When Dan Barber joined SE Solutions Inc. four years ago, the company’s cybersecurity capabilities were split across multiple business units that had differing levels of focus and growth. By centralizing cybersecurity capabilities and bringing focused leadership, the company’s cybersecurity practice quintupled from $4 to $20 million in annual revenue, Barber said.
Today, SE Solutions’ cybersecurity capabilities focus on successfully blending its customer needs within the ever-changing IT landscape through agile integration, unifying business approaches to DevOpsSec, cloud security, and ongoing authorization with continuous diagnostics and mitigation tools. As senior vice president of technology, Barber has found himself at the center of building these capabilities with his team of experts.
“All the growth has been because of those experts that have delivered really exceptional work for our federal customers,” Barber said.
Barber said the cybersecurity teams have shared many successes over the past 18 months, including one of which he is especially proud — the work of a secure software analysis team that advised senior executives within a government organization on the viability and risk associated with a $100 million software development project.
“They brought us onboard to evaluate the quality of a custom developed government application that had been running for several years with significant resources poured into it,” Barber said. “The application had a number of operational problems, and there was no visibility into the quality or security of their product. They had no way of knowing what needed to be fixed — the code, the infrastructure, the development processes, or all of the above.”
Leaders from that organization brought in the SE Solutions team, which went on to analyze over 500,000 lines of code through manual and automated mechanisms including architectural reviews; change control analysis; leveraging Fortify, Coverity and SonarQube scans; and comparisons against industry standards such as OWASP. In the end, the government used the analysis to focus corrective action on improving development practices including code quality validation prior to release. Over the next six months, the application security risk was cut in half and acceptable user load increased 1,000 percent.
“We were able to go in and give our customers the truth about where the system was and what they had been paying for, how it was developed, and give them the insight they needed to make the business decisions on this huge IT investment,” Barber said. “I was proud of my team for having the courage to deliver a tough message in such a professional way. The executive reporting and communications were really just top-notch. The secure software analysis team dove in and built out 300 pages of reports that spoke in pieces to the executive directors, to the managers and to the application developers alike.”
Barber said that level of effort and “incredibly thorough, driven work” is paralleled in SE Solutions’ support of DHS Chief Information Officer John Zangardi, who came from the Defense Department. When Zangardi wanted information security scorecards and executive reports delivered in a manner similar to what was used at DOD, Barber’s team analyzed the expectations, determined the complexities of what was needed and quickly revamped those systems, he said. Not only did the team accomplish this effort ahead of the customer’s proposed deadline, but they implemented a solution that significantly enhanced the speed at which the effort was conducted.
“In under 30 days, with the new CIO’s direction, we were able to completely redo the scorecard to look and feel the way he was comfortable with,” Barber said. “It expanded from two pages to 27 pages, and we cut down the time to draw the information together from 16 hours into just minutes.”
Barber has spent the last 13 years supporting DHS in various capacities, as well as other civilian agencies, through work in enterprise architecture, information sharing, cybersecurity and the Capital Planning and Investment Control framework. Yet, he didn’t plan to be where he is now.
Barber began his career working in a commercial and academic environment and pivoted to the public sector following the dotcom bubble burst. He calls himself “extremely fortunate.”
“I ended up supporting the Department of Homeland Security’s chief information security officer kind of unplanned,” he said. “I would love to say that I did that on purpose, but the opportunity just fell into my lap. I always tell young professionals to keep yourself open to unexpected career paths. You never know where an opportunity can lead, as long as you do good work.”
SE Solutions’ cybersecurity practice has historically focused on recommending solutions and guiding customers’ expectations within emerging technologies, such as cloud transformation and continuous diagnostics and mitigation support. Barber foresees the practice remaining focused on delivering and exceeding expectations in these areas as SE Solutions continues to grow.
“When I first came on board four years ago, we were a majority subcontractor,” Barber recalled. “Now, more than 80 percent of our work is prime. There is a cultural shift in what we’re delivering and how we’re delivering it, both in size and scale.”
WashingtonExec: What is the biggest misconception about “cybersecurity,” either by the general public or within the public sector? Has your definition of the term narrowed or changed in recent years?
Barber: Back in the 2005-2006 timeframe, the word “cybersecurity” was not used that much. We used “information assurance,” which came from the DOD side of the public sector. The civilian organizations in government used “information security” a lot. Cybersecurity had a pretty narrow definition that referred to security of things that travel through cyberspace — the internet. Over time, cybersecurity has won out as the preferred term.
I would say the biggest misconception or challenge from my perspective is that people use the term generically to mean anything that might relate to security of anything IT-relevant. I think when you have such a broad, loose definition it loses its power because, especially within public sector organizations, cybersecurity has very specific demands and requirements. There are FISMA requirements, Office of Management and Budget reporting mandates, across multiple layers of security. There are very specific connotations there, and I think with a very generic use of the term it can water down the reality that cybersecurity really means incident response, and audit logging, and risk management, and penetration testing and vulnerability assessment, and other specific tools and processes. It has very specific functions underneath it that I think get lost when people use the term so broadly, and I do think that people are using the term very broadly right now.
WashingtonExec: What steps are SE Solutions taking and what steps would you recommend in the larger GovCon community to ensure a full workforce pipeline?
Barber: Cybersecurity workforce has been a problem since its inception, and it really hasn’t changed much. The only difference is that I now see people with cybersecurity degrees in the stack of candidate resumes. I did not see that a decade ago because those degrees didn’t exist.
In general, the workforce is still a huge problem. In my opinion, the biggest challenge with the cybersecurity workforce is that there still are not many entry level cybersecurity positions. The government is always mandating the need for five or more years of experience and a CISSP certification. The one place that I’ve seen entry level positions in bulk has been in organizations with very large teams; and the personnel are very siloed. So even though somebody might have cybersecurity in their job description, they may not understand the big picture of how what they’re doing fits into everything else in the field. What we need is the flexibility to build and grow people’s careers from entry level through leadership, but that is tough with the current government mandates and contract requirements.
One of the things I’ve always focused on and we’ve focused on at SE Solutions is identifying where we have the flexibility to use entry level positions and start the careers of new cybersecurity professionals. If we can convince our customers that they can get better service at a lower cost when we can bring in entry level workers, we can all reap the benefits. There is a lot of ambition in those personnel trying to break into the field. In my experience, they work really hard, achieve really great results, and provide a higher value to my customers.