CISO Liebert's Legacy: 'The Right People in the Right Spots'
At the end of the week, Peter Liebert will end his two-year tenure as the chief information security officer (CISO) for the state of California. As his time winds down, he sat down last week with Techwire to look back — and ahead.
Liebert has a host of degrees, certifications and other bona fides after his name, and he rattles them off: "SANS, GSLC, GISP, GCPM, CEH, CISSP, some COMPtia. I try to do one a year." He has a master's degree in public administration from Harvard University. That followed a bachelor's in English from the Naval Academy and joins master's degrees in international security and cybersecurity. He's aiming to get one more master's degree, then either a juris doctorate or a master's in business, before capping his academic credentials with a doctorate.
Liebert sat down last week with Techwire for one last interview in his role as state CISO. What follows is a transcript of that conversation. It has been edited lightly for brevity, style and continuity.
You’ve been state CISO for about two years. What do you consider to be your legacy?
I think it’s establishing the [cybersecurity] program overall and getting the right people in the right spots. That was really Priority 1 for me — getting the bench to move the ball forward. I’m confident that when I leave, that’s been established. I didn’t want to leave and then have everything fall apart. But we have a great team put together right now, with the managers and Vitaliy [Panych] as the deputy. All the stuff that we’ve done is a testament to their accomplishments.
How did cybersecurity become your passion?
Without getting me in trouble … (laughs) when I was a kid, I tinkered around a lot with computers. I was never like a Beto [O'Rourke], who joined a hacker collective, or anything like that, but I certainly was fascinated with hacking. I was tooling around with a Tandy 1000 Radio Shack computer when I was only like, 8, 9, something like that, and learning to code and building programs — trolling around what they called bulletin boards back then, BBSs, and I was just fascinated — and especially the work-around, the hacking component, breaking into systems and doing things like that. I probably crashed and destroyed my computer and had to rebuild it in terms of reformatting on my own dozens of times, downloading various different viruses and trojans and things like that.
I went into the Naval Academy from high school [William Penn Charter in Philadelphia], and when I got to the academy, I was going to do computer science; that was my major. The first year at the academy was very difficult, and I was struggling academically. … I talked with a counselor, and I was an athlete as well [squash], and the counselor said: 'This is no walk in the park. Every waking moment needs to be spent on this if you’re going to succeed.' So I decided to become an English major instead, which actually has been very beneficial — the writing skills, the communication skills, it really worked out well. Then went into the military, transferred over to Supply Corps, and I started doing technology, and this was before any cyber stuff. The only cyber stuff they were doing was intel, and I really wasn’t interested in doing the intel piece. I got out in about 2008, went to Harvard, and I took this course in cyberwarfare. And I just loved it. I wanted to get back into civil service, and this allowed me to do it.
So where is the state in its security maturity?
This is a very long game. If you look at cybersecurity, a good CISO tries to get the organization to a point where the leaders are comfortable with the risk where they are. Now, things will change — additional threats, stuff coming out of left field that you never solved. The goal of the program is to get to a point where it’s day-to-day, and not, ‘Oh, everything’s going to fall apart.’ But you should always keep looking for the next threat that’s coming down the line and angle yourself toward it.
Are you looking down the road to working again with the federal government?
Eventually, yeah. I love working with the federal and state governments. I got into this field because I felt there was really so much to be done on the state and federal side, in terms of cybersecurity. We were just getting hammered — OPM (U.S. Office of Personnel Management identity hacks), massive breaches, and the states were even worse. I had a course taught by Richard Clarke when I was at Harvard, and that’s really what kick-started it. If you’re going to root for the underdog and go for a cause — and try to do something right for America — let’s shore up what we have on the cybersecurity front and kick China and the other APTs [advanced persistent threats] out, stop the intellectual-property theft, stop cybercrime.
Is there anything you wish you could have accomplished or completed?
Yeah, I think a big one is publishing the five-year strategy. We’re so close; it’s in the final approval state. We’re just waiting on some final comments and edits. That certainly would have been nice, to get that out the door. It’s done. We led the way on it — developing the framework and then getting the community to provide input; it was a long effort. We had over 40 departments contributing; we had 400-plus hours of meetings, sessions, whiteboard brainstorming sessions. … But it’s really fantastic. If you look at what makes a good strategy — I think it was [Richard] Rumelt who wrote that you diagnose problems (people, process or technology), then you develop a policy or strategy to meet that, and then having action assigned as well. And we have all three. We actually have a road map, which — per each fiscal year — gives everyone targets for the next five years. It’s really going to pave the way for where we go.
Will that strategic plan be good for five years, or will it require rolling updates?
It’s broad enough that it’s probably good for five years, but absolutely, the next CISO should look at that annually and figure out where they want to move the needle. A good strategy is something that can be agile, that can flex with the times.
Are you planning to stay in the Sacramento region?
It’s up in the air. I’ll be doing a little bit of consulting independently as I look around the different jobs right now. I’m really trying to find a good fit; I want to stick with the next job for some years, as well. I’m really taking my time, making sure it’s a cultural fit.
What will you miss about working in the public sector?
Certainly — and this holds true for federal as well as state government — when you get into a role that’s at the executive level, it’s pretty big, typically. I have … over 140 departments, 300,000-plus employees. It’s huge – it’s like a multinational corporation. The challenge is certainly something that drives me. That’s not to say the private sector isn’t challenging. I certainly will miss that aspect, and the mission’s a little different, too. Rare is the company that wishes to not make money. Our goal is to provide services to provide a safe, secure environment for all citizen data and services. We have no profit motive. If we do our job, [hackers] will never know we’re here. We are the last line of defense between us and the bad guy.That’s our sole job. I’m not asking people to go sell anything; you’re not here to make a profit. That’s a different mindset, and that’s something I’m going to miss.
We would not be here without the private sector. Everything, we leverage. The private sector is absolutely instrumental, and there is a reason why they build off profit: It’s called capitalism, and it allows us to innovate, move projects forward and do research. It’s just a different mindset.
What are you looking forward to about being back in the private sector?
It’s certainly a more agile environment, being able to flex a bit more with the threat as it comes out, seeing what the next thing is, and, depending on which company I go with, being able to tackle that challenge, build a new program, get it up and running, kind of like where we are now: We have the right team, hiring the right people — to me, that’s a lot of fun, getting everyone moving toward a single goal. I'm looking forward to doing that again.
Will you continue speaking in the area at professional conferences and the like?
The public role is something that I really do enjoy. I love talking about cybersecurity. It’s my passion, so any opportunity I can get to flap my lips and talk about it, I’m happy to do so.
What do you read to stay current?
I do a lot of reading. I love books, especially those that are looking at future state stuff. I listen to podcasts; I like Richard Clarke. ... There are really great articles out there — you look at Wired, you look at Dark Reading. … That allows us to look a bit broader: What are the other states getting hit with? What are they paying attention to? Who is the federal government paying attention to? The intelligence community? It all kind of congeals together and gives you a sense of what to worry about and what’s coming next.
Why did you choose to leave state government now?
There’s a variety of factors that played in. One of the big decisions was timing — the new administration coming in. I was just coming off my parental leave; it didn’t fall apart at the seams when I was gone. I have a good deputy, a good team in place. If I were to leave, this was an opportune time to do it: It allows the new administration to get someone in. We have the continuity, so that definitely played into it. If I’m going to move, I want to do it now before the kids get a little bit older. All these factors kind of contributed. Going into the private sector, it would be nice to make a little bit of money as well, there’s no doubt about it, because now I have two colleges to pay for.
Would you ever consider a state CIO role?
No. I certainly have the opportunity to go do a CIO role in the private sector now, for example. Cybersecurity is my passion. I’ll stick with CISO for quite awhile. I’ve thought about it; I have the capabilities and the technical skill set to do it. I just love the security side too much.
Do you ever want to write a book?
Eventually – I have quite a few books. I’d love to do a fiction book. If you’re going to look at someone now and where they are … Richard Clarke is an example. He writes fiction and non-fiction; he’s had unbelievable experiences working as the terrorism czar and for multiple administrations … so he’s got the non-fiction piece there, but he writes some great fiction. I’d love to do that.