Jenny Menna is a seasoned Midwesterner, having received both her B.A. and M.A. from the University of Chicago. But today, you could say she’s seasoned in the proceedings of our nation’s capitol as a member of the U.S. Department of Homeland Security (DHS).
Menna directs a division of the Office of Cybersecurity and Communications (CS&C) titled, “Stakeholder Engagement and Cyber Infrastructure Resilience” (SECIR). Prior to this role, she directed Critical Infrastructure Cyber Protection & Awareness and the United States Computer Emergency Readiness Team, and has held roles as Deputy Director and Program Manager.
Menna spoke with WashingtonExec about her role at DHS, how to keep information safe, especially with the recent wave in cyber attacks, how cyber security has evolved, and more.
WashingtonExec: Could you tell us a little more about your background and how you got to your current role with DHS?
Jenny Menna: I have actually been at DHS in what is now NPPD (National Protection of Programs Directorate) for about 7 ½ years. I’ve held a number of positions within our infrastructure protection and cyber security organization. With our new realignment, the organization that I’m leading – the Stakeholder Engagement and Cyber Infrastructure Resilience Divsion- includes a number of programs that I’ve been in charge of at some point in my travels throughout the organization. One thing that is new for me is bringing the communications aspect together with cyber security and better coordinating how we engage our stakeholders across the entire Office of Cybersecurity and Communications.
I was the Acting Director of US CERT, our cyber operational component, immediately before this new role, and prior to that I ran the Critical Infrastructure Cyber Protection and Awareness branch of the National Cybersecurity Division. Before joining DHS, I worked for a large systems integrator for almost ten years, working on everything from project management to cyber security to strategic plan development.
WashingtonExec: I know that it is hard for us to think of any information sharing platform as being foolproof so what are your personal tips on keeping information safe?
Jenny Menna: Information sharing is critical for us at DHS. Our mission requires us to share information with federal government, state and local government, and the private sector, as well as international partners.
We have to do that sometimes in person, but more often we have to do it virtually, and we have to do that at different levels of security. Sometimes we are even sharing classified information.
___________________________________________________________________________________________
“While we are worried about safeguarding government information, we also need to be able to receive information safely from the private sector. They have their own set of concerns about proprietary and competitive information, regulations, and other sensitivities.”
___________________________________________________________________________________________
Not every type of information needs to be secured in the same way. While we send some things by regular email, for more sensitive information, we use a secure portal with second factor authentication. Some things we’ve found are best shared in person, not only because of sensitivities but just because of the dialogue and relationship building and the ability to have that immediate feedback. To make it work we all have to have the same understanding about who can use our data, how they can use it and vice versa – we have to understand what the expectations for handling or redistributing information are.
WashingtonExec: General Keith Alexander, commander of the U.S. Cyber Command and director of the National Security Agency, recently said at the Symantec Government Symposium that he thought people were “stuck at the starting line” in defending against cyber attacks. Do you agree?
Jenny Menna: I will say General Alexander and his team at NSA have been excellent partners to us, and we collaborate with them on a daily basis on this issue. I have a more optimistic assessment perhaps than General Alexander does. We have a number of ongoing programs to prevent and mitigate cyber intrusion and incidents and to help our stakeholders respond to and recover from attacks. These range from the Einstein Intrusion Detection System, to the managed security services we fund for state & local government through the Multi-State Information Sharing and Analysis Center, to site assessments for critical infrastructure. We’ve (DHS and NSA) leveraged our respective authorities to provide briefings to critical infrastructure chief information officers at the highest classification levels, so they can make informed investment decisions. I will say that there is no doubt that we are operating in a constantly evolving cyber security landscape. We are certainly off and running here but it is a very long race– it’s not a 5K, it’s probably not even a marathon. It’s probably one of those ultra endurance races!
WashingtonExec: Would you say that the government is fully equipped to provide threat information?
Jenny Menna: The government has a wealth of threat information that we get from a variety of sources: our partners in the Intelligence community, what we at Homeland Security see watching the federalcivlian.gov through the Einstein Program, from our partners in law enforcement, from international partners, as well as what we get from state & local government through the Multi-State ISAC, and from the private sector partners that share information with us. We sit in the middle of a tremendous wealth of information, a great source of situational awareness. The challenge is really getting the right information to the right people when they need it, recognizing that all of those people have different sensitivities with their information.
I will say that we’ve made significant progress through programs like the Cyber Security Information Sharing & Collaboration Program that’s evolved out of a pilot that did with the financial services sector. Have we reached a perfect state? No, but the government does have very good threat information and we are working very hard to get that out to those that need the information quickly, and through a machine readable, easily ingestible format, so that our partners can secure their networks.
WashingtonExec: How would you say cybersecurity has evolved over the years?
Jenny Menna: I think obviously over the last thirty years our country has seen technology revolutionize our economy, it’s transformed our lives. While the increased connectivity has led to significant efficiency and global advances, it has also elevated the complexity of risk. We do almost everything online now personally and at work. Implementing enabling technologies increases efficiencies for sure, but it also introduces potential vulnerabilities. As a result, cyber attacks have become a serious and rapidly evolving threat. Cybercrime has increased significantly as well. We expect cyber risk to only continue to grow more complex as we increase our reliance on our networks and systems. That’s kind of the bad news.
The good news is that I can say in the past few years, people are starting to “get it.” It is less of a sale to convince people that this is a serious risk, that cyber security is something to take seriously. The threat has changed significantly but I think the willingness and acceptance to address this issue as a part of the risk management landscape has grown as well.
WashingtonExec: What has been one of your more memorable moments on the job?
Jenny Menna: Recently, a gentleman from the nuclear power industry told us that based on the briefing that my group at DHS and the National Security Agency jointly gave to their Chief Information Officers about the cyber threat landscape and mitigation strategies, one of those CIOs went back to the office and quadrupled his cyber security budget.
______________________________________________________________________________________________
“We hear good news stories about our programs from across the sectors, but when you think about a nuclear power plant making its systems four times more secure – that’s the kind of thing that makes you glad you came to work. Our outreach to private sector does have a tangible impact on how they secure their systems.”
_______________________________________________________________________________________
WashingtonExec: What keeps you up at night?
Jenny Menna: We’ve had more and more cyber incidents. I do worry about a significant incident or attack against our nation’s critical infrastructure, particularly one that could have physical consequences through industrial control systems. I also worry about attacks that are of a scale that overwhelms the resources available to respond. As a nation, we need to train morecyber security experts to prevent and if necessary, respond and recover from a large scale cyber incident.
WashingtonExec: What other outside organizations are you involved in besides your very intensive job?
Jenny Menna: I am the class mother at my daughter’s elementary school, which everybody here at work finds pretty entertaining. And I spend a great deal of my time driving to and from sports practices.
