Darren Death divides his cybersecurity expertise between engaging kids with STEM, volunteering his services to federal and Maryland governments’ cybersecurity challenges, and publishing cyber-related handbooks and documents — all while managing an enterprisewide security program.
Currently the vice president of information security and chief information security officer of ASRC Federal, Death has led organizational change in government and industry for over 20 years. But what led him to the cybersecurity field was initially an interest in IT engineering and architecture.
In 2004, Death joined Van Dyke Technology Group as a program manager and security architect, working as a federal contractor. His work included developing and implementing new nationwide systems and IT architectures for government customers. Death belonged to a group of engineers that focused heavily on security, and he soon found himself drawn to cybersecurity.
“As an engineer, I was already thinking about security requirements [and] building security into systems that I was building and architecting,” Death said.
So, he made the switch — and got into government.
He ended up at the Library of Congress as the enterprise information security architect, largely a cybersecurity professional role, with some engineering and architecture sprinkled in. Afterward, Death served a 6-month stint as the deputy CISO for governance, risk and compliance for the Federal Emergency Management Agency.
With various security-related volunteer activities and publications under his belt, Death is now a private sector CISO running a large security program.
The Job of a CISO
As CISO, Death has several priorities and challenges — one of the biggest being the human component rather than the actual technology.
It’s important Death keeps an open dialogue with employees about his role and what services he provides to them. He explains how he helps them select the right products, how their data works and how they should want to protect that data. He asks them questions — and not about their technology but about their information — including what’s important and how they want to protect it.
“By the end of that conversation, they have a good understanding and a good plan on how they should talk with IT about protecting that information,” Death said.
He also builds training programs relevant and interesting to the company’s user community, so they don’t grow tired of listening to organizational cyber conversations.
Then, there’s the continual progression of technology: staying current with the changes, and ensuring the organization is in lockstep with the progression and has the proper tools for what comes next.
And finally, with the equipment and technology in place, Death must ensure the organization stays on top of cyber hygiene.
“It never goes away and every month is a new challenge,” he said.
That’s because vendors keep discovering new problems and vulnerabilities, “and we have to solve them,” Death said. He works with operations and the business to figure out the problem, the urgency and schedule and exactly how to deal with it effectively.
Outside the 9-to-5
When he’s not managing ASRC’s cybersecurity program, Death is involved in multiple volunteer organizations and cyber-related activities.
In 2017, he released his 300-page book, “Information Security Handbook: Develop a threat model and incident response strategy to build a strong information security framework.” The handbook is geared toward those wanting to build an information security framework or looking for the best fit framework for an organization.
Outside of work, Death is the chief of the InfraGard Cyber Threat Special Interest Group, where he develops information security products that support security awareness across critical infrastructure sectors in the state of Maryland.
InfraGard members have access to his services, but he’s also making sure his services are as open as they can be outside of InfraGard.
“My goal is to spread the word as much as possible,” he said. That includes developing mini conferences and forums for the Maryland community and establishing a partnership with the Federal Business Council to develop new capabilities that will serve the Maryland area from an information security perspective.
On top of everything, Death is also the program chair for the American Council for Technology Industry Advisory Council’s Cybersecurity Community of Interest. This is a similar role to InfraGard, but more focused on the federal government.
At ACT-IAC, he supports the development of new projects and programs that support federal initiatives, such as Federal Risk and Authorization Management Program automation, cyber workforce development, cyber automation, contractor security, and zero trust frameworks.
“My goal as a program chair is to build interesting programs and topics where we can build out deliverables that are of interest to the federal government,” Death said.
For example, in 2018 he was the Zero Trust Project industry chair for ACT-IAC’s special project on zero trust. This security concept doesn’t assume that systems or services operating within a security perimeter are automatically trusted; instead, everything attempting to connect to the system must be verified before access is granted.
With the project team, Death created a document explaining what zero trust is and whether it could be trusted as a valid architecture for the federal government. Now, he’s working on projects that expand the initial zero trust work and on projects around contractor security, so business leaders within contractor companies can better understand their roles related to cybersecurity and government requirements, focusing on cybersecurity as a business investment.
And lastly, Death stood up and developed the curriculum for a CyberPatriot group within the Civil Air Patrol Cadet program of the Arundel Composite Squadron of the Maryland wing.
The CyberPatriot program educates cadets ages 13-18 about defensive cyber, such as how to defend networks against attacks, and about cyber ethics.
“This year, we’re teaching them the basics of computers and networking and basic network attacks,” Death said. “Then, our goal is to get them into a competitive stance so they can compete and win awards.”
And of course, the idea behind CyberPatriot is to get kids interested in STEM and cyber capabilities in hopes they carry this interest with them throughout their educational and professional lives.
Importance of Participation
Death belongs to these organizations because they embody concepts, ideas and information he truly cares about — but he also recognized early in his career that unless you’re in cyber, most people don’t really care or think about it the way those in the field do.
So, an area Death is focusing on in the ACT-IAC and InfraGard communities is building products relevant to decision-makers. And not just the technical decision-makers, but those leading areas such as human resources and finance, as they have systems and information that need to be protected properly, too.
“Usually, that thought doesn’t go through anyone’s mind because they’re not focused on IT; they’re not focused on cyber, they’re focused on their mission-related problems,” Death explained.
And with CyberPatriot, Death said the more people he can get excited about STEM and cyber, the happier he’ll be.
“I have kids. I’d love for them to go into cyber. And I think it’s one of the best fields in the world,” he said.
And in general, along with cyber awareness and cyber training, the future of securing networks also relies on IT leaders communicating the correct messages to business leaders — and that’s what Death wants techies to understand.
“If you can talk about how you’re protecting your business, how you’re protecting your data, how the work that you’re doing helps to . . . meet the business and mission goal, then you’ve got a much better conversation with your mission leader,” he said.
Again, it’s all about the human component.