Bob Turner is Chief Information Security Officer at Penn State University. His team of experts, analysts and risk managers deliver identity and access tools, architecture, awareness, compliance, and security operations. Bob was Field CISO for Education at Fortinet, Inc. and the first CISO at the University of Wisconsin-Madison. Other cyber focused assignments include founding a company providing virtual CISOs to small business and leading cybersecurity consultants delivering cyber security services to Federal agencies. Bob served in the U.S. Navy as a submarine Radioman and surface Communications and Information Systems officer. He earned BS and MS degrees in Management and Information Security and is a Certified Information Systems Security Professional (CISSP) and Certified Chief Information Security Officer (C|CISO).
Recently, in an exclusive interview with CIO Magazine, Bob shared insights into the evolution of cybersecurity landscape in the next 5-10 years, personal hobbies and interests, future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Hi Bob. What inspired you to pursue a career in cybersecurity, and what advice would you give to those looking to enter the field?
I have been involved with information security since I was a 19-year-old Radioman on the USS OMAHA (SSN 692) where I had responsibility for handling, tracking, and disposing of highly classified messages and documents for the submarine. I was involved in cryptography and maintained encryption devices and other tools of the trade. I worked hard and learned a great deal about developing, organizing and executing security plans and gained extensive experience in telecommunications, networking, and information systems. As I advanced in my Navy career we started using “cyber” and a tag for pretty much everything to do with information security and the protection of networks and data. This involved using people, processes and technology. I eventually was the one in charge of communications facilities and excelled by leading teams managing security for communications and information systems. Constant exposure and study was the norm and often included ever evolving cybersecurity tools and processes. As a consultant, I assisted the US Navy in creating the risk management and compliance processes and providing risk assessment “packages” for the Navy Marine Corps Intranet. Other cybersecurity tasks involved providing inspection teams, assessing executive involvement in cyber events, and building policy and processes.
After earning a Master’s in Information Technology, I began teaching cybersecurity courses at a local university and enjoyed the environment where I could help shape the future cyber work force.
With ten or so years as a consultant, teaching experience, and a desire to change the scenery from the military environment I lived in for close to 35 years, I set my sights on becoming a higher education CISO with success coming in my being selected as the University of Wisconsin-Madison’s first CISO.
What do you love the most about your current role?
That’s easy – getting to know the leaders and security teams across the large and complex organization that is Penn State University. When I say large and complex, I am speaking of a program that supports 100,000 students and 40,000 researchers, faculty and staff and 69 organizations which are the Colleges, 20+ Commonwealth Campuses and the university’s diverse business units. I come to the office every day seeking opportunities to propel the university’s Information Security program forward by leading and empowering our team and facilitate creative ways to move our programs forward. This is not just fulfilling the basic missions, it’s embracing artificial intelligence and newer techniques, tactics and procedures that provide the right security for all situations.
Can you discuss the importance of cybersecurity in higher education, and what challenges institutions face in this area?
There is no shortage of challenges in higher education cybersecurity. In a recent report I read the education sector ranked fourth in volume of ransomware attack attempts. The volume of student information including their family’s financial data is an inviting target with a hefty payoff for the criminals. We have to deal with a seemingly endless string of cyber-attacks; planning and directing security operations within the available people, processes and technology; plus guiding and implementing significant investments in cybersecurity technology, programs, and strategies. Universities and colleges are Olympic class players in the continual battle to “get it right” in cyber defence.
How do you see the field of cybersecurity evolving in the next 5-10 years?
Let’s start with artificial intelligence – the buzz phrase that is not going to die off in a couple of years. AI has great promise to help draw focus to the real issues in defending networks and protecting information. Based on the hype and conversations going on in cybersecurity circles, I believe the need for security leaders to be up to speed, hiring of AI subject experts and credentialed technologists, and security operations staff who focus on AI will become requirements in the next few years.
I see AI continuing to evolve but facing some very real challenges. First, generative GPT solutions are already mining the Internet which is increasingly populated by GPT generated text. How long until the GPTs are self digesting common texts which may not have the rich original thoughts generated by humans today? Second, while universities are already graduating AI focused experts, when will we reach the right mix of talent across the technology spectrum? Third, will there be stovepipes developing that are industry specific where search strings remain more general in nature. For example, cyber experts tend to speak in medical/surgical terms on equal balance with military and law enforcement jargon. Will AI evolve to know the differences within industries (some say yes, while others are not sure)? And finally, how far are we from AI’s inevitable need for certificates and badges for those who want to stand out as developers, engineers, and operators if AI tools.
What personal or professional philosophies have contributed to your success, and how have you applied these principles in your career?
The famous children’s show host Fred Rogers told us to “look for the helpers”. To gain more experience, I made a practice of becoming the helper in the organizations I served in. Of course, that meant I needed to augment the practical “deck plate” experiences with additional knowledge from seminars, conferences, short courses and university level education.
I do my own homework! Never be satisfied with the “we always have done it that way” answer. If we choose to go that route, there would be a vast library we can draw from for helpful information. Reading and absorbing lessons from others takes 4 – 6 hours per week just to keep up. More if I need to go to the next level on any topic.
Bring others along for the adventure. As a leader, I need to ensure I have a trained and enthusiastic relief in case I depart ahead of plan.
Is there a particular person you are grateful for who helped get you to where you are?
There are three!
- Rick Sullivan was the “Leading Radioman” on my first submarine. He taught me a lot from his career experience and always encouraged me to go deeper (and no, that’s not a submarine joke). He would challenge me to get in the books and be the expert.
- The second was actually a group of hard charging Sailors I was part of at the Naval Submarine School when I was an instructor there. We encouraged each other to exceed expectations in the classroom and getting ahead in our careers through extra study.
- The third was Larry Downs. He was a retired Navy helo pilot who taught me to appreciate the nuances of business management. He encouraged me to round out my education and go for the Masters degree. From there, I was able to apply for my first CISO position – and the rest is history.
What are some of your passions outside of work? What do you like to do in your time off?
- Family First! My wife Julie and I have been married 46 years, three adult children who gave us five grandkids. They are all close by and we enjoy spoiling the grandkids.
- Golf is a passion that I rarely have time for. When I do it’s not about the score, it’s an internal competition to be better than I was last season.
- I also enjoy running. Following a medical event 18 months ago, I started running as rehabilitation. Last year I logged over 1,000 miles. I am not super-fast, but I can hang in there for a 10K at least.
Which technology are you investing in now to prepare for the future?
Artificial Intelligence – get onboard or be consumed by it. Mostly reading right now, with taking advantage of talking to researchers and exploring the easy to digest learning opportunities that surround me at the research community I serve.
What is your biggest goal? Where do you see yourself in 5 years from now?
My top goal is to promote success and elevate the cybersecurity program at Penn State University. It’s a challenge and I intend to have fun learning and growing the program to wherever the team wants to take it.
What advice would you give to organizations looking to improve their cybersecurity posture?
- Get in the game! Lord Baden Powell started the Boy Scouts – one of his mottos was “If it is to be, it is up to me.” That’s good advice for those on the sidelines too. Join and be part of the success story. Study, experiment, learn, grow.
- Take it as fact that we are all vulnerable to cybercrime and work harder to implement those best practices that continue to mitigate risk to the greatest extent possible.
- Know how to present the risk picture in terms that are familiar to the audience. Tell the story so others will get onboard with managing risk. Have an executive, manager, technical and non-technical version of every cybersecurity story.
- Celebrate success – but not to the point of arrogance. We all can learn from each other and should not be satisfied with last month’s success.