of the SOC for the State of North Dakota. They'll do focus groups tomorrow as well. So we've always had something new, something a little introduced that shook it up a little different every year. But we've had great, you know, support with everybody showing up and being here and participating as they do.

Dave Bittner: And what are your aspirations? Where do you hope that this goes?

Tony Aukland: I share similar aspirations as you've heard today. I would like to see us maybe expand half a day or another day. I would like to see us involve more of our tribal partners in the state. We do have online today Turtle Mountain Community College. And we have had United Tribes Technical College. We do a lot with them. They bring students down as well. So we do have a presence there. But, you know these kinds of careers are really important, especially when you start talking about that remote work because a lot of our tribal partners, that community doesn't see themselves necessarily moving out of their community to go to a bigger metropolitan area. They want to stay in their community. So that remote work becomes really important when they can stay with their families and stay with their loved ones and stay with their community and still be able to work these kinds of jobs. We all need the support and help. Every -- every culture, every career, every -- and every sector out there is looking for protections that cybersecurity and critical infrastructure can provide. So we've been very fortunate to have that strong partnership over the years.

Dave Bittner: Do you feel as though there -- there any unique opportunities that -- that you all have being North Dakota, the makeup of the state itself, the people, the way -- where people are -- are situated, you know, the pockets of population? Many people are spread out.

Tony Aukland: Yeah. Well, we're very fortunate. We have a very strong technological network in the Dakota Carrier Network and other partners who we have high speed internet to every school. You know, we have a large ring around the whole state that many of us are very familiar of and what that brings, fiber and everything to the background of that, allowing everyone to be able to access those education resources remotely, being able to access those jobs remotely, and also to be able to communicate with all of us that we do. You know, we can have some rough winters in North Dakota so --

Dave Bittner: I've head that that is the case. Yeah.

Tony Aukland: From time to time we might get socked with something. So, from that standpoint, we do spend a lot of time, you know, doing remote meetings and such as you heard our CIO talk about when the interstate gets closed --

Dave Bittner: Right.

Tony Aukland: -- and so forth. So that's been a big part of that. I do a lot of remote presentations to K12. Our Edutech team does way more than I do to K12 across the state. So the other side of that, when you're looking at planning conferences and so forth, North Dakota is often a place many speakers have not been. Is this your first? Yes. So I will say that works a bit of an advantage when we say, Yeah. It's in Bismarck, North Dakota. And they're like, Oh, my gosh. I'd like to go there, you know.

Dave Bittner: Yeah.

Tony Aukland: And, as you can see, we are not buried in snow and cold year round. It's a beautiful fall day here in North Dakota where the -- situated right along the banks of the Missouri River for this conference.

Dave Bittner: Right.

Tony Aukland: It's a nice 65-, 70-degree day and such. That happens. You know, we have a summer that doesn't include snow or anything like that and so forth.

Dave Bittner: Yeah. What's your advice to that up-and-coming person? I'm thinking of either a student coming up or maybe someone who's considering a career shift. Any words of wisdom there?

Tony Aukland: Yeah. One of my favorite sayings Michael Gregg has, the CISO for the State of North Dakota, is sharpen the saw, which means furthering your education, learning more skill sets. He often jokes with me that I started that -- he totally started that phrase. I didn't do that. But I use it all the time. And so I encourage people to not only do two-year, four-year education and all of that, but there's certificates out there. And there's podcasts to listen to. There's the CyberWire and so forth. I mean, there's so much you can do now to become educated on all of these topics, you know. Are you struggling with this type of topic or that topic? You can probably find a YouTube video pretty quickly or another educational resource to do that. The State of North Dakota, we have very strong education platform for employees. We allow educational growth. We believe in growth mindset. I am somebody who just completed my MBA. I have a couple GIAC certifications. I have a SANS Security Awareness Professional. Every member of our team on the State of North Dakota side is getting a new certificate every one or two times a year. And those things show in their skill sets. You know, they're learning things cybersecurity, IT. It's amazing, I mean, when people talk about, you know, how quickly it changes. That was old talk. It's just constantly changing. I mean, it's just not -- it's not slowing down by any stretch of the imagination. There's new threats and new attack vectors and new things going on all the time. So anybody coming up, I also encourage them to put their effort into their vocation, you know. The days of I might be from the last century in the '80s, and we might have done some of our school, done some homework, played football after school, and then maybe hung out with our friends all night. I find myself now doing all kinds of furthering education, even in the evening, you know, where I like to spend a lot more time maybe researching a lot of the things that we're talking about, listening to a podcast, watching a talk through some type of conference or event that I didn't get a chance to attend during the day. So you never stop learning. Never stop growing. And don't think that your college career or whatever it is -- but you also don't have to go to college all the time for everything, but you -- you do need furthering education of some sort. It's not you graduate high school and, bam, we make you a cybersecurity analyst. But there's many companies out there that are looking to hire people that have the drive and the desire to be in it and helping them pay for furthering college and furthering education. There's so many avenues and so many ways to get into it today. Explore it. There's so much that you can do.

Dave Bittner: Next up is Bill Heinzen, Information Security Team Lead at National Information Solutions Cooperative. So what is it that draws you to this conference? Why do you choose to spend your time being involved with this?

Bill Heinzen: Absolutely. It is a topic that is relevant to the community. And one of the things that I really find to value about the Bismarck Mandan area is that the organizations here, whether it's NISC, whether it's Dakota Carrier Networks, we act as partners in this endeavor. It's not an area where each of us is trying to compete or outdo the other, but it is about providing a valuable service by educating people on a topic that is becoming increasingly relevant.

Dave Bittner: What is it like for you when you're out there hiring, trying to attract a potential candidates? How is the candidate pool in this area?

Bill Heinzen: It's -- it's phenomenal. You know, I would say one of the things that is worth being aware of as an employer and in terms of going out and looking for candidates to fill a position is that cybersecurity, information security can be a really nebulous concept, right, in terms of the skill set you're looking for. So someone who is, for example, very experienced at IT forensics may not be a good fit for a security compliance audit. And so when it comes to the employers and when it comes to the topics that we touched on in CyberCon is we try to emphasize some of the different facets of the information security profession. I think that that worked on a couple of fronts. One for us as the employers, it continues to reinforce the notion that cybersecurity is a multifaceted profession. There's not going to be a single skill set you're looking for. Like Troy had mentioned earlier, you're looking for people that can leverage critical thinking and powers of reason to answer questions that don't always have a clear-cut answer. So, from the employer side, it helps us emphasize the diverse nature of the profession and what we're trying to hire for within it. Now, on the student side, right, to sell the Bismarck State College, I think it also helps emphasize for them that, even though they may not know exactly where they want to be in five years, 10 years, and the truth is a student -- I remember when I was a student, we very rarely didn't know that, right? But it can be helpful to know that, if cybersecurity as a broad topic is your passion, you don't have to feel locked into one aspect of it. You -- you might start out having an interest in infrastructure security, for example, in learning how to develop systems and networks that are hardened against cyber intrusion. But you might find later on that perhaps your real passion is for application security. And you want to learn how to code apps defensively for things like defending against SQL injection and cross-site scripting. And the great thing is, is as long as you are interested in the subject overall, you really have the ability to change what your specialization is over time.

Dave Bittner: What about that nontraditional student who's coming up?

Bill Heinzen: Yeah.

Dave Bittner: You know, somebody who may be coming from a different place, a different -- had different interests, but now they find, wait. This is something that sparks my interest. So that person who, you know, came up in life and maybe cybersecurity had never crossed their mind, but at some point they recognize it. They saw it, and it sparks something in them; and they want to take their place. What's -- what are your insights on that person?

Bill Heinzen: That was me because I was that person. My background is not in cybersecurity. My background was in accounting. I originally saw myself as going to school, getting an accounting degree, and becoming a CPA. And that's what I did. That was -- that was what my undergraduate was. And one of the things that they have begun testing for on the CPA examination is actually cybersecurity. There -- there is a very small subset of questions that are related to that topic. And the reason that that's the case is, if we go back to the nuts and bolts of why are people breaking into systems, there can be a variety of motives. But, oftentimes, the motive is financial. And, from an accounting perspective, the notion that people have cooked the books, so to speak, or used financial systems to -- to achieve personal financial gain in unethical ways, that is not a concept that is new to the accounting profession whatsoever. For example, the practice of going through a financial statement audit is -- is literally the process of bringing in a third party to go over a company's set of bookkeeping records to see if someone has manipulated them or not in order to, for example, misrepresent company's earnings, things like that. And, as the accounting profession evolved to include technology as -- as a more regular part of the bookkeeping process, right, you would -- you would use different IT systems to create your vendors to -- to cut the checks, et cetera. It quickly became apparent to people that were preparing accountants for that profession, it quickly became apparent for them to know that you are going to have to have a workforce that is educated on the topic of cybersecurity because it is so relevant to the profession. And so that was me. I actually early on wanted to get involved in forensic accounting. I was curious in pursuing a profession that allowed me to help root out and prevent white collar fraud. I found out soon enough that all of the white collar fraud is happening through -- or not all the white collar fraud but a substantial portion of -- of financial crimes is being achieved through malicious cyber intrusions. So for me that was a shift in focus to say, hey. This -- this passion that I have always had is something that the most cutting edge work that's being done in that area is being done in the cybersecurity profession. And to kind of answer the initial part of your question, I would not discourage anyone at all that has a nontraditional background from finding ways that they can pivot into the cybersecurity profession. The way I was able to do it was, again, going back to the auditing example. I was looking to get involved in cybersecurity more often. And I said, Okay. What do I know about cybersecurity to begin with? Well, I know that viruses are bad, and firewalls are good. That was basically where I was starting.

Dave Bittner: Okay.

Bill Heinzen: But then I said, okay, okay. Cybersecurity compliance audits are becoming an important part of the profession. You've got attestation standards like, for example, the PCI DSS that involves, again, a third party going in to a company saying, okay. This is the PCI DSS rulebook over here. This is what you're doing over there. We are going to gather evidence to attest to whether or not you're following the rulebook. And I said, I know how to do that. That's a financial statement audit. You're -- just the evidence you're collecting is, rather than collecting evidence regarding how a company is conducting its bookkeeping operations, you are collecting evidence to see how a company conducts their IT operations. And, from there, I was still able to build up my skill set and just I took that -- I took that one area where I had a frame of reference that I was able to familiar with, and then I built on that and developed my IT and cybersecurity skill set from there on out.

Dave Bittner: It seems to me like part of what you're saying is, you know, don't exclude the opportunity to pivot, that there may be something parallel to your -- you had a preexisting set of expertise.

Bill Heinzen: Correct.

Dave Bittner: You were able to take that and apply that to this new vertical that was attractive to you. It turns out you had a skill set that was -- that was in need in cyber.

Bill Heinzen: Correct. And, again, that's where we would -- you know, going back to the topic of students at this conference and what employers are looking forward is that's just a message I would -- I would put out to them, right, is that very idea is take what you know, take what you're passionate about, and apply it to the cybersecurity vertical.

Dave Bittner: Last but not least is my conversation with John Nagel, President of CyberNet Security. So let's start off with some high-level stuff with you. What led to your involvement with this conference?

John Nagel: It was an interesting phone call one day from a gentleman named Tony Aukland and was discussing the opportunity for a conference built on critical infrastructure. It's kind of gone unnoticed, you know, when you talk about cybersecurity. But we have 16 of them, maybe soon to be 18; and nobody was really talking about the infrastructures as it relates to securing the important things in our day-to-day life in the United States. And, you know, it was about time. And Tony made a call and says, Hey. Would you be interested in helping to create this conference? And it just took off from there. The next thing, you know, we're into this seven years later.

Dave Bittner: Is critical infrastructure your background? Is that your particular area?

John Nagel: No. My background really was formed in IT. Most of my career was at General Electric, coming up to -- through the ranks to be a CIO of a $2 billion division of theirs and then into the e-commerce side and running some e-commerce at an $8 billion division for them. So I started there. But, as I came back to North Dakota, quite honestly, to make sure my parents can stay in their home as they have aged and they got me where I'm at, it's like, now might be an opportunity to come back home and do something a little different. And out of that evolved starting a new cybersecurity business up here.

Dave Bittner: What was the landscape like when you came up to start that business?

John Nagel: Kind of nascent in some ways. I mean, it was there in pockets with different companies. But to go out and find a business that was focused solely on cybersecurity that was not an IT based company, not an IT services company, etc., That was a challenge. I quite honestly didn't find any that that was solely their focus, that was their mission was pure cybersecurity. And so, you know, talked to a couple people, met a few people and said, You know what? Let's give this a shot. And, several years later, we did some work for Beck Communications. They loved what we did and said, You know what? We think there's an opportunity here, so they acquired us in 2021.

Dave Bittner: Very nice. So back to the conference itself, as you were conference chair, was that -- were those early years really focused on critical infrastructure?

John Nagel: It was, yes. It really was. We actually had some nice sponsorship from our emergency services department here. They were one of the core. We were just starting up a cybersecurity program here or writing in letters in support of BSC becoming a cybersecurity institution that could provide talent to the world. And I say the world literally because the world needs cybersecurity experts, not just North Dakota. And as we started to focus on it, we had different focuses. We have 15 of the 16 critical infrastructures located right here in our state. The only one that's missing is nuclear. And I guess we could make the -- the argument that we do have that, too, with all the missiles located here so.

Dave Bittner: Fair enough. So as you were all were developing this program and -- and, you know, not just for that one year, you wanted to build something that was going to be lasting, what went into that planning process?

John Nagel: We wanted sustainability, right. And, to start out, we really weren't sure. We approached Bismarck State College here and talked about, you know, we have an idea. We'd love to leverage your institution here to host this. Would you like to be part of it? And during that first year, we kind of went back and forth and finally said, You know, this might be a good thing long-term. And it's like, well, let's try it the first year. How do we -- how do we get started? What do we do? How do we get the message out there? Do we have the right players in place? And, for the most part, I would say we did. We just didn't know a lot of things. You know, this was the first true critical infrastructure conference but then tied to education, which presented some different challenges. How do you involve the students yet have the seriousness of critical infrastructure and then make the public aware of both spectrums? That was our challenge. I thought we did a pretty darn good job because here we are seven years later providing scholarships back to BSC.

Dave Bittner: How did you do that? How did you cover that gamut?

John Nagel: You know, it was the diversity of the group, I think. We ranged from manufacturing to defense to the National Guard here to the State, private sector players. They all came to the table. And I've got to tip my hat to Tony Aukland when he gave me a call and, like, are you crazy? You know, but it was just crazy enough that I wanted to jump in. And so, when we got that mixed together, I remember some of the first early meetings as, you know, what should we do? Who should we get? What do we bring? How many days should it be? What do we charge? Should we charge? And all those things came into play. And it took about a year of planning to figure it out, and then we just did it. You know, you learn from that first year. And coming out of that, we've continually met every single year after each conference. We do a quick debrief. I like to call them lessons learned versus post mortem because I prefer the positive. I don't like looking for buried bodies. And so we've done a really good job of that so far, and it's just evolved.

Dave Bittner: What are your thoughts here today as, you know, we look around, as I mentioned, to one of your colleagues, you know, there's -- the rooms are packed, and there's a lot of energy there in the room. You must have quite a sense of pride.

John Nagel: We do. I do personally. It's more of a team thing than an individual thing. You know, as tired as I was this morning, had calls from different, you know, customers having issues this morning. You get here and you flip a switch and -- and the energy level goes up, the smile comes on your face, and you're all in. So that's what it does for me personally is, you know, transforms me as soon as I walk in the door and I see all the different people. So it's uplifting. And then you take a sense of pride in what you've done. But you can't rest on your laurels in this industry. That's -- that's the thing. Cybersecurity is an omnipresent threat today. The landscape changes hourly, and the inflection of AI probably will make a change minute by minute.

Dave Bittner: Where do you hope this goes? What are your aspirations?

John Nagel: I'd like to see it bigger and better. But I'd like to see it maybe get split out a little bit more. And we start talking about some student-specific, you know, conference activities, whether it's, you know, geared toward what they're doing the class, whether it's geared toward tools, bringing professionals in and gear that side, and then have the business side here because our businesses, we would love to have more of them involved. They just don't know what they're facing right now. Or they may choose to ignore it. You know, it's all about risk management. You know, out of sight, out of mind. And I think we have two tracks here that we can take this really to the next level. So we start out with a nice opening. I love to see that. You know, then split it up a little bit for students and educators and -- and then the business world and then keep moving forward and bring everybody together for the close. I mean, that's a personal vision. I just got to look at my peers in this room here as we're talking today and see how we get there. And we do pretty well with those conversations. So I could see this evolving into a multifaceted conference that might last two days, three days, depending on -- or have separate days as we bring everybody together. So I'm looking forward to the next five, six, seven years.

Dave Bittner: Our thanks to Troy Walker, John Nagel, Tony Aukland, and Bill Heinzen for taking the time to share their insights. And thanks to everyone at CyberCon in North Dakota for being such warm and gracious hosts. If you're in the area and you're a cybersecurity professional or student, do check out the conference. It's time well spent. I'm Dave Bittner. Thanks for listening.

Special Editions
Podcast Info
HOST(S):
Dave Bittner
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Creator: CyberWire, Inc.