The finalists for WashingtonExec’s Chief Officer Awards were announced April 15, and we’ll be highlighting some of them until the event takes place virtually May 27.
Next is Chief Information Security Officer Award finalist Mike Gordon, who’s corporate information security officer at Lockheed Martin. Here, he talks key achievements, primary focus areas going forward, learning from failures and more.
What are you most proud of having been a part of in your current organization?
I’m most proud of Lockheed Martin’s evolution into a cyber-first organization over the past 15 years under my leadership. Although we’ve always kept security in mind when designing platforms and delivering services, there was room to grow.
In 2004, everything changed when one of Lockheed Martin’s critical enterprise systems was impacted by a cyberattack. While we were successful in mitigating the attack, it became apparent that our processes, defenses and organizational response could not handle sustained attacks from advanced persistent threats. In response, my organization helped to develop our Cyber Kill Chain framework as part of the Intelligence Driven Defense model we employ today to identify and prevent cyber intrusions.
Our evolution into the corporate information security function we have today laid the foundation for rapidly responding to unforeseen, emergency events. In response to the COVID-19 pandemic, we were able to quickly mobilize over 50% of our workforce onto our VPN secure remote network with minimal disruption to the business.
This was a seismic shift in our work structure and our advance preparation made the difference in keeping our organization resilient and strong.
What are your primary focus areas going forward, and why are those so important to the future of the nation?
I’m focused on promoting more collaboration with the industrial base, our government customers and legislators. We are seeing an increasing need to work together to solve the changing landscape of the 21st century, multidomain battlespace. Collaboration and partnership will be critical to developing the digital tools and cyber technologies needed to counteract today and tomorrow’s adversaries.
My team is also focused on strengthening the cyber posture of our supply chain partners. This is an imperative today. Our supply base relies on thousands of small vendors. Most small businesses with revenues under $1 billion simply can’t afford the large budget requirements needed to combat cyberattacks which makes them vulnerable. This vulnerability impacts primes who rely on these small suppliers.
Prime contractors, like Lockheed Martin, have the opportunity to leverage cyber technologies that we build and buy and bring them to smaller suppliers who can’t afford them, benefitting the industrial base overall.
What has made you successful in your career?
Balancing skills that come natural to me with developing new capabilities has helped to make me successful in my career. Over the years, I’ve honed my ability to communicate with impact to a wide range of audiences, which is critical as you lead across functions and teams. I take the time to understand what is required to drive initiatives, develop culture and provide direction for a significantly large organization where we have to get it right. I leverage technical data and translate it into impactful business strategies to move teams. I believe using data to help our people do their jobs more effectively has made the difference in producing positive outcomes.
Additionally, building a broad network of personal connections across our industry has helped me to deepen my technical expertise and be a meaningful resource for others. Finally, my career starts and ends with my dedication to the mission and willingness to push for results for my stakeholders.
What’s the biggest professional risk you’ve ever taken?
On May 5, 2011, an adversary penetrated Lockheed Martin’s remote access vendors and attempted to infiltrate our VPN network. As a leader of the Computer Incident Response Team, I made the risky recommendation to disconnect all virtual connections, impacting the remote access of 85,000 employees across the enterprise.
Roy E. Disney said it best, “When your values are clear to you, making decisions becomes easier.” Keeping true to our values of doing the right thing and performing with excellence while keeping our employees safe, I was able to make that difficult decision, which I still believe today was the right one.
Using data as a strategic asset, leveraging the trust of my leadership team and having the courage to move quickly with sound judgment made the difference in limiting our risk exposure and protecting the resilience of our network.
What’s your best career advice for those who want to follow in your footsteps?
Don’t be afraid to take risks. Explore roles outside of your specialty because new paths can lead to new directions for your career. I am a trained aerospace engineer and my goal was to design for stealth planes when I got out of college. I worked in this area, left Lockheed Martin to pursue something new and came back with a new interest in cybersecurity. I was new to the field and decided to learn all I could to see where this new path could take my career. The cool thing is my manager gave me the opportunity and the support I needed to fly (excuse the pun). That’s the thing about Lockheed Martin, the diversity of work is rich here so the avenues are limitless.
I’d also encourage early career professionals to keep your skills up, keep fresh and keep modern on trends. Technology is and will continue to change fast. It’s important for technical leaders to stay technical while balancing the people management side of leadership. Workstyles are changing, don’t leave your teams behind, help them to adapt and adopt. Finally, it’s imperative to translate technology to business strategy at all levels of your career.
Looking back at your career, what are you most proud of?
In 2006, I was instrumental in helping to create a cyberthreat-sharing forum for the defense industry that we called the Defense Information Security Exchange. The concept for a threat sharing forum, in and of itself, wasn’t necessarily unique even then. But the big idea that I emphasized — and the truly important principle for which I have a continuing passion — was that peer companies who compete intensely can and should intimately collaborate on protecting themselves and their supply chains from sophisticated nation state cyber threats.
Based on this principle, I wrote the charter for the successor organization for the DSIE, which is now the National Defense Information Sharing & Analysis Center, or ND-ISAC, incorporated in 2017. More than 100 ND-ISAC member companies today engage in that intimate collaboration by sharing cyber threats which they detect and developing technical approaches together. This protects and defends network infrastructures and the DOD information resident on their networks from those nation state threats.
I’ve learned that you have to infuse passion and energy into your principles to bring them to life and bring others along the way. In that regard, I’m proud to serve as the vice chairman of the ND-ISAC board of directors and to continue to guide and grow its operations.
In this capacity, I saw the need to elevate the cybersecurity of the entire Defense Industrial Base as a whole through the DIB Sector Coordinating Council. This was an existing entity provided for in U.S. government policies to promote the protection of U.S.-critical infrastructure. However, it needed to be re-energized.
I built a coalition to support the re-chartering of the DIB SCC and with the ratification or that charter in February 2019, I’ve served as its chairman elected by the members. In partnership with key DIB cybersecurity executives, I launched initiatives such as the DIB SCC Supply Chain Cybersecurity Task Force.
We have also partnered with the counterpart Government Coordinating Council, or GCC, led by the DOD to pave the way for other joint initiatives to elevate cybersecurity within the DIB, while taking account of all hazards that concern both the DIB SCC and the GCC.